Concerned about recent PAN-OS and other firewall/VPN CVEs? Take advantage of Zscaler’s special offer today

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Unlike Popular Belief, Short Links on Twitter Aren't Malicious!

March 29, 2010 - 3 min read
Twitter recently announced that it has implemented a new security system to scan all URLs posted in tweets to protect users from malicious sites. This follows a similar announcement from in November 2009


Twitter, and the URL shorteners it has helped to popularize, have long been blamed for leading users to malicious sites. I posted on this topic 3 weeks ago and argued that this may not be true. I wanted to additionally do a thorough investigation of the Twitter links both before the security scan and after.


I have retrieved more than 1 million URLs (1,314,615 to be exact) from the public timeline over a couple of weeks before they put any protections in place. I then ran the links through the Zscaler infrastructure to find out which links lead to malicious sites.

The state of the Twitter links
 Prevalence of hostnames on Twitter


As expected, URL shorteners are very popular on Twitter, and represents 40% of all links. TinyUrl, one of the original URL shorteners, comes in 3rd with only 5% of all URLs.


How many malicious links?
I looked for malicious sites - phishing sites, malware, etc. I did not look for spam, only for pages that present a security risk to users.
To my surprise, a very low number of links led to malicious pages - only 773, links, 0.06% of all links scanned, redirected to malicious content.
  Types of malicious sites
Here is the distribution of malicious links by host name:
Image represents 40% of all links, and roughly the same proportion of malicious links. Same case for TinyUrl:  5% of all URLs and 6 % of all malicious sites. It does not look like’s phishing and malware protection is making it any safer than other URL shorteners. is used to share images, so it is unlikely to be used for malicious content. Mediafire is known for hosting malware and other viruses, even if it is not blocked by Google Safe Browsing.


Note that these links may have been scanned up to 4 weeks after they were collected. Bad sites may already have been taken down, or cleaned up.

Can Twitter and really protect their users?
The key to protecting end users, is real-time scanning of both the URL and the content. Twitter and can only scan the links periodically.  Malicious websites try to hide their malicious content to non-users by checking the user agent or geography and by requiring a real browser which fully understands Javascript, Flash, etc.  An attacker can present harmless content to the Twitter or scanners, but harmful content to a real user.
But remember that only 0.06% of all the URLs tests represented a security risk. It is actually much safer to follow link s from Twitter that from some search results on Google!

-- Julien

form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.