Much of Twitter came to a screeching halt last night when millions of links went dark at once. Ironically, the cause wasn't hackers, but a complaint about a potential phishing scam that put the brakes on Twitter's t.co link shortening service.
Character space on Twitter is valuable. The short and to-the-point nature of the platform has reduced messages from some of the most accomplished and respected figures into middle schl txt speak dat oftn looks like dis. So when Twitter began to automatically convert long links into short ones, in a practice called link wrapping, there was much to celebrate.
But the micro-blogging service opened itself up to a vulnerability it hadn't had before: a single point-of-failure that could cause all Twitter links to break.
That's exactly what happened on Sunday when an Australian domain registrar placed a "ClientHold status" on the t.co domain in response to a phishing complaint that was likely bogus. A spokesperson for the registrar, Melbourne IT, said they "inadvertently placed the t.co domain on hold," sending users to a page that informed them of the "nonexistent domain," for total time of about 40 minutes.
ClientHold is a tool that registrars usually use to stop service to websites with unpaid bills. It states that "information MUST NOT be published" when the ClientHold is in place, CNET reported.
When the move to begin link wrapping was announced last August, Twitter touted their new link wrapping scheme as a way to better "understand how users engage" and "protect users from malicious sites and scams," but did not mention the fact that all wrapped links would break if the central domain is compromised.
It appears that links from other URL-shrinking services and all links under 20 characters were not affected.
In case this happens in the future, CNET pointed readers to helpful workaround. Twitter users can replace the dot (.) in a Web address with its HTML equivalent (.) to keep Twitter from automatically wrapping the link into a t.co link. For example, instead of writing technewsdaily.com, you would write technewdaily.com.
Twitter's auto-link wrapping is a convenient time-saver and a great method to help users save characters as they tweet, but it's an instance of developers choosing simplicity over security. Had Twitter diversified its link shortening service to just two domains instead of one, they could have mitigated the problem by half.
The Internet is a fragile place. Tread lightly. All it takes is one wrong move to break it.
Follow Ben on Twitter.
