Twitter trouble for Jonathan Ross as celebrity falls foul of security issue

May 19, 2009 Sophos Press Release

IT security and control firm Sophos is calling on Twitter to allow its members to fully delete posts following news that last night Jonathan Ross accidentally revealed his personal email address on the micro-blogging service.

Ross, who is a huge fan of Twitter and has more than a quarter of a million followers, posted his full email address for all to see, but realising his mistake, quickly deleted the message from his Twitter timeline. However, Sophos can reveal that he is just the latest user to fall for a gaping security hole in the way Twitter works - when you 'delete' a post on Twitter, it is never really deleted. By simply using Twitter's Advanced search facility, all posts (whether they have been deleted or not) can be found.

Jonathan Ross's email slip underlines Twitter security problem from SophosLabs on Vimeo.

According to Sophos, this is a serious security issue as people will always accidentally type something they didn't mean to, or post the message in public rather than send as a direct mail. Twitter needs to recognise this and allow its members to properly delete any message they choose from all of Twitter, not just their own stream.

"There's no reason for Twitter to keep these posts and in fact, this is really irresponsible behaviour," said Graham Cluley, senior technology consultant at Sophos. "In Ross's case, his email address could have been scooped by spammers or used by fraudsters pretending to be the star. And, with so many fervent fans, there's a risk Ross will get bombarded with so many emails requesting he send a signed photo, open the local garden fete, or simply pass on the mobile numbers of his celebrity buddies, that his inbox could effectively burst at the seams. Accidents like this will happen, and Twitter should be helping, not hindering, its users to clean up the mess afterwards. For Ross, his best bet is to change his email address as soon as possible."