
Twitter (X) Introduces URL Substitution to X.com, Raises Phishing Concerns; Feature Rolled Back Following Community Backlash

JosephL

Summary

 X, formerly known as Twitter, forces URL substitution to X.com, making users potentially vulnerable to phishing. Twitter rolls back feature after community pushback.


Quotes


“X, the social media formerly known as Twitter, has started automatically modifying links that ended in “twitter.com” to read as “x.com.”

Since the modification on April 9, the platform reads any web page ending in “twitter.com” as “x.com.” Although no actual redirection happened, the website renders any link ending in the platform’s old domain to display the new one”


“The company’s bold move triggered a chain reaction in the ranks of disheartened or concerned users, who registered no less than 60 domains to prove its inefficacy.

Domains like “fedetwitter[.]com,” “roblotwitter[.]com,” “neobutwitter[.]com,” and other domains ending in “twitter.com” have been registered over the past few days.”


My thoughts

 This article is a few weeks old, but it would be a really interesting WAN Show discussion.  This is another example of Twitter/X making sudden decisions without much thought to how it would impact the platform.  At what point do users decide to leave the platform, in search of one with more stability?  I love how the user base has become unpaid employees of the platform, since they have reduced their workforce so much that no one seems to see issues with these features until they make it to production.


Sources

 https://www.bitdefender.com/blog/hotforsecurity/xs-enforced-url-substitution-to-x-com-domains-an-invitation-to-phishing-attacks/


1 hour ago, JosephL said:

At what point do users decide to leave the platform, in search of one with more stability?

The problem is that there isn't really a 1:1 equivalent, despite the terrible management it still scratches an itch no other platform does (at least so I'm told, not being on twitter myself).

 

However things like this are what's driving away twitter's main advertisers, meaning the platform's finances are going to be worse and worse the longer this goes on.


The problem with single-letter URLs is also that if you have other sites that start with said letter you might accidentally visit one of those due to the auto-complete feature browsers have


I love when people make fun of the genius ideas of the world's richest baby. Even his only good idea out of this whole debacle, which was to open up community notes (which already existed before he took over, so he doesn't get to take credit for that, because everything he touches already existed) to the public is used to make fun of him whenever he spews constant nonsense. Heck, even just the fact that it has been almost a year since the rebrand and everybody is still just calling it Twitter, with media publications doing the "X, formerly Twitter" thing is hilarious. We let Facebook get away with their Meta rebrand, and yet, Elon just can't manage to convince people that "no seriously guys, X is like the coolest letter of the alphabet, so we gotta use that as our umbrella".


1 hour ago, darknessblade said:

The problem with single-letter URLs is also that if you have other sites that start with said letter you might accidentally visit one of those due to the auto-complete feature browsers have

And what a wonderful choice of letter to let the browser explore its autocomplete options


1 hour ago, darknessblade said:

The problem with single-letter URLs is also that if you have other sites that start with said letter you might accidentally visit one of those due to the auto-complete feature browsers have

Why would that problem be unique to single-letter URLs? If you type "x.com" in the URL bar it will take you to x.com. The only problem would be if you type "x" and then choose one of the suggested URLs - but if you end up somewhere you did not intend then that's the user's fault for relying on the suggested URLs and selecting the wrong suggested URL. That's not a problem that is unique to single-letter URLs though, or even typing just a single letter into the browser bar and letting the browser do the rest of the work. If you type "linu" and then let it autocomplete (choose one of the suggested URLs) then you might end up at linustechtips.com, or you might end up at linusmediagroup.com, maybe linux.org, or possibly something completely different depending on your browsing history.


People still talk about this X or urm ksss site?


It'll always be twitter to me


Can someone who actually saw examples of this clarify, was Twitter modifying the href and/or the text? i.e. <a href="texta">textb</a> [is it texta, the href or textb that was modified]


The 3 different outcomes can drastically change the practicality of a phishing attack:

href and text: Overall not too big of an issue for phishing

href: Not really a big issue as any practical phishing would be difficult

text: Would be a big issue here.


5 hours ago, JosephL said:

At what point do users decide to leave the platform, in search of one with more stability?  I love how the user base has become unpaid employees of the platform, since they have reduced their workforce so much that no one seems to see issues with these features until they make it to production.

I think this is coming from a bit of an ignorant stance of what Twitter was before.

Mudge, a hacker/security expert, wrote a report prior to Elon buying it and it was terrible. Direct modifications to the production environment with no testing was the culture that existed then, with a vast amount of employees who had access to the feed without proper logging of modification, and worse, Twitter's backup solution was so bad that iirc if any two datacenters experienced an outage at the same time Twitter's infrastructure would have collapsed and been impossible to spin back up.


Twitter was overbloated with employees, it really doesn't mean much in regards to the reduced workforce.


2 hours ago, Spotty said:

Why would that problem be unique to single letter URLs? If you type "x.com" in the URL bar it will take you to x.com. The only problem would be if you type "x" and then choose one of the suggested URLs - but if you end up somewhere you did not intend then that's the users fault for relying on the suggested URLs and selecting the wrong suggested URL. That's not a problem that is unique to single letter URLs though, or even typing just a single letter in to the browser bar and letting the browser do the rest of the work. If you type "linu" and then let it autocomplete (choose one of the suggested URLs) then you might end up at linustechtips.com, or you might end up at linusmediagroup.com, maybe linux.org, or possibly something completely different depending on your browsing history.

I'd argue a single letter URL would be harder to mistype or drop a letter than some longer ones.


linustechtips.com vs linustechtip.com; lot easier to drop the s while typing and not realizing...or google.com vs googel.com something that happens quite often.


One would find it very difficult to type x.com wrong enough and still not recognize it being wrong to be redirected to a different site.


12 minutes ago, wanderingfool2 said:

Can someone who actually saw examples of this clarify, was Twitter modifying the href and/or the text? i.e. <a href="texta">textb</a> [is it texta, the href or textb that was modified]


The 3 different outcomes can drastically change the practicality of a phishing attack:

href and text: Overall not too big of an issue for phishing

href: Not really a big issue as any practical phishing would be difficult

text: Would be a big issue here.

We wouldn't be talking about it if it wasn't just changing the text of the hyperlink but leaving the URL intact, at least not in the context of phishing. You can see some examples of what it looked like when people typed URLs ending in "twitter.com" and how the text was changed but keeping the URL intact.

https://mashable.com/article/twitter-dot-com-posts-change-to-x-dot-com-ios


21 minutes ago, wanderingfool2 said:

Can someone who actually saw examples of this clarify, was Twitter modifying the href and/or the text? i.e. <a href="texta">textb</a> [is it texta, the href or textb that was modified]

textb

The text in tweets was modified but the URL was not. This meant if you posted a link to netflitwitter.com it would show the link as netflix.com but if you clicked the link it would go to netflitwitter.com

For example: netflix.com


Quote

Security reporter Brian Krebs called the move "a gift to phishers" in an article yesterday. It was a phishing risk because scammers could register a domain name like "netflitwitter.com," which would appear as "netflix.com" in posts on X, but clicking the link would take a user to netflitwitter.com.


The reason I suspect they didn't change the URL as well is because x.com currently just redirects to twitter.com anyway. There's no benefit to changing the URL to x.com since it would just redirect back to twitter.com. Twitter just wanted it to display in the app as x.com but actually direct to twitter.com

Edited by Spotty


This whole dumb rebranding of Twitter as X is such a massive shitshow it's incredible. None of this X crap makes any sense. It's like Elon has zero clue about branding and everyone is glorifying him as this entrepreneur genius. ?!


19 minutes ago, Avocado Diaboli said:

We wouldn't be talking about it if it wasn't just changing the text of the hyperlink but leaving the URL intact, at least not in the context of phishing. You can see some examples of what it looked like when people typed URLs ending in "twitter.com" and how the text was changed but keeping the URL intact.

https://mashable.com/article/twitter-dot-com-posts-change-to-x-dot-com-ios

Actually, you will find that a lot of things will be "talked about" when it involves Musk; even if it has no impact or is just made up stuff sometimes [most recent example, the news agencies who all reported on the cancellation of Tesla's $25,000 car which took the stock down by 8%...except as it turns out Tesla is ahead of schedule on that or the firing of 10% of the Tesla workforce,  where what's left out is every 2 years they have done a similar purge].


Lots of security stuff actually ends up getting click-baited, even when it doesn't serve any practical purposes except theoretical.


While I do think in this scenario it is valid, just because something is talked about one shouldn't assume that it's the worst case [as time and time again we hear of things like this, but learn that it's not really as bad...as an example the 23andme...they weren't hacked, someone just stole peoples passwords and people reused them but everyone talked as though 23andme was somehow lacking in cybersecurity]


So the marvelous engineers at Twitter didn't see the red flag of their implementation of targeting only the end of the string instead of the domain as a whole? Baby's first regex.

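Added example, not code from X/Twitter, from the Bitdefender article, or from anyone in this thread. It reconstructs the behaviour the thread describes (wanderingfool2's `<a href="texta">textb</a>` question, Spotty's answer that only the text changed, and the "end of the string instead of the domain" point above): a naive suffix match on the hostname that turns a constructed lure like netflitwitter.com into netflix.com, beside a host-aware rewrite that only renames twitter.com itself or its subdomains. The href is never touched in either version; only the rendered text differs. All sample hrefs are constructed for the example; twitter.com and x.com are the only real names used.

```javascript
// Added example, not X/Twitter's code. Hostnames other than twitter.com and
// x.com are constructed for this example.

// Naive rewrite: any hostname that *ends with* "twitter.com" is renamed,
// so "netflitwitter.com" becomes "netflix.com" and "fedetwitter.com" "fedex.com".
function naiveRewriteHost(hostname) {
  return hostname.replace(/twitter\.com$/i, "x.com");
}

// Is this hostname really twitter.com or one of its subdomains?
// The label boundary (exact match or a leading ".") is the check the naive version lacks.
function isTwitterHost(hostname) {
  const h = hostname.toLowerCase();
  return h === "twitter.com" || h.endsWith(".twitter.com");
}

// Host-aware rewrite: only the real domain (or a subdomain of it) is renamed.
function safeRewriteHost(hostname) {
  return isTwitterHost(hostname)
    ? hostname.toLowerCase().replace(/twitter\.com$/, "x.com")
    : hostname;
}

// What the reader sees as link text: the href parsed as a real URL with only
// the hostname swapped. Returns null for anything that is not an absolute URL.
function displayTextFor(href, rewriteHost) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null;
  }
  url.hostname = rewriteHost(url.hostname);
  return url.href;
}

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// The <a href="texta">textb</a> shape from the thread: "texta" is the original
// href, untouched; "textb" is the rewritten display text.
function renderAnchor(href, rewriteHost) {
  const text = displayTextFor(href, rewriteHost) || href;
  return `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
}

// Audit: links whose displayed hostname differs from the real one, excluding the
// intended twitter.com -> x.com rename. Anything returned is a lure.
function deceptiveLinks(hrefs, rewriteHost) {
  const out = [];
  for (const href of hrefs) {
    let actual;
    try {
      actual = new URL(href).hostname;
    } catch (e) {
      continue; // not a URL, nothing to render
    }
    const shown = rewriteHost(actual);
    if (shown.toLowerCase() !== actual.toLowerCase() && !isTwitterHost(actual)) {
      out.push({ href, shown });
    }
  }
  return out;
}

// Constructed sample: one legitimate link, two look-alike registrations of the
// kind the thread describes, a path that merely contains "twitter.com", and junk.
const SAMPLE_HREFS = [
  "https://twitter.com/someuser/status/123",
  "https://netflitwitter.com/login",
  "https://fedetwitter.com/",
  "https://example.com/twitter.com",
  "not a url",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const href of SAMPLE_HREFS) {
    console.log(renderAnchor(href, naiveRewriteHost));
  }
  console.log("naive:", deceptiveLinks(SAMPLE_HREFS, naiveRewriteHost));
  console.log("safe :", deceptiveLinks(SAMPLE_HREFS, safeRewriteHost));
}
```

Run with `node` and the naive audit lists netflitwitter.com shown as netflix.com and fedetwitter.com shown as fedex.com, while the host-aware audit lists nothing. The general rule is the same wherever display text is derived from a URL: match on the parsed hostname at a label boundary, never on a raw string suffix, and never let the shown host diverge from the one the href resolves to.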

On 4/24/2024 at 12:01 PM, wanderingfool2 said:


One would find it very difficult to type x.com wrong enough and still not recognize it being wrong to be redirected to a different site.


You know how I visit LTT forums? I type L in the address bar and it's the first thing that pops up. What you may not know is that it tends to autocomplete to the news forum.


If I visit Slashdot, the browser autocomplete figures it out by SL, but if I hit enter before the autocomplete finishes, it will instead try to google "SL" and come up with a bunch of random youtube videos.


I can repeat this for several domains I go to. The basic idea is the browser autocomplete tries to remember where you went, and if you get phished, or visit something that was "short url substituted" with x.com, now there's a 100% chance of accidentally re-victimizing yourself over and over because the browser sends you to x dot com / something_other_than_what_you_wanted rather than the x dot com website home page.


link shorteners largely went away due to this sheer level of abuse by people who use it to disguise malware, because all the redirects are hard to grab and trace to send it to virustotal and such.


Last thing you want is AV products to mark "x.com is a phishing site, DANGER DANGER"


Link shortening and substitution should not happen. Period. At least not under the domain of the website. Come up with a URL that is used exclusively for that, and that alone, and make sure that you have to login with x dot com to create a link, and interstitial it with the x dot com embedded post from where it was created so people know why it exists.


On 4/24/2024 at 7:51 AM, Avocado Diaboli said:

I love when people make fun of the genius ideas of the world's richest baby. Even his only good idea out of this whole debacle, which was to open up community notes (which already existed before he took over, so he doesn't get to take credit for that, because everything he touches already existed) to the public is used to make fun of him whenever he spews constant nonsense. Heck, even just the fact that it has been almost a year since the rebrand and everybody is still just calling it Twitter, with media publications doing the "X, formerly Twitter" thing is hilarious. We let Facebook get away with their Meta rebrand, and yet, Elon just can't manage to convince people that "no seriously guys, X is like the coolest letter of the alphabet, so we gotta use that as our umbrella".

Honestly I don't know anyone who refers to Facebook as meta. I think the meta rebrand was just as stupid tbh but I guess that's just me. If anything whenever I hear meta I am reminded of the metaverse demo they had which is significantly worse than VR chat even with a stupidly large budget. 
