

Twitter URLs could be abused to promote scams and distribute malware

  • Bad actors could abuse Twitter URLs by keeping a trusted account's username in the link while using a status ID that points to a tweet from an account they control.
  • In this way, attackers could spread fake news or malicious content, as users click the link believing the tweet comes from a trusted source.

Twitter URLs could be abused by bad actors for various nefarious activities, including distributing malware, spreading fake news, and redirecting users to phishing pages.

How does this work?

A URL to a tweet contains a username and the tweet's status ID. However, the username plays no part in resolving the tweet: only the status ID is required, and Twitter serves whichever tweet that ID identifies regardless of the username in the path.

https[:]//www[.]twitter[.]com/<username>/status/<status ID>

For example, the following URLs all point to the same tweet despite the different usernames, because the status ID is the same.

  • https[:]//www[.]twitter[.]com/abc/status/1087839317534363648
  • https[:]//www[.]twitter[.]com/xyz/status/1087839317534363648
  • https[:]//www[.]twitter[.]com/1234/status/1087839317534363648

This allows attackers to craft a URL that appears to belong to a trusted account while actually pointing at a tweet they control. Because Twitter ignores the username segment and serves the tweet identified by the status ID, users who click the link expecting content from a trusted source end up reading fake news or malicious content instead.
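The check described above, as an added example that is not part of the original article: a Python link checker that parses a tweet permalink, reduces it to the status ID (the only part Twitter actually uses), and compares the username in the path with the tweet's real author. The author table, the `researcher` handle and the extra sample links are constructed for the example; in a real deployment the lookup would be a Twitter API call.

```python
"""Added example (not code from the original article): parse tweet permalinks,
normalise them to the status ID that actually identifies the tweet, and flag
links whose username segment does not match the tweet's real author."""
import re
from urllib.parse import urlparse

# Hosts used by the article's examples; other mirrors are out of scope here.
TWITTER_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}

# /<username>/status/<status ID>[/...]: the username is 1-15 chars of
# [A-Za-z0-9_] and the status ID is numeric. "statuses" is the older spelling
# of the same path and is accepted on the assumption Twitter still honours it.
_STATUS_PATH = re.compile(r"^/([A-Za-z0-9_]{1,15})/status(?:es)?/(\d+)(?:/.*)?$")


def parse_status_url(url):
    """Return (username_in_url, status_id) for a tweet permalink, else None.

    Twitter resolves the tweet from status_id alone and ignores the username
    segment, which is exactly why the username cannot be trusted.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return None
    # urlparse keeps userinfo in netloc, so "https://twitter.com@evil.com/..."
    # does not pass this host check.
    if parts.netloc.lower() not in TWITTER_HOSTS:
        return None
    match = _STATUS_PATH.match(parts.path)
    if not match:
        return None
    return match.group(1), match.group(2)


def canonical_key(url):
    """The only part of the URL that identifies the tweet: its status ID."""
    parsed = parse_status_url(url)
    return parsed[1] if parsed else None


def check_attribution(url, author_lookup):
    """Classify a link as ok / spoofed / unknown / not_a_tweet.

    author_lookup maps a status ID to the real author's handle (or None).
    In production that would be a Twitter API call; here it is injected so the
    check runs offline. Returns (verdict, username_in_url, real_author).
    """
    parsed = parse_status_url(url)
    if parsed is None:
        return ("not_a_tweet", None, None)
    shown, status_id = parsed
    actual = author_lookup(status_id)
    if actual is None:
        return ("unknown", shown, None)
    # Twitter handles are case-insensitive, so compare them that way.
    if shown.lower() == actual.lower():
        return ("ok", shown, actual)
    return ("spoofed", shown, actual)


# Constructed sample data standing in for an API lookup. The status ID is the
# one from the article; "researcher" is a stand-in handle, since the article
# does not give the researcher's actual username.
SAMPLE_AUTHORS = {"1087839317534363648": "researcher"}


def demo():
    """Run the check over sample links; returns the list of verdicts."""
    links = [
        "https://mobile.twitter.com/realDonaldTrump/status/1087839317534363648",
        "https://www.twitter.com/abc/status/1087839317534363648",
        "https://twitter.com/researcher/status/1087839317534363648?s=20",
        "https://twitter.com/someone/status/999999999999999999",  # constructed, unknown ID
        "https://example.com/realDonaldTrump/status/1087839317534363648",  # wrong host
    ]
    return [check_attribution(u, SAMPLE_AUTHORS.get) for u in links]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The verdict a gateway or chat bot should act on is `spoofed`: the username shown to the user differs from the account that actually authored the tweet. Treat `unknown` (lookup failed) as suspicious rather than safe, and do not trust the host check alone, since the spoof works on every host that serves tweet permalinks.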

Sample tweet

A security researcher named Davy Wybiral offered a sample of this abuse technique by posting a link that carried President Donald Trump's username but a status ID pointing to a tweet from the researcher's own account.

https://mobile.twitter.com/realDonaldTrump/status/1087839317534363648

Anyone clicking the link would expect a tweet from Donald Trump, but it resolves to a tweet which says, “He's right you know. The practice of sharing screencaps of tweets can be abused for spreading disinformation.”

Similarly, BleepingComputer created a proof of concept for this abuse technique by posting a link that carried the National Security Agency's username but a status ID pointing to a tweet from an account they control.

https://twitter.com/NSAGov/status/1139201495856025605

Upon clicking, it resolves to a tweet which says, “We observed activity from multiple hacker groups linked to intelligence agencies in several countries that work together to achieve world domination. Our report is now live: https://bit.ly/2KNZ010.”

Worth noting

This redirection trick is even more powerful on mobile devices, where the redirect is completely hidden because the link opens directly in the Twitter client. In a desktop browser the redirect at least rewrites the address bar to the real username, which an attentive user might notice; the app shows no URL at all, so the only reliable signal is the author name displayed on the tweet itself.

Cyware Publisher
