- Bad actors could abuse Twitter URLs by simply changing the username but using a status ID that points to a tweet from an account controlled by them.
- In this way, attackers could spread fake news or malicious content as users click on the tweet thinking it is from a trusted source.
Twitter URLs could be abused by bad actors for various nefarious activities, including distributing malware, spreading fake news, and redirecting users to a phishing page.
How does this work?
A URL to a tweet contains a username and the tweet's status ID; however, only the status ID determines which tweet is shown, and the username plays no part in selecting it.
For example, the following URLs will all point to the same tweet despite the username being different, because the status ID is the same.
This allows attackers to manipulate the URL and trick users into believing that a particular Twitter user is promoting a tweet and its content. In this way, attackers could spread fake news or malicious content, as users click on the tweet thinking it comes from a trusted source.
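The mismatch described above can be checked on the receiving side before a link is rendered or shared. The following is an added example, not code from the original article: it parses a tweet URL into its username and status ID, compares the username against the status ID's actual author, and rewrites the link to Twitter's username-free `/i/web/status/<id>` form so the URL no longer implies an author. The author lookup table is a constructed stand-in for a real API query.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data standing in for a lookup of who really posted a
# status ID (in practice this would be an API call). Not real tweets.
KNOWN_AUTHORS = {
    "1000000000000000001": "trusted_account",
    "1000000000000000002": "attacker_controlled",
}

# /<username>/status/<id>; Twitter usernames are 1-15 chars of [A-Za-z0-9_].
TWEET_PATH = re.compile(r"^/(?P<user>[A-Za-z0-9_]{1,15})/status(?:es)?/(?P<id>\d+)/?$")
TWITTER_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}


def parse_tweet_url(url):
    """Return (username, status_id) for a tweet URL, or None if it is not one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() not in TWITTER_HOSTS:
        return None
    match = TWEET_PATH.match(parts.path)
    if not match:
        return None
    return match.group("user"), match.group("id")


def check_attribution(url, authors=KNOWN_AUTHORS):
    """Classify a URL: 'ok' if the username matches the status ID's author,
    'mismatch' if the URL claims a different author, 'unknown_status' if the
    ID cannot be resolved, 'not_a_tweet_url' otherwise."""
    parsed = parse_tweet_url(url)
    if parsed is None:
        return "not_a_tweet_url"
    user, status_id = parsed
    real_author = authors.get(status_id)
    if real_author is None:
        return "unknown_status"
    # Usernames are case-insensitive on Twitter, so compare in lower case.
    return "ok" if user.lower() == real_author.lower() else "mismatch"


def canonicalize(url):
    """Rewrite a tweet URL to the username-free form so it implies no author.
    Non-tweet URLs (including already-canonical ones) are returned unchanged."""
    parsed = parse_tweet_url(url)
    if parsed is None:
        return url
    return f"https://twitter.com/i/web/status/{parsed[1]}"
```

A link filter or mail gateway can apply `check_attribution` to flag `mismatch` results and `canonicalize` to strip the misleading username before the link is displayed.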
A security researcher named Davy Wybiral demonstrated this abuse technique by posting a link that carried the username of President Donald Trump but whose status ID pointed to a tweet from the researcher's own account.
Anyone clicking on the link would assume that the tweet is from Donald Trump, but it redirects to a tweet that says, “He's right you know. The practice of sharing screencaps of tweets can be abused for spreading disinformation.”
Similarly, BleepingComputer created a proof of concept for this abuse technique by posting a link that carried the username of the National Security Agency, while the status ID pointed to a tweet from an account under BleepingComputer's control.
Upon clicking, it redirects to a tweet that says, “We observed activity from multiple hacker groups linked to intelligence agencies in several countries that work together to achieve world domination. Our report is now live: https://bit.ly/2KNZ010.”
This redirection trick is even more convincing on mobile devices, where the redirect is completely hidden from the user and the tweet opens directly in the Twitter client.