Twitter URLs could be abused to promote scams and distribute malware

Twitter URLs could be abused to promote scams and distribute malware

  • Bad actors could abuse Twitter URLs by simply changing the username but using a status ID that points to a tweet from an account controlled by them.
  • In this way, attackers could spread fake news or malicious content as users click on the tweet thinking it is from a trusted source.

Twitter URLs could be abused by bad actors for various nefarious activities including distributing malware, spread fake news, and redirecting users to a phishing page.

How does this work?

A URL to a tweet contains a username and the tweet's status ID, however, the username is irrelevant in pointing to a specific tweet, while only the status ID is required.

https[:]//www[.]twitter[.]com/<username>/status/<status ID>

For example, the following URLs will all point to the same tweet despite the username being different, because the status ID is the same.

  • https[:]//www[.]twitter[.]com/abc/status/1087839317534363648
  • https[:]//www[.]twitter[.]com/xyz/status/1087839317534363648
  • https[:]//www[.]twitter[.]com/1234/status/1087839317534363648

This allows attackers to manipulate the URL and trick users into believing that a Twitter user is promoting a particular tweet and its content. By this way, attackers could spread fake news or malicious content as users click on the Tweet thinking it is from a trusted source.

Sample tweet

A security researcher named Davy Wybiral offered a sample of this abuse technique by posting a link which had the username of President Donald Trump but the status ID redirected to a tweet from the researcher.

https://mobile.twitter.com/realDonaldTrump/status/1087839317534363648

Anyone clicking on the link will think that the tweet is from Donald Trump, but it redirects to a tweet which says, “He's right you know. The practice of sharing screencaps of tweets can be abused for spreading disinformation.”

Similarly, BleepingComputer also created a proof of concept for this abuse technique by posting a link which had the username of the National Security Agency, however, the status ID redirects to a tweet from an account controlled by them.

https://twitter.com/NSAGov/status/1139201495856025605

Upon clicking, it redirects to a tweet which says, “We observed activity from multiple hacker groups linked to intelligence agencies in several countries that work together to achieve world domination. Our report is now live: https://bit.ly/2KNZ010.”

Worth noting

This redirection trick is even more powerful on mobile devices, as the redirect is completely hidden and the tweet opens in the Twitter client.

READ PREVIOUS
Attackers leverage NSA hacking tools to target business ...

Malware and Vulnerabilities

READ NEXT
Critical vulnerabilities in Alaris Gateway Workstation ...

Malware and Vulnerabilities

EVENTS
News and Updates, Hacker News - discuss

Write to us at
contact@cyware.com

Follow us on

Visit Us
Cyware Labs, 1460 Broadway, New York, NY 10036

Download Cyware Social App
Terms of Use Privacy Policy © 2020