
Twitter URLs could be abused to promote scams and distribute malware

  • Bad actors could abuse Twitter URLs by simply changing the username but using a status ID that points to a tweet from an account controlled by them.
  • In this way, attackers could spread fake news or malicious content as users click on the tweet thinking it is from a trusted source.

Twitter URLs could be abused by bad actors for various nefarious activities, including distributing malware, spreading fake news, and redirecting users to a phishing page.

How does this work?

A URL to a tweet contains a username and the tweet's status ID; however, the username plays no part in resolving the tweet, as only the status ID is used.

https[:]//www[.]twitter[.]com/<username>/status/<status ID>

For example, the following URLs will all point to the same tweet despite the username being different, because the status ID is the same.

  • https[:]//www[.]twitter[.]com/abc/status/1087839317534363648
  • https[:]//www[.]twitter[.]com/xyz/status/1087839317534363648
  • https[:]//www[.]twitter[.]com/1234/status/1087839317534363648

This allows attackers to manipulate the URL and trick users into believing that a particular Twitter user is promoting the tweet and its content. In this way, attackers could spread fake news or malicious content, as users click on the tweet thinking it is from a trusted source.

Sample tweet

A security researcher named Davy Wybiral demonstrated this abuse technique by posting a link that carried the username of President Donald Trump but whose status ID resolved to a tweet from the researcher's own account.

https://mobile.twitter.com/realDonaldTrump/status/1087839317534363648

Anyone clicking on the link will think that the tweet is from Donald Trump, but it redirects to a tweet which says, “He's right you know. The practice of sharing screencaps of tweets can be abused for spreading disinformation.”

Similarly, BleepingComputer created a proof of concept for this abuse technique by posting a link that carried the username of the National Security Agency but whose status ID resolved to a tweet from an account controlled by them.

https://twitter.com/NSAGov/status/1139201495856025605

Upon clicking, it redirects to a tweet which says, “We observed activity from multiple hacker groups linked to intelligence agencies in several countries that work together to achieve world domination. Our report is now live: https://bit.ly/2KNZ010.”

Worth noting

This redirection trick is even more powerful on mobile devices, as the redirect is completely hidden and the tweet opens in the Twitter client.
