Found an interesting spam/scam scheme today:
- Attacker posts their link that redirects to a legit news article
- Twitter resolves the redirect to news article
- Twitter hides link from Tweet and displays Twitter Card with news domain
- Attacker changes redirect to spam site
The Tweet now displays a legit-looking Twitter Card with the news website domain, but actually goes to the scammer.
Something like this: https://twitter.com/0xjomo/status/1039583601367629825
This is why URL shorteners should always be considered a security risk.
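Added example, not part of the thread: a Python sketch of the click-time re-check a platform could run to catch the scheme above, where the short link's redirect target changes after the card was generated and cached. The shortener, the hostnames and the redirect table are all constructed for the demo.

```python
from urllib.parse import urlparse

MAX_HOPS = 10


def resolve_final(url, fetch):
    """Follow redirects until a non-redirect response.

    `fetch(url)` is a hypothetical stand-in for an HTTP HEAD/GET that returns
    the Location header, or None when the URL does not redirect.
    Raises ValueError on a loop or when MAX_HOPS is exceeded.
    """
    seen = []
    current = url
    while len(seen) < MAX_HOPS:
        if current in seen:
            raise ValueError(f"redirect loop at {current}")
        seen.append(current)
        nxt = fetch(current)
        if nxt is None:
            return current
        current = nxt
    raise ValueError("too many redirects")


def card_domain(url, cache, fetch):
    """Card domain for a posted link, resolved once and then cached.

    This mimics the one-time card generation the thread describes: the
    platform trusts whatever the link pointed at when the Tweet was posted.
    """
    if url not in cache:
        cache[url] = urlparse(resolve_final(url, fetch)).hostname
    return cache[url]


def check_click(url, cache, fetch):
    """Re-resolve at click time and compare with the cached card domain."""
    shown = card_domain(url, cache, fetch)
    actual = urlparse(resolve_final(url, fetch)).hostname
    return {"card_domain": shown, "actual_domain": actual, "match": shown == actual}


def demo():
    # Constructed redirect table standing in for the attacker's shortener.
    redirects = {"https://short.example/abc": "https://news.example/story"}
    fetch = lambda u: redirects.get(u)
    cache = {}
    before = check_click("https://short.example/abc", cache, fetch)
    # The attacker now repoints the short link; the cached card is unchanged.
    redirects["https://short.example/abc"] = "https://spam.example/offer"
    after = check_click("https://short.example/abc", cache, fetch)
    return before, after
```

A mismatch between the cached card domain and the freshly resolved destination is the signal to warn the user or regenerate the card.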
By filtering visitors by referer or datacentre/domestic IP you could probably set these up in a one-step manner, too.
@cathal the referrer is an optional HTTP header and not always sent, but it's quite possible they only do the redirect when the request comes from a Twitter IP.
@jomo Ran into this unintentionally at my last job. The card caching is crazy too. Some promotions would be down for years and the card still existed... super safe for users!
@jomo Oh! And I forgot, after years of building Twitter content for promos, Twitter would hit our servers to try and update metadata from those same ancient, dead promos. They DoS'ed us one day when their system decided to refresh everything within a few minutes.
@jomo awesome, now even first-party URL shorteners are a public safety issue.