Once Again, ExTwitter Makes Links Dangerous; The Kind Of Thing A Trust & Safety Team Would Catch

from the of-course-it's-bad dept

Just a few weeks ago, we pointed out that the purpose of a trust & safety team is not, as Elon Musk falsely claims, to “censor” users, but rather to make sure they’re safe on the site. We were highlighting this in the context of Elon’s site disguising posted links in a manner that made it easier for scammers to trick people into thinking they were going to a reputable site, when they were not.

It looks like things have gotten even worse on that front. As Matt Binder pointed out at Mashable, ExTwitter has been experimenting with forcing the word “twitter” to change to “x” throughout the app. This is because, since Musk’s hasty rename, which the company clearly had no time to prepare for, the word “twitter” still remains all over the app. So, it seems like Musk was getting fed up with being reminded of the old app (you know, the one that actually worked most of the time and didn’t fall over every few days).

Scarily, this auto-change appears to happen even in the display of links in the iOS app, leading to crazy situations where people post domains with “twitter” in them, and ExTwitter makes them appear like they’re saying “x.”


But, this creates… a pretty massive security problem as the article describes:

Let’s say someone owns the domain name “NetfliTwitter.com.” Why would they own that domain name? Because if X is automatically changing anything that includes “Twitter.com” to “X.com,” then that means posting “NetfliTwitter.com” on X would make it appear in posts as “Netflix.com,” the popular movie streaming service. And if a user clicked the linked “Netflix.com” text that appears in that post, it would really take them to “NetfliTwitter.com.” Because while X is changing the text that the user wrote, the URL it links and directs to remains the same as the user posted.

This is a dream scenario for someone looking to steal passwords through phishing campaigns.

Luckily, two of the most popular domains that include a prominent “x” that could be used in this manner for phishing have been grabbed by good samaritans (not ExTwitter, of course) to prevent them from being abused:

The example I just provided isn’t a hypothetical either. Some users on X noticed this very problem and found that it could quickly be utilized by scammers, hackers, and other bad actors. X user @yuyu0127_ quickly registered the domain name “NetfliTwitter.com” in order to prevent it from being weaponized and put up a warning page on the URL about the potential issues in X’s changes.

“This domain has been acquired to prevent its use for malicious purposes,” reads the headline text on “NetfliTwitter.com.”

Another domain name “seTwitter.com” was also registered due to its potential to be exploited as X would then change how the URL is viewed on the platform to “sex.com.” The X user, @amasato_mochi, who registered that domain name, also put up a warning page in order to put a spotlight on the issue.

“Please be very careful not to access suspicious URLs,” reads seTwitter.com. “I will hold onto this domain for a year to prevent any harm.”

But still, this is a hugely problematic “feature,” and the kind of thing that a good trust & safety team would have recognized before the product ever rolled off the line and was handed to everyone to abuse.

One key job of trust & safety is to red-team new features to think about how they might be abused and to prevent such abuses before they happen. But when you fire all the experienced trust & safety folks, you’re going to continue to make these kinds of mistakes that make users way less safe, leading to significantly decreased trust.



Comments on “Once Again, ExTwitter Makes Links Dangerous; The Kind Of Thing A Trust & Safety Team Would Catch”

36 Comments
Anonymous Coward says:

Back when those “Cloud to Butt” plugins were all the rage, there was one of them that would rewrite even the domains in calls to third-party CDNs.

Most of the time, this wasn’t much of an issue. When it became an issue was when our content filtering triggered on half a dozen or so different people all trying to visit the same porn site on our network: buttfront dotcom

One person getting bounced trying to visit a porn site is something that happens. Maybe it was an accident, or some script on some website, or maybe they even just didn’t realize they were using their work computer. I don’t care. It happens.

When you’ve got several people getting bounced trying to hit the same porn site, something is very badly wrong.

Turns out that something was a Scunthorpe problem in the Cloud-to-Butt plugin, encountering calls to Amazon CloudFront.

Elon has implemented a brand new Scunthorpe problem on Twitter. That problem was named in 1996. Nearly 30 fucking years ago. And there was awareness of it before then within the industry.

Literally, the Scunthorpe problem is one of the first content moderation problems ever. Which direction is he speedrunning the curve, exactly?

Clockwork-Muse says:

clbuttic rears its ugly head again

I guess this is just a more egregious form of the ol’ “clbuttic” problem again.

All major computer languages have utilities for rewriting specific parts of a subdomain that allow pulling out each individual subdomain, which would prevent exactly this problem. That they’re apparently not being used here is a bad sign.

Too bad there isn’t a reasonable way to get permanent redirects percolated back to twitter/x, which would make it “just work” for all sites, not just twitter/x…

mick says:

Incompetence

This seems less about a lack of Trust & Safety, and more about devs who couldn’t program their way out of CS101. Is there a more common web dev issue than rewriting URLs? Probably, but not many.

One wonders if Elon himself is doing the back-end stuff at this point. I don’t see any other explanation for such an obvious and easily avoided screw-up.

Anonymous Coward says:

Re:

I wouldn’t blame the devs. I’ve seen this play out many times. When the powers-that-be want something idiotic done, the options are “do it” or “find another job”.

Look at it this way: if Musk was capable of putting in the thought necessary to understand why his ideas are bad, he wouldn’t have bought Twitter in the first place.

Anonymous Coward says:

I think we need to make a collection of all the sane (or smart… if there are any) things Musk has ever done. Not to praise Musk or anything silly like that. But to deny it the ability to claim to be perfectly terrible. Clearly they are running for “worst human ever”.

For example, Musk’s decision to open Tesla’s patents was surprisingly sane. Hopefully that will prevent it from being immortalized.

Anonymous Coward says:

This breaks all kinds of other things as well

Some examples:

  1. Some people like to use “plussed” email addresses like fred+twitter@example.com. Others may tag their email addresses, e.g. wilma-twitter@example.com.
  2. “twitter” may appear in a hostname or subdomain, e.g. twitter.archives.example.com or archives.twitter.example.com.
  3. “twitter” may appear in a URL, e.g. https://example.com/foo/bar/twitter

And so on. A lot of breakage, some of it dangerous, can result from doing the kind of blind string substitution that Twitter just did.

I suspect that Twitter’s engineers know this but were ordered to make it happen immediately no matter what by Musk, who has the patient judgment and impulse control of a 5-year-old, and who absolutely refuses to even attempt to learn from people with vastly more expertise.

This raises a question: what OTHER rash decisions have been implemented behind the scenes? Surely the number of those can’t be zero, even though we might hope for that. I suspect we’ll find out in good time and I further suspect that it’ll be when the consequences manifest themselves in unpleasant ways.
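An added example, not code from the article, Mashable, or any commenter, that models the blind substitution the article’s NetfliTwitter.com case and the comment above describe, beside a host-aware rewrite and the display-text/href mismatch check a trust & safety review would run. The exact rule modelled (case-insensitive “twitter” to “x” in displayed text only) and the policy of rewriting only twitter.com and its subdomains are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed model of the app's behaviour: a blind, case-insensitive substring
# rewrite of "twitter" to "x" applied to the displayed text, not to the href.
BLIND = re.compile(r"twitter", re.IGNORECASE)


def _split(url: str):
    """Parse a URL, treating a bare domain such as 'NetfliTwitter.com' as https."""
    return urlsplit(url if "://" in url else "https://" + url)


def naive_display_rewrite(text: str) -> str:
    """Blind substitution: hits hostnames, paths, query strings and e-mail tags alike."""
    return BLIND.sub("x", text)


def host_aware_rewrite(url: str) -> str:
    """Rewrite only when the parsed host is twitter.com or a subdomain of it
    (assumed policy); path, query, port, userinfo and other hosts stay as-is."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    if host != "twitter.com" and not host.endswith(".twitter.com"):
        return url
    new_host = host[: -len("twitter.com")] + "x.com"
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    if parts.username is not None:
        cred = parts.username if parts.password is None else f"{parts.username}:{parts.password}"
        netloc = f"{cred}@{netloc}"
    out = urlunsplit(parts._replace(netloc=netloc))
    return out if "://" in url else out[len("https://"):]


def display_host_mismatch(display_text: str, href: str) -> bool:
    """Trust & safety check: flag a link whose visible text names a different
    host than the URL it actually opens (the NetfliTwitter.com -> Netflix.com case)."""
    shown = (_split(display_text).hostname or "").lower()
    real = (_split(href).hostname or "").lower()
    return shown != real


if __name__ == "__main__":
    # Constructed sample posts: the article's domains plus the commenter's cases.
    for raw in ["NetfliTwitter.com", "seTwitter.com", "https://twitter.com/foo/bar/twitter",
                "https://archives.twitter.example.com/", "fred+twitter@example.com"]:
        shown = naive_display_rewrite(raw)
        flag = "MISMATCH" if display_host_mismatch(shown, raw) else "ok"
        print(f"{raw:42} blind->{shown:38} {flag:9} host-aware->{host_aware_rewrite(raw)}")
```

The mismatch check reports the e-mail case as “ok” because only the userinfo changed, not the host; it is still breakage, just not host spoofing.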

That One Guy (profile) says:

From the crowd of 'I don't care what pronoun you want me to use' comes...

And now he’s outright changing the content of user comments because he can’t stand that people keep calling it Twitter… I seem to recall a few people losing their minds over the thought of other platforms maybe doing that, I’m sure they’ll be just as outraged with Elon actually doing it.

Nimrod (profile) says:

Nobody is under any obligation whatsoever to use the garbage formerly known as Twitter, but it appears that many of us would rather continue their addiction to it while complaining loudly of its numerous flaws. Kind of like staying in a really bad marriage, where the only sex you DO happen to get is minus any foreplay or lubrication, and usually involving the wrong orifice. You get plenty of it, though…
