Faking Twitter unfurling to phish you

189 points, by wongmjane, over 3 years ago

15 comments

zinekeller, over 3 years ago
Judging from the comments, some are _really_ confused about what's happening here.

The real trick is that TwitterBot and you see different pages. For TwitterBot, which always clearly identifies itself (and some other signs, like whether it is from Twitter's network infrastructure), the flow is t.co -> attacker.site -> legitimate.site, and so the card (technically called unfurling) shows the details of the legitimate site, including the coveted legitimate domain name. For you, attacker.site detects that you're _not_ TwitterBot and does whatever phishing attempt they need to do. Of course, if you do check the domain name in your browser, it won't work... but let's be honest, that's just a fraction of people here, not even including the general public.

Others ask why TwitterBot does redirections, and it seems that everyone here forgot that marketers _love_ their Bit.ly and Sprinklr links so much that Twitter needs to make a concession here (and no, you can't just whitelist them, because some companies use their own _different_ shortlinks like t.co, fb.me, g.co, msft.it, redd.it, and youtu.be).

Why not just directly serve the redirection as seen by TwitterBot? Because a) marketers and analytics, and b) services like Branch (app.link) and Adjust _do_ redirect users differently depending on their specific device (like Windows vs macOS vs Linux (or even a specific distro!) vs iOS vs Android).
calmingsolitude, over 3 years ago
This reminds me of a little joke link shortener I built[0] that allows you to set the various OpenGraph tags for the shortened URL. This lets you completely fake the link preview generated by most platforms that show you one. Even though I originally built it as a joke, I find myself using it pretty often to make links 'self-explanatory'.

[0] https://github.com/radiantly/the-redirector
Thorrez, over 3 years ago
Why does this require the extra step of using a burner account? Why not tweet https://twitter-unfurl-faker.herokuapp.com/ from your main account and that's it?

Does Twitter only unfurl t.co URLs? If so, why would they write separate code for unfurling t.co with ?amp=1 vs without ?amp=1? And why would Twitter unfurl a t.co link past the first non-t.co URL? I guess that's the vuln, right, that they don't stop after the first non-t.co URL?
reginold, over 3 years ago
Is there any sort of within-a-page HTTPS "secured" function?

Like how banks have that "only type your password if we show your correct profile picture". Almost like if embedded tweets could be "signed" by Twitter in a way that would register in my browser in a graphical way that would not be known to the server itself (i.e. putting the Twitter logo next to a tweet is easily faked). But if content appearing to be from Twitter was verified instead, and had my custom chosen avatar next to each, showing that both my key and Twitter's key had signed the text.

Maybe not making sense; if anyone wants to play this back clearer, go for it :)
fareesh, over 3 years ago
They can add "redirected from xyz" to the card, perhaps.
sigsergv, over 3 years ago
And also don't trust this link: https://t.co/MPesRJdK5y
recursive, over 3 years ago
Ok, but what's unfurling? As far as I can tell, this is just tricking the thing that tells you the target domain of a shortened link? But if you clicked the link, you could just see the link, though, right? How is this fooling anyone?
sodality2, over 3 years ago
Why would Twitter trust the Location header and not just parse the URL given to them? This seems like a strange choice, to rely on their backend lookup just to display the URL...
eyelidlessness, over 3 years ago
Trick's on me: someone finally got me to look up what the heck some cryptocurrency thing is, because this article made no sense otherwise.
ch0I9daAiO, over 3 years ago
You can do the same with VirusTotal. Check the UA: if it's VirusTotal, serve a legit page; if it's not VT, serve the malicious one. Simple 301 redirects will be detected and presented to the analyst; URL rewrites won't.
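The mechanism zinekeller and ch0I9daAiO describe, a site that answers a self-identifying crawler (TwitterBot, a URL scanner) with a redirect to a legitimate destination but serves ordinary browsers something else, is detectable from the preview side by resolving the link twice. The following is an added example, not code from the thread, from Twitter or from VirusTotal: a preview resolver that follows the redirect chain under a bot User-Agent and a browser User-Agent, builds the card from what a browser actually reaches, records the intermediate hosts for a "redirected from" label, and flags a divergence between the two chains. The network is replaced by an injectable `fetch` callable so it runs offline; `fake_fetch`, the `*.example` hostnames and the `Twitterbot/1.0` string are constructed placeholders modelling the behaviour described above, not a real site or a real crawler's exact headers.

```python
"""Dual-User-Agent redirect resolution for link previews (added example)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# A crawler announces itself; the browser string is an arbitrary desktop UA (assumed values).
BOT_UA = "Twitterbot/1.0"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}

# fetch(url, user_agent) -> (HTTP status, Location header or None)
Fetch = Callable[[str, str], Tuple[int, Optional[str]]]


@dataclass
class Resolution:
    chain: List[str] = field(default_factory=list)  # every URL visited, in order
    final: Optional[str] = None                      # URL that answered with a non-redirect
    error: Optional[str] = None                      # loop / hop-limit diagnostics


def follow(fetch: Fetch, url: str, user_agent: str, max_hops: int = MAX_HOPS) -> Resolution:
    """Follow redirects, recording each hop, with loop detection and a hop limit."""
    res = Resolution()
    seen = set()
    current = url
    for _ in range(max_hops):
        if current in seen:
            res.error = "redirect loop"
            return res
        seen.add(current)
        res.chain.append(current)
        status, location = fetch(current, user_agent)
        if status in REDIRECT_CODES and location:
            current = location
            continue
        res.final = current
        return res
    res.error = "too many redirects"
    return res


def host(url: str) -> str:
    return urlparse(url).hostname or ""


@dataclass
class PreviewVerdict:
    display_host: str           # hostname a browser actually ends up on
    redirected_via: List[str]   # intermediate hosts, for a "redirected from" label
    cloaked: bool               # bot and browser reached different destinations
    bot_final: Optional[str]
    browser_final: Optional[str]


def preview(fetch: Fetch, url: str) -> PreviewVerdict:
    """Resolve with both UAs and build the card from the browser's chain, never the bot's."""
    bot = follow(fetch, url, BOT_UA)
    browser = follow(fetch, url, BROWSER_UA)
    shown = browser.final or browser.chain[-1]
    via: List[str] = []
    for hop in browser.chain[:-1]:
        h = host(hop)
        if h and h != host(shown) and h not in via:
            via.append(h)
    return PreviewVerdict(
        display_host=host(shown),
        redirected_via=via,
        cloaked=bot.final != browser.final,
        bot_final=bot.final,
        browser_final=browser.final,
    )


def fake_fetch(url: str, user_agent: str) -> Tuple[int, Optional[str]]:
    """Constructed stand-in for the network; every hostname here is a placeholder."""
    if url == "https://t.co/SHORT":
        return 301, "https://attacker.example/landing"
    if url == "https://attacker.example/landing":
        if user_agent.startswith("Twitterbot"):
            return 302, "https://legitimate.example/article"  # crawler is sent onward
        return 200, None  # everyone else is served a page on this host
    if url == "https://legitimate.example/article":
        return 200, None
    if url.startswith("https://loop.example/"):  # two URLs redirecting to each other
        return 302, "https://loop.example/b" if url.endswith("/a") else "https://loop.example/a"
    if url.startswith("https://long.example/"):  # endless chain, to exercise the hop limit
        n = int(url.rsplit("/", 1)[1])
        return 302, f"https://long.example/{n + 1}"
    return 404, None


if __name__ == "__main__":
    v = preview(fake_fetch, "https://t.co/SHORT")
    print(f"card host: {v.display_host}, via {v.redirected_via}, cloaked={v.cloaked}")
```

The card is built from the browser-side resolution, so the hostname it displays is the one a person clicking the link will land on; the bot-side result only serves to raise the `cloaked` flag, which a preview service could use to suppress the rich card or to show the "redirected from" hosts fareesh suggests. The loop and hop-limit branches exist because a resolver that follows redirects on behalf of every tweet is itself a target for runaway chains.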
pyrolistical, over 3 years ago
This doesn't make sense. Why doesn't the Twitter bot serve the final site location after following all the redirects?

Then, since the bot sees the correct site, it redirects to the correct site.
bartkappenburg, over 3 years ago
Why not do it the other way around? Serve a page without a redirect to the Twitter bot, and detect if the header does NOT contain Twitter to serve a redirect?
Retr0id, over 3 years ago
Firefox is doing a horrendous job of rendering the text on this site for me, on Arch Linux. Is it just me?

https://i.imgur.com/ZP9wC85.png
seoulmetro, over 3 years ago
This is pretty dumb.

It's like writing `[google.com](notgoogle.com)` and making out like it's a significant security flaw or new idea.
gitgud, over 3 years ago
Not really a logical phishing strategy: if the first domain looks safe and the attacker controls it, why wouldn't they just use that to serve a phishing page, instead of needlessly redirecting...

A better example would be to show "google.com" and somehow redirect to "phishing.com"... but that's not really possible without control of "google.com".