X fixes URL blunder that could enable convincing social media phishing campaigns

Poorly implemented rule allowed miscreants to deceive users with trusted URLs

Elon Musk's X has apparently fixed an embarrassing issue implemented earlier in the week that royally bungled URLs on the social media platform formerly known as Twitter.

Users started noticing on Monday that X's programmers implemented a rule on its iOS app that auto-changed Twitter.com links that appeared in Xeets to X.com links.

Even though the Twitter.com domain is still active, used by many, and important pages such as its Help Center still rely on the domain, apparently it was imperative to the team that Xeet links simply must be on-brand.

The issue with this new feature was that it was implemented poorly, changing any mention of "Twitter" anywhere in a URL string to "x," which of course opened up a bag of security worms.

Users quickly realized the buggy implementation allowed them to freely publicize potentially malicious web pages. Posting a link to netflitwitter[.]com would be automatically changed by the X platform to display Netflix.com – a legitimate domain.

Crucially, however, if a user tapped on that link, which again was displayed to them as Netflix.com, they would instead be taken to the original link netflitwitter[.]com, a domain that was kindly picked up by a fast-acting Xeeter so it couldn't be used by bad actors.

The potential for abuse here would be rife, given the number of legitimate, well-known brands most people would blindly trust. Netflix, Plex, Roblox, Clorox, Xerox – you get the picture.

That's not even considering the potential for abuse of X-rated sites horned-up users might be otherwise too flustered to double-check for authenticity.

Attackers could feasibly copy legitimate web pages to steal credentials, or skip the trouble and simply use it as a malware-dropping tool, or any number of other possibilities.

Unsurprisingly, X hasn't addressed this publicly – likely in an attempt to avoid drawing attention to the blunder. We've also given up following journalistic practice when it comes to trying to contact its press team.

For those not in the know, soon after Musk took over, he fired the PR team and set all inbound communications to its inbox to auto-reply with a poop emoji. Now it's just: "Busy now, please check back later."

Without any official account of the timeline here, we resort to searching past Xeets to see how long the error went unchecked. Based on various users' posts, it appears it was allowed to run for at least nine hours, but potentially longer.

According to tests at Reg towers on Wednesday morning, the issue appears to have been reversed. Netflitwitter[.]com now reads as such, but Twitter.com is auto-changed to X.com.

It appears that the Twitter-to-X policy doesn't apply when the domain is written in all-caps, but in every combination we tried we couldn't get the old trick to work. It seems properly fixed.

Nevertheless, it's an embarrassing blunder for the X devs that could have led to some nasty outcomes. ®

More about

TIP US OFF

Send us news


Other stories you might like