Once Again, ExTwitter Makes Links Dangerous; The Kind Of Thing A Trust & Safety Team Would Catch

by Mike Masnick, from Techdirt (#6M1G7)

Just a few weeks ago, we pointed out that the purpose of a trust & safety team is not, as Elon Musk falsely claims, to "censor" users, but rather to make sure they're safe on the site. We were highlighting this in the context of Elon's site disguising posted links in a manner that made it easier for scammers to trick people into thinking they were going to a reputable site when they were not.

It looks like things have gotten even worse on that front. As Matt Binder pointed out at Mashable, ExTwitter has been experimenting with forcing the word "twitter" to change to "x" throughout the app. This is because, since Musk's hasty change of names, which it was clear the company was unable to prepare for, the word "twitter" still remains all over the app. So, it seems like Musk was getting fed up with being reminded of the old app (you know, the one that actually worked most of the time and didn't fall over every few days).

Scarily, this auto-change appears to happen even in the display of links in the iOS app, leading to crazy situations where people post domains with "twitter" in them, and ExTwitter makes them appear like they're saying "x."


But this creates... a pretty massive security problem, as the article describes:

Let's say someone owns the domain name "NetfliTwitter.com." Why would they own that domain name? Because if X is automatically changing anything that includes "Twitter.com" to "X.com," then that means posting "NetfliTwitter.com" on X would make it appear in posts as "Netflix.com," the popular movie streaming service. And if a user clicked the linked "Netflix.com" text that appears in that post, it would really take them to "NetfliTwitter.com." Because while X is changing the text that the user wrote, the URL it links and directs to remains the same as the user posted.

This is a dream scenario for someone looking to steal passwords through phishing campaigns.

Luckily, two of the most popular domains that include a prominent "x" that could be used in this manner for phishing have been grabbed by good Samaritans (not ExTwitter, of course) to prevent them from being abused:

The example I just provided isn't a hypothetical either. Some users on X noticed this very problem and found that it could quickly be utilized by scammers, hackers, and other bad actors. X user @yuyu0127_ quickly registered the domain name "NetfliTwitter.com" in order to prevent it from being weaponized and put up a warning page on the URL about the potential issues in X's changes.

"This domain has been acquired to prevent its use for malicious purposes," reads the headline text on "NetfliTwitter.com."

Another domain name, "seTwitter.com," was also registered due to its potential to be exploited, as X would then change how the URL is viewed on the platform to "sex.com." The X user, @amasato_mochi, who registered that domain name, also put up a warning page in order to put a spotlight on the issue.

"Please be very careful not to access suspicious URLs," reads seTwitter.com. "I will hold onto this domain for a year to prevent any harm."

But still, this is a "hugely problematic feature," and the kind of thing that a good trust & safety team would have recognized before the product ever rolled off the line and was handed to everyone to abuse.

One key job of trust & safety is to red-team new features to think about how they might be abused and to prevent such abuses before they happen. But when you fire all the experienced trust & safety folks, you're going to continue to make these kinds of mistakes that make users way less safe, leading to significantly decreased trust.
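As an added illustration (not code from the article, Mashable, or ExTwitter), here is the kind of pre-release red-team check described above, in Python: a model of the display-only rewrite, a test for whether the host a reader sees differs from the host the click actually goes to, and a hardened rewrite that only fires when the whole host is twitter.com. The substring-replace rule and the sample URLs are assumptions; the real client logic is not public.

```python
import re
from urllib.parse import urlsplit

# Assumed model of the client's rule (it is not public): a case-insensitive
# substring replace of "twitter.com" with "x.com" applied to the visible label.
def naive_rewrite(label: str) -> str:
    return re.sub(r"twitter\.com", "x.com", label, flags=re.IGNORECASE)

def host_of(url: str) -> str:
    """Lowercased hostname of a URL or a bare domain."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()

def canonical_host(host: str) -> str:
    """Fold the one rename the platform intends (twitter.com -> x.com)."""
    if host == "twitter.com":
        return "x.com"
    if host.endswith(".twitter.com"):
        return host[: -len("twitter.com")] + "x.com"
    return host

def render_link(posted_url: str) -> dict:
    """Model of the flawed rendering: href untouched, visible label rewritten."""
    return {"href": posted_url, "label": naive_rewrite(posted_url)}

def label_misleads(link: dict) -> bool:
    """True when the host a reader sees is not the host the click goes to."""
    seen, real = host_of(link["label"]), host_of(link["href"])
    return canonical_host(seen) != canonical_host(real)

def safe_render_link(posted_url: str) -> dict:
    """Hardened: rewrite only when the whole host is twitter.com or a subdomain."""
    host = host_of(posted_url)
    if canonical_host(host) != host:
        return {"href": posted_url, "label": naive_rewrite(posted_url)}
    return {"href": posted_url, "label": posted_url}

def red_team(urls) -> list:
    """Pre-release check: posted URLs the rewrite would make look like another site."""
    return [u for u in urls if label_misleads(render_link(u))]

# Constructed sample links: the two domains from the article, a genuine
# twitter.com link, and a URL with the string only in its path.
SAMPLE_URLS = [
    "https://NetfliTwitter.com/login",
    "seTwitter.com",
    "https://twitter.com/techdirt/status/1",
    "https://example.com/twitter.com-guide",
]
```

Running `red_team(SAMPLE_URLS)` flags only the two look-alike domains, while `safe_render_link` leaves every sample with a label whose host matches its href.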
