A long standing Twitter issue allows bad actors to manipulate tweets so that they appear to contain content from one site, but actually link to a completely different one. This enables creating tweets that look like legitimate articles from well-respected sites, but actually link to pages serving phishing, malware, or scams.

Whenever you share a new link in a tweet, Twitter will send a bot to the linked web page and check for special meta tags in the HTML source. If these tags exists, Twitter will use the information in the page to create a rich media block called Twitter Cards that is filled with additional text, images, or video.

Bad actors, though, can manipulate how Twitter accesses a linked to page so that the Twitter cards are created from metadata found on another site.

Issue has been exploited

Terence Eden discovered that a problem occurs when a page linked in a tweet monitors for the Twitter Card Generator's user agent of "Twitterbot/1.0." If the user agent is detected, it will redirect the bot to a different page; otherwise, it will display the normal content.

When the Twitter Card Generator is redirected, it will use the metadata on the page it landed on to create the Twitter Card. While the card will look like it came from the redirected site, it will still link to the URL originally posted in the Tweet.

As you can see, it is easy to see how this could help malicious actors.

Eden found this after noticing a promoted tweet from an account that currently has a low follower count and an even smaller list of followers.

The tweet was a cryptocurrency scam about Singapore and while the card showed a story from CNBC, clicking on it led to a completely different website.

Looking at the source code of the app, the redirect was revealed. Checking the link with Twitter's Card Validator also shows that the card is redirected to CNBC's website.

This could be an intended behavior to allow entities with a single brand but multiple domain names (international) to publish content and avoid confusion among their followers. Companies that use a proxy to collect statistics also benefit from this.

Great danger ahead

Misinformation is one of the risks stemming from this, but it can be abused for more dangerous activities. Phishing and malware are the most obvious perils.

Cybercriminals can launch a website prepared with meta tags for Twitter that describe a legitimate source and host all sorts of threats.

BleepingComputer has tested this theory and set up a proof-of-concept page that looks like Dropbox's login panel. With the proper metadata, tweeting a link to the demo page looks like this:

Clicking on the card takes users to a page on our site that looks just like Dropbox login at a cursory glance. The URL in the address bar and some elements in the interface betray the spoofing as we are not professional scammers.

If you want to see how the PoC behaves in Twitter, check out the tweet below. Provided a better text and a profile that appears more trustworthy, the attempt would fool a lot of people.

There is no easy way to discover that the card has been spoofed because the link does not show in the tweet (only when it is embedded); hovering over the URL shows in the browser only its shortened version from Twitter.

The same behavior is present on Facebook specifically in the interest of businesses, for the aforementioned reasons. When this was reported to them by Avellar, Facebook replied that someone determined to spoof a share displayed through their platform there are already ways to achieve it:

Facebook has the exact same problem, as in it only reads the tags and displays that on the cards, regardless of the actual website domain / title / etc



I reported it to them as a phishing vulnerability, they said it was working as intended pic.twitter.com/NFdEmmvMrL — avellar (@aveIIar) July 17, 2019

BleepingComputer reached out to Twitter for a statement about this problem and if it would be fixed in the near future but received no reply at the time of publishing.

h/t Maxim Leyzerovich