Stumbling Upon a Twitter Vulnerability

Keith Koslowsky


Reading privacy policies and other legal documents on websites is important. I had read Twitter's privacy policy before, but I wanted to make sure nothing had changed. GDPR was coming, and seeing how they structured the page and spelled out the details seemed interesting. Starting on help.twitter.com, I went right to the footer, moused over the Privacy link, and did NOT click. The link target looked funny.

Twitter had linked its Privacy and Terms and Conditions pages to a domain that looks like twitter.com but was actually twittier.com. Most people would say: fat finger, a typo. I held my breath.

If you went to the front page of help.twitter.com, you would have seen the proper https://twitter.com/privacy URL. But on https://help.twitter.com/form the link was https://twittier.com/privacy. I found the same behavior on a few other pages.

What is the big deal?

Twittier.com looks a lot like twitter.com. You see a lot of this in email domain spoofing attacks: a bad actor buys a domain very similar to the legitimate one and then fools a user into clicking a link. If the user is not careful, the bad domain may be designed to look exactly like the reputable one. The deceitful site may ask you to log in, in which case you would be handing your username and password directly to the attacker, and malicious software (malware) could end up on your computer. The fact that Twitter could be linking to a possibly bad domain seemed worrisome. Even if the lookalike domain were owned by a well-meaning person who planned nothing evil, that person could be the victim of attackers going after the account credentials that control the domain, and the link would then point wherever the attacker chose.
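The check that would have caught the bad footer link, and the lookalike comparison described above, as an added example that is not part of the original post and not Twitter's code. It parses a constructed HTML footer modelled on the post's description, classifies every link's registrable domain against an assumed allow-list, and flags domains within a small edit distance of a trusted one. The allow-list, the sample markup and the two-label domain heuristic are assumptions; a production version would use the public suffix list and your organisation's real domain inventory.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample footer for this example; it mirrors the situation in the
# post (a Privacy link pointing at twittier.com) but is not Twitter's markup.
SAMPLE_FOOTER_HTML = """
<footer>
  <a href="https://twitter.com/tos">Terms</a>
  <a href="https://twittier.com/privacy">Privacy</a>
  <a href="https://help.twitter.com/form">Contact</a>
  <a href="/about">About</a>
</footer>
"""

# Assumed allow-list of domains the organisation owns and expects to link to.
TRUSTED_DOMAINS = {"twitter.com"}


class LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in the fed HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.hrefs


def registrable_domain(host):
    # Naive heuristic: keep the last two labels, so help.twitter.com -> twitter.com.
    # This is wrong for multi-label suffixes such as .co.uk; use the public
    # suffix list in real code.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance; twittier.com is one insertion away from twitter.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_link(href, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, domain): relative, trusted, lookalike or external."""
    parsed = urlparse(href)
    if not parsed.netloc:
        return ("relative", None)
    domain = registrable_domain(parsed.netloc)
    if domain in trusted:
        return ("trusted", domain)
    for known in trusted:
        if 0 < levenshtein(domain, known) <= max_distance:
            return ("lookalike", domain)
    return ("external", domain)


def audit_links(html, trusted=TRUSTED_DOMAINS):
    """Classify every link in the page; lookalike verdicts are the ones to escalate."""
    return [(href, *classify_link(href, trusted)) for href in extract_hrefs(html)]


if __name__ == "__main__":
    for href, verdict, domain in audit_links(SAMPLE_FOOTER_HTML):
        print(f"{verdict:9} {domain or '-':20} {href}")
```

Run against a crawl of your own site rather than one page: the post's point is that the front page was fine and only some deeper pages carried the bad link. Edit distance catches insertions like the extra "i" here; a single-character homoglyph swap (l for i, rn for m) also scores 1 and is flagged, but a fully different brand-themed domain would fall into the external bucket and still deserves a human look.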

It could be bad, but only if Twitter didn't own the domain.

The domain had WHOIS privacy protection enabled, so there was no way to know right away. Its name servers and registrar were both different from those of twitter.com. That doesn't mean it isn't owned by Twitter, but it was time to find out.

According to the Twitter security team, they do own the domain. Wonderful. I imagine they sit on lots of variations of their domain, which is sad but necessary.

Twitter acknowledged the issue and was quick to fix it.
