Stumbling Upon a Twitter Vulnerability

Reading privacy policies on websites and other legal documents is important. I have read Twitter's privacy policy before, but I wanted to make sure nothing had changed. GDPR was coming, and seeing how they structured their page and spelled out the details seemed interesting. Starting on, I went right to the footer. I moused over the Privacy link and did NOT click. It looked funny.

Twitter linked their Privacy and Terms and Conditions to a domain that looks like but was actually Most people would say, oh, fat finger. Typo. However, I held my breath.

If you were to go to the front page of you would have seen the proper URL. But on it was There were a few other pages where I found the same behavior.

What is the big deal? looks a lot like You see a lot of this in email domain spoofing attacks. The idea is that a bad actor buys a domain very similar to the legitimate one and then fools a user into clicking a link to it. If the user is not careful, the bad domain may be built to look exactly like the reputable site. The deceitful site may ask you to log in, so you would be handing your username and password directly to the enemy, and malicious software (malware) could potentially be put on your computer. The fact that Twitter could be linking to a possibly bad domain seemed worrisome. Even if the lookalike domain was owned by a well-meaning person who didn't plan on doing anything evil, they could become the victim of attackers going after their login credentials.
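The defensive counterpart to what is described above is to audit a site's own pages for links whose host is a near-match of the site's domain. The following is an added example, not code from the original post or from Twitter: it extracts hrefs from a constructed footer, folds common homoglyph swaps, and flags hosts within a small edit distance of a hypothetical trusted domain (example.com).

```python
import re
from urllib.parse import urlsplit
# Hypothetical trusted domain for this example (constructed; not Twitter's real pages).
TRUSTED_DOMAIN = "example.com"
# Character swaps commonly used to build lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(label: str) -> str:
    """Fold common homoglyph substitutions so 'exarnple' compares equal to 'example'."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str, trusted: str = TRUSTED_DOMAIN, max_dist: int = 2) -> bool:
    """True when the host's registrable domain is near, but not equal to, the trusted one."""
    # Last two labels approximate the registrable domain; real tools use the public suffix list.
    cand = ".".join(host.lower().rstrip(".").split(".")[-2:])
    if cand == trusted:
        return False
    return normalize(cand) == normalize(trusted) or edit_distance(cand, trusted) <= max_dist

def find_suspicious_links(html: str, trusted: str = TRUSTED_DOMAIN) -> list:
    """Return every href on the page whose host is a lookalike of the site's own domain."""
    hrefs = re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I)
    flagged = []
    for href in hrefs:
        host = urlsplit(href).hostname
        if host and is_lookalike(host, trusted):
            flagged.append(href)
    return flagged

# Constructed footer whose Privacy and Terms links point at lookalike domains.
SAMPLE_FOOTER = """<footer>
<a href="https://example.com/about">About</a>
<a href="https://help.example.com/">Help</a>
<a href="https://exarnple.com/privacy">Privacy</a>
<a href="https://examp1e.com/tos">Terms</a>
<a href="https://unrelated.org/">Partner</a>
</footer>"""
```

Subdomains of the trusted domain are not flagged, while `exarnple.com` and `examp1e.com` are; run `find_suspicious_links(SAMPLE_FOOTER)` to see the two flagged hrefs.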

It could be bad BUT only if Twitter didn't own the domain.

The domain had privacy protection enabled, so there was no way to know right away. Looking at the name servers and registrar, both were different from That doesn't mean it is not owned by Twitter, but it was time to find out.

According to the Twitter security team, they do own the domain. Wonderful. I can imagine they sit on lots of variations of their domain, which is sad, but necessary.

Twitter acknowledged the issue and was quick to fix it.
