Twitter seems to suffer a crucial design flaw that threat actors can exploit to target users. As discovered, the Twitter Cards feature seems vulnerable to manual manipulation by hackers. Exploiting the vulnerability can let an attacker target users with malware attacks, phishing and ad scams.
Twitter Cards Vulnerability
Reportedly, a Twitter Cards vulnerability can allow threat actors prey on Twitter users. The flaw primarily exists in the way Twitter Cards display shared URLs. Upon manipulation by an adversary, the tweet will show the Twitter Card for one website, whereas redirect to an entirely different site when clicked.
The issue first surfaced online when Terence Eden noticed the flaw when he actually came across a malicious tweet. What he encountered was a tweet promoting a cryptocurrency scam showing a CNBC link. However, it actually redirected to an entirely different website upon clicking. Eden shared his findings in a detailed blog post.
Twitter Cards is a rich media block offered when users link to a website. As described by Twitter,
With Twitter Cards, you can attach rich photos, videos and media experiences to Tweets, helping to drive traffic to your website. Simply add a few lines of markup to your webpage, and users who Tweet links to your content will have a “Card” added to the Tweet that’s visible to their followers.
Twitter explains further explains this feature by gathering metadata information from the sourced HTML pages via Twitterbot. That is where the problem exists.
In the absence of meta tags, when the spam website sees the Twitter Card Generator showing a preview of some other website, it will redirect to the other website. Eventually, the Twitter card will display the information from the site it landed on after redirection. Whereas, it will continue to link to the site originally sourced.
The Problem Still Persists
BleepingComputer recently confirmed that the problem still persists. They also verified this bug as demonstrated in their PoC. They could easily manipulate the Twitter Card to display Dropbox URL that actually redirected to their spoof page.
What’s more troublesome is that despite being known for at least a few months, the flaw remains unpatched. While it is also under active exploitation even before public disclosure. Moreover, it is also seemingly impossible to detect this card spoofing. Hovering over the Card will only show a shortened URL with no hints of the actual site. And, detecting this behavior with Twitter’s Card Validator is also not possible.
Therefore, one can guess the extent of dangers associated with this vulnerability. From spreading fake news to phishing scams and malware attacks, the malefactors can exploit this bug for any malicious activity.
Ironically, the same issue exists with Facebook as well. However, they acknowledge its existence as ‘intended behavior’.
As revealed via a tweet,
Facebook has the exact same problem, as in it only reads the <meta> tags and displays that on the cards, regardless of the actual website domain / title / etc
I reported it to them as a phishing vulnerability, they said it was working as intended 🤷🏻♀️ pic.twitter.com/NFdEmmvMrL
— avellar (@aveIIar) July 17, 2019
Presently, it is unclear if Twitter has any plans to fix this bug anytime soon.
Let us know your thoughts in the comments.