
Twitter accounts are being hijacked for spam - edent
https://shkspr.mobi/blog/2019/05/warning-do-not-click-on-twitter-ads/
======
tacosx
21 years ago was the first time I saw malware delivered over advertising on
the web. 1998. I started blocking ads by manually managing my hosts file that
day, for the most part I haven't looked at ads since.

I'm still not sure why we're now basing our entire economy around advertising
crap to people that they don't want or need, the web was ad free and worked
great for many years before all this nonsense.

The fact that most all of the smart people in tech have been subsumed into ad
tech is one of the most depressing things I could have possibly imagined 21
years ago. What a massive misuse of resources.

~~~
Thorrez
>I'm still not sure why we're now basing our entire economy around advertising

I see 3 models for websites: completely donation based, advertising based, or
subscription based. Many sites would have trouble getting the donations they
would need to operate. Subscription based means only rich people can afford to
use it. Advertising means poor people get the same functionality as rich
people.

~~~
sandworm101
There have been some very interesting experiments in this area. Going back to
the 90s, smaller websites once gathered together to form communities under a
single subscription fee. In some advanced groups each website was given a
share based on traffic. This allowed a single reasonable subscription to back
a great many independent websites.

As with most things on the internet, the porn industry did it first.

~~~
Thorrez
>a single reasonable subscription

That subscription might be reasonable for a middle class person in the US, but
way too expensive for the average person in a poorer country. Ads put everyone
on the same footing.

And if you want to do research on a topic across many different websites,
it'll happen that they won't all be in the same community, so you'll have to
pay subscription fees to many different communities, sometimes just for a
single page view.

------
Zelphyr
I had two accounts (done because at the time I didn’t realize you could change
your account handle); one I rarely used and one I used daily. I went to log in
to the rarely used one and the password didn’t work nor did recovery. It had
been hacked. Nothing I did could get it back and Twitter just shrugged and
said sucks to be me. So I cancelled the daily use one. Not just because of
that mind you. Twitter has become a cesspool anymore and I realized it was
making me unhappy more than it was contributing to my life. If, by some
miracle I manage to get the other account back I’ll cancel it too.

~~~
noitsnot
Maybe I'm doing it wrong, but I don't have time to find and filter out decent
followers. I signed up back in 2005 and couldn't tell you when it wasn't a
cesspool for awful posts and comments.

~~~
tomjakubowski
Twitter didn't launch until 2006, I thought. —an '07

~~~
noitsnot
You're right. I verified what my profile displays, so I can correct my signup
date as 2008. 10+ years isn't too shabby, though.

------
beager
One thing which I didn’t see clarified here was the deceptive CNN domain.
Either the preview card can be exploited to spoof CNN (bad on twitter) or
CNN.com has an open redirect (bad on CNN).

~~~
edent
The preview card can be exploited by Twitter.

Visit [https://cards-dev.twitter.com/validator](https://cards-dev.twitter.com/validator)
and paste in the spam URL there. You'll see that the validator warns that it
is being redirected, but follows it anyway.

CNN is blameless (as far as I can tell).

~~~
beager
So the exploit is fake site -> user-agent specific redirector -> CNN. That
would clear CNN.

I’m thinking through how Twitter would combat something like this. IMO they
would flag new domains for manual approval (or hey, require TFA for self-serve
ad accounts!) but both of these add to the cost and friction of their adtech.

Always a bummer when good security practice gets overruled by the need to
squeeze every cent of revenue they can.

~~~
rubyfan
Maybe twitter could show something on the card “CNN.com via
malicious.example.com”? Personally I like knowing when I’m clicking a tracked
or affiliate link anyway.

~~~
liability
I'm not sure how many people that would work for. If malicious.example.com
were some pithy little domain on a trendy ccTLD like bit.ly, I think most
twitter users would ignore it, assuming it was yet another URL shortener.
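An added example (not code from the post or from Twitter) of the two defensive ideas in this subthread: resolving the fake site -> user-agent-specific redirector -> CNN chain beager describes, labelling the card "cnn.com via malicious.example.com" as rubyfan suggests, and flagging a link whose final destination differs for the card crawler and a real browser. The web is a constructed in-memory stub; the hostnames, user agents and `fake_fetch` helper are assumptions for the demo.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a cloaking redirector: the response each URL gives
# depends on the requesting User-Agent. No network access is performed.
CONSTRUCTED_WEB = {
    "https://malicious.example.com/promo": {
        "Twitterbot/1.0": (302, "https://cnn.com/2019/05/story"),        # crawler sees CNN
        "Mozilla/5.0 (iPhone)": (302, "https://crypto-giveaway.example.net/"),  # users see scam
    },
    "https://cnn.com/2019/05/story": {"*": (200, None)},
    "https://crypto-giveaway.example.net/": {"*": (200, None)},
}

def fake_fetch(url, user_agent):
    """Return (status, location) for url as seen by user_agent (assumed helper)."""
    responses = CONSTRUCTED_WEB.get(url, {"*": (404, None)})
    return responses.get(user_agent, responses.get("*", (404, None)))

def follow_redirects(fetch, url, user_agent, max_hops=10):
    """Walk the redirect chain and return every URL visited, first to last."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], user_agent)
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        chain.append(location)
    raise RuntimeError("too many redirects")

def host(url):
    return urlsplit(url).hostname.lower()

def preview_label(chain):
    """Show where the click starts, not only where the crawler ended up."""
    hosts = [host(u) for u in chain]
    if len(set(hosts)) == 1:
        return hosts[0]
    return f"{hosts[-1]} via {hosts[0]}"

def detect_cloaking(fetch, url, bot_ua, browser_ua):
    """True when the crawler and a browser land on different final hosts."""
    bot_chain = follow_redirects(fetch, url, bot_ua)
    browser_chain = follow_redirects(fetch, url, browser_ua)
    cloaked = host(bot_chain[-1]) != host(browser_chain[-1])
    return cloaked, bot_chain, browser_chain
```

Re-fetching with a second, browser-like user agent is the check the card validator described above does not perform; it follows only its own redirect chain.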

------
hombre_fatal
It's a good reminder that you can't just build the registration and onboarding
processes to filter out spammers.

You have to ensure that the damage is limited and reversible even if your
trusted users (or worse, staff) are hacked or turn malicious. Though this
system is usually harder to build and generalize.

------
paulpauper
It's not that twitter is not doing anything, but that scamming people out of
crypto currency and money is very lucrative owing to human gullibility and the
viralness of the twitter platform, so scammers have an incentive to keep
finding loopholes after twitter closes existing ones. And most scammers fail
to bypass twitter security measures, so all you're seeing is the ones who
succeeded. If 90 scammers fail and 10 find a loophole, then those 10 will
proliferate until twitter fixes it again. It's sorta like a virus that
acquires drug persistence.

------
amingilani
The guy whose tweets are being used as examples is still hacked and while this
discussion is going on has no idea how to fix his account.

The author could've used screenshots, but he wanted to use a live example, so
instead of giving the non-technical person a straight link to ads.twitter.com,
he just told him he'd written an article on the problem [0]

[0]:
[https://twitter.com/Fishblogger/status/1132737507827834885?s...](https://twitter.com/Fishblogger/status/1132737507827834885?s=19)

------
Sephr
This vulnerability is an intentional "feature" in Bing, Google, and Twitter.

1. [https://twitter.com/sephr/status/1056626456770428929](https://twitter.com/sephr/status/1056626456770428929)

2. [https://twitter.com/sephr/status/1055751684146655232](https://twitter.com/sephr/status/1055751684146655232)

------
anonymous5133
The big problem here is that people create accounts on multiple sites and then
reuse the username/passwords on many sites. Then, one of the sites gets
hacked, the database gets leaked with unencrypted passwords. Eventually this
database gets passed around the internet for anyone to use. Now people simply
go down the list trying to log in with these username/password combos on every
site.

------
alfiedotwtf
My account has been suspended in the past 2 weeks. Having gone through their
support page a few times, I have yet to receive an email about the reasoning.

I'll be setting up a Mastodon machine soon, deleting my Twitter account, and
making sure that my posts are forever owned by myself and my online voice
can't ever be taken away from me again.

------
CheckBlanket
The images are of type .webp which may fail to load in Safari (at least for
me), maybe have them in a more accessible format?

~~~
edent
My server is designed to serve webp only to devices which accept them. So
Safari should show jpg / png.

Obviously, if you load the image directly, it'll still be webp.

~~~
scrollaway
How do you do it? Looking at the code, it doesn't seem to be based on the
Accept headers or on figure/imageset tricks. UA sniffing?

~~~
edent
I'm using LiteSpeed Cache Management plugin for WordPress.

It has fiddled my .htaccess to

    # Match when the client advertises webp support in its Accept header...
    RewriteCond %{HTTP_ACCEPT} "image/webp" [or]
    # ...or when the User-Agent contains "Page Speed"
    RewriteCond %{HTTP_USER_AGENT} "Page Speed"
    # Set an environment variable LiteSpeed Cache reads to add "+webp" to its vary value
    RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]

But... now I think about it, I probably still have CloudFlare caching on.
Which means that won't get hit some of the time. Hmmmm.... Let's see if my
server can survive HN without a CDN.

~~~
nitrogen
You should be able to send a _Vary: Accept_ header to the cache to have it
cache all image types.

~~~
judge2020
If CF is caching, this won't work.
[https://support.cloudflare.com/hc/en-us/articles/217343117-W...](https://support.cloudflare.com/hc/en-us/articles/217343117-What-headers-can-I-vary-the-cache-on-)

------
paul7986
I had a twitter account from 2007 to 2016; enjoyed using it. Though the email
attached to it I lost access to and Twitter doesn't care to help you get your
account back. I haven't used Twitter since!

~~~
toephu2
To be fair, how could they if you lost access to the only verifiable point of
contact associated with your Twitter account?

------
simonebrunozzi
Something similar happened to me on May 23rd, 2019 (three days ago) [0], where
I ended up losing my Twitter account.

Essentially, my t-mobile mobile phone number was hijacked (despite my having a
PIN, which the attacker didn't need - poor security practice by t-mobile), and
after that they proceeded to change the password of my Twitter account using
the phone.

Thankfully I was close to a t-mobile shop in San Francisco, and ~40 minutes
later I regained control of my SIM card. Nothing else has been affected so
far.

FYI, T-mobile can't be sued for damage resulting from something like this. We
have to "thank" judge Scalia for this.

As of now, Twitter is slowly responding to my issue, despite my having had a
few friends there try to help.

[0]:
[https://news.ycombinator.com/item?id=19998553](https://news.ycombinator.com/item?id=19998553)

~~~
mieseratte
> We have to "thank" judge Scalia for this.

Thank your legislature, not your judiciary.

