Report back from Twitter filter fuzzing.

What Twitter is blocking

  • Twitter is filtering links to known Mastodon instances, but still allows direct links to joinmastodon.org. The filtering seems to happen whenever Twitter's WYSIWYG editor recognizes a valid domain name and that domain happens to be a known Mastodon instance.
  • Twitter also allows linking to shortened URLs of Mastodon profiles, but only once. Posting the shortened URL a second time doesn't work, implying there's some backend queue service that's checking the Location header of links and flagging the ones redirecting to Mastodon instances.

How to evade the filters

  • Email address spam evasion techniques work. Replacing '.' with ' . ' or [.] or [dot] all work.
  • URI encoding the hostname. Replace at least one of the characters in the hostname with its URI encoded version (ex: . -> %2E, https://infosec.exchange -> https://infosec%2Eexchange). Browsers are smart enough to URI decode anything you copy/paste into the address bar.
  • data: URIs. Twitter does not seem to check base64 encoded data: URIs. It is possible to create a data:text/html;base64,... base64 encoded HTML URI which can be copied into the address bar and will render as HTML. While Twitter will not render data: URIs (for obvious reasons), you can still copy/paste them (at your own risk, of course).
  • Base64. This seems silly, but we could communicate freely on Twitter by simply Base64 encoding our tweets. This could be accomplished via some Chrome extension.

Twitter's anti-Mastodon filtering is clown shoes amateur hour. 🤡

Edit: as many have pointed out, adding a Mastodon link to the alt-text of your background image presumably still works, encoding the link as a QR code works, setting your Location or Display Name to your Mastodon handle works. I only tested links to Mastodon instances in tweets.
Edit 2: someone set up a link shortening service that explicitly blocks Twitter from checking the links, which seems to be working: https://spacekaren.sucks/
Edit 3: Twitter has now formalized its Mastodon censorship policy: https://help.twitter.com/en/rules-and-policies/social-platforms-policy
Edit 4: now that I'm trending on HN, I should link to this other researcher on YouTube who did a much more in-depth analysis of Twitter's JavaScript and API requests: https://www.youtube.com/watch?v=oHg5SJYRHA0&t=1s

#twitter #birbsite #censorship #filtering #evasion #elmo #muskrat

Space Karen Sucks

Free speech really should be free. To bypass the new censorship regime at twitter, use this URL shortener to link to Mastodon or other censored destinations. Considering recent policy decisions on twitter, please be aware that use of links generated from this site may constitute a violation of their policy.
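
The percent-encoding and dot-replacement bullets in the post above come down to a filter matching on the text as typed instead of on a canonical hostname. The Python sketch below is an added example, not part of the original post and not Twitter's code, and it shows that gap from the filter side. The blocklist entry, function names and sample strings are constructed for illustration, and the data: URI and Base64 cases are not covered.

```python
import re
from urllib.parse import unquote

# Constructed blocklist; infosec.exchange is the host used in the post's example.
BLOCKED_HOSTS = {"infosec.exchange"}

# Dot stand-ins named in the post: ' . ', [.] and [dot].
_DEFANGED_DOT = re.compile(r"\s*(?:\[\.\]|\[dot\])\s*|\s+\.\s+", re.IGNORECASE)
# Anything that looks like a hostname, with or without a scheme in front.
_HOSTNAME = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def naive_match(text: str) -> bool:
    """Match the blocklist against the raw text, exactly as typed."""
    lowered = text.lower()
    return any(host in lowered for host in BLOCKED_HOSTS)


def canonical_hosts(text: str) -> set[str]:
    """Extract hostnames after undoing percent-encoding and dot stand-ins."""
    decoded = unquote(text)                     # infosec%2Eexchange -> infosec.exchange
    refanged = _DEFANGED_DOT.sub(".", decoded)  # infosec [dot] exchange -> infosec.exchange
    return {m.group(1).lower() for m in _HOSTNAME.finditer(refanged)}


def canonical_match(text: str) -> bool:
    """Match the blocklist against canonical hostnames, subdomains included."""
    return any(
        host == blocked or host.endswith("." + blocked)
        for host in canonical_hosts(text)
        for blocked in BLOCKED_HOSTS
    )


if __name__ == "__main__":
    # Constructed sample posts, one per variant described in the post.
    samples = [
        "https://infosec.exchange/@user",
        "https://infosec%2Eexchange/@user",
        "find me at infosec [dot] exchange",
        "find me at infosec . exchange",
        "infosec[.]exchange",
        "https://joinmastodon.org",
    ]
    for s in samples:
        print(f"{s!r:45} naive={naive_match(s)!s:5} canonical={canonical_match(s)}")
```

The ' . ' rule will also fire on ordinary text that happens to have a spaced period between two words, so a real filter would have to weigh that false-positive rate against the coverage.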

@postmodern Got the idea from somebody else but adding a QR code with the link as your avatar is another way that works and it's "user friendly"

https://paquita.masto.host/@brucknerite/109523456624852467

Iván Rivera :veritrek: (@[email protected])

Attached: 1 image Since the little bird in flames is cutting off all links to #Mastodón, it occurred to me to put the link to my profile up as a QR code. I have also tagged the Melón Mustio, just in case he feels like following me over here :ablobpeekjohnny: It would be a shame if more people did this.


@j3j5 @postmodern

What's the best way to promote a Mastodon address? If you put a link to a specific server, and you don't have an account on that server, it won't give you the follow options (this is in the browser) - instead I have to go to my server and search on the username. Is there a less clunky, one-click way to work around this?

@AmericanScream There is no "native" one click way of doing it afaik. I know there are a few browser extensions that allow you to follow in one click between different servers. If you want to promote on Twitter, I think the best is to add the @username@instance so the migration tools can pick it up. If you want to do it on your own site, I guess you can ask the user for their instance and point them to your user there. Ex. https://c.im/@[email protected]

@postmodern
