Report back from Twitter filter fuzzing.

What Twitter is blocking

  • Twitter is filtering links to known Mastodon instances, but still allows direct links to joinmastodon.org. The filtering seems to happen whenever Twitter's WYSIWYG editor recognizes a valid domain name and that domain happens to be a known Mastodon instance.
  • Twitter also allows linking to shortened URLs of mastodon profiles, but only once. Posting the shortened URL a second time doesn't work, implying there's some backend queue service that's checking the Location header of links and flagging the ones redirecting to Mastodon instances.

How to evade the filters

  • Email address spam evasion techniques work. Replacing '.' with ' . ' or [.] or [dot] all work.
  • URI encoding the hostname. Replace at least one of the characters in the hostname with its URI encoded version (ex: . -> %2E, https://infosec.exchange -> https://infosec%2Eexchange). Browsers are smart enough to URI decode anything you copy/paste into the address bar.
  • data: URIs. Twitter does not seem to check base64 encoded data: URIs. It is possible to create a data:text/html;base64,... base64 encoded HTML URI which can be copied into the address bar and will render as HTML. While Twitter will not render data: URIs (for obvious reasons), you can still copy/paste them (at your own risk, of course).
  • Base64. This seems silly, but we could communicate freely on Twitter by simply Base64 encoding our tweets. This could be accomplished via some Chrome extension.

Twitter's anti-Mastodon filtering is clown shoes amateur hour.🤡

Edit: as many have pointed out, adding a Mastodon link to the alt-text of your background image presumably still works, encoding the link as a QR code works, setting your Location or Display Name to your mastodon handle works. I only tested links to Mastodon instances in tweets.
Edit 2: someone set up a link shortening service that explicitly blocks Twitter from checking the links, which seems to be working: https://spacekaren.sucks/
Edit 3: Twitter has now formalized its Mastodon censorship policy: https://help.twitter.com/en/rules-and-policies/social-platforms-policy
Edit 4: now that I'm trending on HN, I should link to this other researcher on YouTube who did a much more in-depth analysis of Twitter's JavaScript and API requests: https://www.youtube.com/watch?v=oHg5SJYRHA0&t=1s

#twitter #birbsite #censorship #filtering #evasion #elmo #muskrat
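As an added example (not from the original post or any of the replies), here is the detection side of the evasions listed above: a small Python normalizer that undoes the spelled-out dots, the percent-encoded hostname and the base64 data: URI trick (including a meta refresh inside the decoded body, the technique a reply below describes) before matching against a blocklist. The blocklist, the sample tweets and all function names are constructed for this example.

```python
import base64
import re
from urllib.parse import unquote

KNOWN_INSTANCES = {"infosec.exchange", "mastodon.social", "hachyderm.io"}  # constructed demo blocklist, not Twitter's
# Spelled-out separators from the post (' . ', '[.]', '[dot]') plus the '(dot)' form.
DOT_VARIANTS = re.compile(r"\s*(?:[\[(]\s*(?:\.|dot)\s*[\])]|\s\.\s)\s*", re.I)
DOMAIN = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")
DATA_B64 = re.compile(r"data:[\w/+.-]*;base64,([A-Za-z0-9+/=]+)")
META_REFRESH = re.compile(r"""<meta[^>]*http-equiv=["']?refresh["']?[^>]*content=["'][^"']*url=['"]?([^'"\s>]+)""", re.I)

def normalize(text: str) -> str:
    """Undo the obfuscations the post lists so a hostname reads as a hostname again."""
    text = unquote(text)                 # https://infosec%2Eexchange -> https://infosec.exchange
    text = DOT_VARIANTS.sub(".", text)   # 'mastodon [dot] social' -> 'mastodon.social'
    return text.lower()

def decoded_data_uris(text: str) -> list:
    """Decoded bodies of any base64 data: URIs in the text (the post's data: URI trick)."""
    bodies = []
    for m in DATA_B64.finditer(text):
        try:
            bodies.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:               # binascii.Error is a ValueError subclass; skip junk payloads
            pass
    return bodies

def meta_refresh_target(html: str):
    """Target URL of a <meta http-equiv="refresh"> tag, or None (the refresh trick from a reply)."""
    m = META_REFRESH.search(html)
    return m.group(1) if m else None

def flagged_instances(text: str) -> set:
    """Known instance hostnames found in a tweet after normalization and data: URI decoding."""
    candidates = [normalize(text)]
    for body in decoded_data_uris(text):
        candidates.append(normalize(body))
        target = meta_refresh_target(body)
        if target:
            candidates.append(normalize(target))
    return {d for c in candidates for d in DOMAIN.findall(c) if d in KNOWN_INSTANCES}

# Constructed sample tweets exercising each evasion listed in the thread.
SAMPLE_HTML = "<meta http-equiv=\"refresh\" content=\"0; URL='https://hachyderm.io/@x'\">"
SAMPLE_TWEETS = {
    "encoded": "Find me at https://infosec%2Eexchange/@someone",
    "spelled": "mastodon [dot] social, or hachyderm . io",
    "data_uri": "data:text/html;base64," + base64.b64encode(SAMPLE_HTML.encode()).decode(),
    "allowed": "Learn more at https://joinmastodon.org",
}
```

The spaced-dot rule deliberately favours recall over precision, so a filter built this way needs a review step for false joins across sentence boundaries.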

Space Karen Sucks

Free speech really should be free. To bypass the new censorship regime at twitter, use this URL shortener to link to Mastodon or other censored destinations. Considering recent policy decisions on twitter, please be aware that use of links generated from this site may constitute a violation of their policy.

Also, TIL you can put a meta-redirect inside of a data:text/html URI and it will indeed redirect. That will probably come in handy at some point.
Also TIL, <script> works just fine in data:text/html URIs, despite me having NotScript installed... Also remembering that one for later.
@postmodern this sounds like a loophole that browser makers need to close. Could it be used for XSS?
@m0rjc not technically, the HTML/JS is rendered in its own new context, so I cannot access any other website's context.

@postmodern - I tried using a shortened URL using my own shortening system (not public) - didn't work. Not even the first time.

Also, using htaccess to redirect didn't work.

However meta "refresh" (not redirect) did work because Twitter only sees that file, not the final destination, as it were.

Add the following HTML to a blank html file:

<html>
<head><meta http-equiv="refresh" content="0; URL='https://your-mastodon-url'" /></head>
</html>

@postmodern "Twitter's anti-Mastodon filtering is clown shoes amateur hour" — An index of the fact that they are operating without proper staffing.
@jbomukti @postmodern Or the staff know precisely what they are doing.

@postmodern Got the idea from somebody else but adding a QR code with the link as your avatar is another way that works and it's "user friendly"

https://paquita.masto.host/@brucknerite/109523456624852467

Iván Rivera :veritrek: (@[email protected])

Attached: 1 image Since the burning little bird is cutting all links to #Mastodón, it occurred to me to put the link to my profile as a QR code. I have also tagged Melón Mustio, just in case he feels like following me over here :ablobpeekjohnny: It would be a shame if more people did this.

Mastodon

@j3j5 @postmodern

What's the best way to promote a Mastodon address? If you put a link to a specific server, and you don't have an account on that server, it won't give you the follow options (this is in the browser) - instead I have to go to my server and search on the username. Is there a less clunky, one-click way to work around this?

@AmericanScream There is no "native" one click way of doing it afaik. I know there are a few browser extensions that allow you to follow on one click between different servers. If you want to promote in Twitter, I think the best is to add the @username@instance so the migration tools can pick it up. If you want to do it on your own site, I guess you can ask the user for their instance and point them to your user there. Ex. https://c.im/@[email protected]

@postmodern

Julio J. 🀲 (@[email protected])

827 Posts, 604 Following, 125 Followers · #Backend engineer, #PHP & #Laravel tinkerer, #BotMaker I like #openData #science #urbanism #bikes and other weird things. ES 🌎 @[email protected] #GoodBots #BotsGüenos #fedi22 #tfr

Hachyderm.io
@postmodern dont make this public... they will read it and block it.. :|
@ecosurrealism but then no one will know how to evade the filters. Filter evasion is an arms race. The end-game is forcing the filter-ers to give up, because there's simply too many variations and edge-cases to be able to block them all.
@postmodern good point, I don't know the details of it all. But it makes sense. Hardware is expensive.. and makes #elonmusk lose more money! 
@postmodern Putting the handle inside the "Location" field on your profile also works.
@postmodern I was wondering about that, communicating in base64. Good thing MelonSuk wants to increase post chars to 4K. That's a lot of garbage data to tweet and really bloat their databases.
@postmodern I think the main goal must be to foil the automated follow list exporters like Debirdify. If so, there might be an arms race where exporters recognize more encodings and Twitter plays catch-up.
@justinfagnani @postmodern a link wouldn't even be needed, something like (@)[email protected] is enough
@sheean @justinfagnani @postmodern I ended up using :
Find me [at]
[My Twitter handle] [at]
[Purple app with the M on it]
[dot]
[social]
@jmdembe @justinfagnani @postmodern
2002: obfuscating addresses so the bots can't find you
2022: obfuscating addresses so the bots CAN find you
Tesla engineers and h1-b indentured servants
@postmodern mastodon links work in alt-text images on Twitter (for now)
@postmodern I just went to modify my handle and it wouldn't let me use brackets. Hopefully parentheses also work for evasion...
@postmodern I have the same conclusion. On top of that, it seems that once it's flagged, even if you change what the link points to, it will still be flagged. It's probably possible to do the reverse: post a link that will later resolve to an instance.
In my experience, any short 301/302 to a known instance will be flagged instantly.
@postmodern I remember base64 encoding posts on miiverse and getting bans for "illegal content" lol
Hazel Weakly :verified_trans: (@[email protected])

legit-elephant.lol/@yourhandle@yourinstance now works as a redirection that _should_ be unblockable by twitter... I think. it'll also work for: legit-elephant.lol/@yourhandle@yourinstance/$POST_ID So yeah, fuck it, I wrote the most ugly javascript redirection bullshit you've ever seen. LETS FUCKIN GOOOOOO #crimes #mastodon #hackyderm #hachyderm

Hachyderm.io
This is a concerning development.
@postmodern If you edit this to add a Twitter CW, I'll boost it.
@postmodern So... Most of the developers were fired or quit and this is what he has those who remain wasting their time on? Now he is all over the News for this nonsense and this reduces Mastodon's public profile and stems the exodus exactly how? Absolute clown behaviour, and not just because of the technical ineptitude.
@postmodern the @joinmastodon twitter account was banned yesterday
@postmodern I encountered interesting behaviour. When I was posting links to blocked instance domains via regular URL shorteners, they appeared fine to me, but the tweets were not visible to any other account (other accounts would see "This tweet is not available")
@postmodern example here. I've quoted the tweet that's hidden from everyone but the posting account https://twitter.com/EveryMastodon/status/1603691447487991810?cxt=HHwWhMDUjf63usEsAAAA
Every Mastodon Server on Twitter

“Lol, this tweet is being hidden from everyone but me.”

Twitter

@postmodern why stop at base 64?

https://github.com/carnage/nosignal

A little toy project I built which implements signal protocol over copy & paste. :p

@postmodern Also the encoding/decoding could be done by a plugin on machine? ;) Not to give anyone ideas ;)
@postmodern Somewhat ironic that the self appointed champion of free speech pays people to find new ways of suppressing alternatives.
@muellerwhh @postmodern Whoever fell for that marketing gigab his I'm feeling very sorry for
@Nika2022 @postmodern Well, I was expecting something like that but not so quick and obvious.
@postmodern Someone shared with me just their mastodon account link via DM and Twitter hit me with a malicious link warning. Petty, really petty.
@postmodern I bet whoever implemented it deliberately left holes in it out of laziness and knowing that it's a bad idea.
@postmodern I'm sure it passed elon's code review

@postmodern

Another Mastodon user observed that alt text isn't being scanned, so you can post a screenshot of your Mastodon address and then put the address in the alt text.

@postmodern
Also not filtered:
QR-Codes and ALT-Text

Example: https://twitter.com/wvs_muc/status/1603873131588116482

Werner (@[email protected]) on Twitter

“https://t.co/RhuCsyw5xX”

Twitter
@postmodern who cares, lol.
@retrohondajunki it's an interesting challenge, but if you don't care then ignore it and go about your day.
@postmodern I wonder how many remember ROT-13. That brings back memories of USENET.
@m0rjc I thought about ROT-13. It is vulnerable to plain-text attacks, so Twitter could filter for the ROT-13 of the various mastodon server names. However, we could then shift to ROT-n where n != 13, which would force Twitter to then have to filter all the ROT-n variations of all the mastodon servers. Filtering is an arms race, and you just have to get the other side to give up due to complexity.
@m0rjc also XOR with a single character, and then a multi-character key, is also on the table. We could instruct Twitter users to use CyberChef or some other free online XOR encryptor/decryptor website.
@postmodern I was also able to change my Twitter display name to my Mastodon username. https://zirk.us/@yingtai/109528240337006284
Yingtai (@[email protected])

Attached: 1 image Loophole in Musk's censorship of all things Mastodon: I couldn't post a link in a tweet or profile bio, BUT I was able to change my Twitter display name to my Mastodon username yesterday. #TwitterMigration services like Debirdify (link below) should be able to work with this format. https://mstdn.social/@feditips/109332410803423486 #TwitterMigration

zirkus
@postmodern Automated tools like #fedifinder and #debirdify recognize fediverse handles in the @<user>@<instance.tld> and <user>@<instance.tld> format. Both are just text for Twitter and aren't blocked. Additionally, users can easily copy them and paste them into the search of their instance to find, view and follow the account.

@postmodern
It's interesting they are putting this much effort into it.

The best way to bypass this though is...STOP USING TWITTER.