"A security researcher uncovered a Twitter vulnerability in its link shortener. The vulnerability allowed an attacker to craft a malicious URL that, if a user clicked on it, would grant the attacker access to the user's account. The researcher reported the vulnerability to Twitter's bug bounty program, which closed the report as not worthy of a bug bounty. So the researcher published the vulnerability. Immediately Twitter takes its link shortener offline for hours while they fix it.

But the press is only reporting on an hours-long X/Twitter link shortener outage, and has completely missed the security issues that led to it.

Molly White's coverage of the vulnerability (sorry for the Xitter link but that's just the problem, literally no one else is covering this): https://twitter.com/molly0xFFF/status/1734965774517768471 "

Disclosure: https://x.com/shoucccc/status/1734802168723734764?s=20

(All quoting a friend on a private slack)


@adamshostack
Reposting the content here so you don't have to get tainted:

Molly White @molly0xFFF

twitter not paying whitehats. what could go wrong?

this one just disclosed a vulnerability that would have allowed people to gain control of the twitter accounts of users who merely clicked malicious links

@RealGene @adamshostack

Don't suppose you can drag that post over to your Mastodon, @molly0xfff ? I was surprised to find it wasn't already crossposted here.

@Two9A I could, I mostly avoid posting about twitter stuff on mastodon because I get the impression people here are pretty sick of hearing about The Bad Place
@molly0xfff @Two9A Oh did you look at the @ on my post? 😂🤷

@molly0xfff
Nolite te Bastardes Carborundorum

@Two9A

@molly0xfff
Also, those people could just filter Twitter and never see it. I don't understand the users that complain rather than using the tools afforded them!

@Two9A

@molly0xfff @Two9A I think best practice there is to either hashtag it with #twitter or #birdsite (optionally putting it behind a content-warning with those).

Then you get the best of both worlds - the content and conversation that comes from it is in a place other than somewhere Elon controls access, and folks who really don't want to see it can hide easily.

Molly White (@[email protected])

Attached: 4 images twitter not paying whitehats. what could go wrong? this one recently disclosed a vulnerability that would have allowed people to gain control of the twitter accounts of users who merely clicked malicious links #twitter #birdsite

Hachyderm.io
@adamshostack If it's happening on X, I don't care what they're doing. Anyone still using that service deserves what they get.

@adamshostack

Reminds me to note that you do not need to use a link shortener on #Mastodon

And now you know why you should not.

@[email protected]

hXXps://t.co/elon

@adamshostack

All declared bounty programs should be escrowed. As it is, they are sucker ploys, in most cases.

@antondollmaier Molly hadn't posted this here because of scolds.
@adamshostack which is sad and shouldn't be happening to her or to others.
@adamshostack Lesson learned? Next time, publish Zero Day!