A pretty clever phishing email: I got a message warning me that my Twitter account was about to be suspended for suspicious activity, inviting me to click a button to prevent this. The URL the button went to *was* an x.com link, but it used a security vulnerability in Twitter's backend that allowed redirections to push me to an OAuth server that would prompt me for my Twitter login and 2FA, and then send the attacker a valid token they could use to take over my account:
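The weak link described above is a redirect parameter on a trusted domain that accepts an arbitrary destination. As an added example (not code from the post or from Twitter), here is the kind of allowlist check a login or OAuth flow should apply to a post-login redirect before honouring it; the allowed hosts and the `evil.example` destination are assumed for illustration.

```python
from urllib.parse import urljoin, urlparse

# Hosts a post-login redirect on this (hypothetical) service may land on.
# Exact-match only: "x.com.evil.example" must not pass as a suffix match.
ALLOWED_HOSTS = {"x.com", "twitter.com"}
DEFAULT_LANDING = "https://x.com/home"


def is_safe_redirect(target: str, base: str = "https://x.com/") -> bool:
    """Return True only if `target` resolves to an allowlisted host over https.

    Relative paths ("/settings") are resolved against `base` and accepted;
    anything that would leave the allowlisted hosts is rejected.
    """
    if not target:
        return False
    candidate = target.strip()
    # Scheme-relative ("//evil.example") and backslash forms are common ways to
    # smuggle a foreign host past a naive "starts with /" check; reject them early.
    if candidate.startswith("//") or "\\" in candidate:
        return False
    resolved = urlparse(urljoin(base, candidate))
    # urljoin leaves foreign schemes (javascript:, data:) untouched; only https survives.
    if resolved.scheme != "https":
        return False
    # .hostname strips userinfo, so "https://x.com@evil.example/" yields "evil.example".
    host = (resolved.hostname or "").lower()
    return host in ALLOWED_HOSTS


def redirect_after_login(requested: str) -> str:
    """Honour the requested redirect only when it is safe; otherwise fall back."""
    return requested if is_safe_redirect(requested) else DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed sample redirect parameters: one legitimate, two phishing-style.
    for param in ("/settings/security",
                  "https://evil.example/oauth/authorize?client_id=abc",
                  "https://x.com@evil.example/"):
        print(f"{param!r:60} -> {redirect_after_login(param)}")
```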

@pluralistic

In either Red Team Blues or The Bezzle, I don't remember which, Hench was thinking about security vulnerabilities. He said something like, "It's better if the box (the vulnerability) doesn't exist."

In this case, I'd say the vulnerability is you still having an account on Twitter. Never mind that you hardly post there. The account itself is a risk.

@trabex
If you delete your Xitter account, then anyone can come along and create a new account with the same handle, and start pretending to be you. And we all know Musk won't do anything about it. So that's probably why @pluralistic still has an account there.