Computer Science. Punk/Hip-Hop/Jazz. Let's discuss how to improve the internet

Report back from Twitter filter fuzzing.

What Twitter is blocking

  • Twitter is filtering links to known Mastodon instances, but still allows direct links to joinmastodon.org. The filtering seems to happen whenever Twitter's WYSIWYG editor recognizes a valid domain name and that domain happens to be a known Mastodon instance.
  • Twitter also allows linking to shortened URLs of mastodon profiles, but only once. Posting the shortened URL a second time doesn't work, implying there's some backend queue service that's checking the Location header of links and flagging the ones redirecting to Mastodon instances.

How to evade the filters

  • Email address spam evasion techniques work. Replacing '.' with ' . ' or [.] or [dot] all work.
  • URI encoding the hostname. Replace at least one of the characters in the hostname with its URI encoded version (ex: . -> %2E, https://infosec.exchange -> https://infosec%2Eexchange). Browsers are smart enough to URI decode anything you copy/paste into the address bar.
  • data: URIs. Twitter does not seem to check base64 encoded data: URIs. It is possible to create a data:text/html;base64,... base64 encoded HTML URI which can be copied into the address bar and will render as HTML. While Twitter will not render data: URIs (for obvious reasons), you can still copy/paste them (at your own risk, of course).
  • Base64. This seems silly, but we could communicate freely on Twitter by simply Base64 encoding our tweets. This could be accomplished via some Chrome extension.

Twitter's anti-Mastodon filtering is clown shoes amateur hour. 🤡

Edit: As many have pointed out, adding a Mastodon link to the alt-text of your background image presumably still works, encoding the link as a QR code works, and setting your Location or Display Name to your Mastodon handle works. I only tested links to Mastodon instances in tweets.
Edit 2: Someone set up a link shortening service that explicitly blocks Twitter from checking the links, which seems to be working: https://spacekaren.sucks/
Edit 3: Twitter has now formalized its Mastodon censorship policy: https://help.twitter.com/en/rules-and-policies/social-platforms-policy
Edit 4: now that I'm trending on HN, I should link to this other researcher on YouTube who did a much more in-depth analysis of Twitter's JavaScript and API requests: https://www.youtube.com/watch?v=oHg5SJYRHA0&t=1s

#twitter #birbsite #censorship #filtering #evasion #elmo #muskrat

Space Karen Sucks

Free speech really should be free. To bypass the new censorship regime at twitter, use this URL shortener to link to Mastodon or other censored destinations. Considering recent policy decisions on twitter, please be aware that use of links generated from this site may constitute a violation of their policy.
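The post above describes a filter that string-matches known hostnames and four encodings that slip past it. The following is an added example, not Twitter's code or the author's: it models a naive substring blocklist beside a version that normalises the text (base64 runs, percent-encoding, spaced and bracketed dots) before matching, and runs each evasion through both. The blocklist, both filter functions and the `evasion_report` helper are constructed here for illustration; the instance names are only the ones mentioned in the post.

```python
"""Model of a hostname-blocklist filter and the encodings that slip past it.

Added example, not Twitter's code: KNOWN_INSTANCES, naive_is_blocked and
hardened_is_blocked are constructed here to illustrate the evasions in the post.
"""
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed blocklist (assumption: these stand in for "known Mastodon instances").
KNOWN_INSTANCES = {"infosec.exchange", "mastodon.social"}

HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")   # hostname-looking tokens
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")                # base64 runs of 16+ chars
DOT_RE = re.compile(r"(?i)\s*(?:\[\.\]|\[dot\]|\(dot\))\s*|\s+\.\s+")  # spam-style dots


def naive_is_blocked(text: str) -> bool:
    """Literal substring match on the hostname, as the post suggests the editor does."""
    return any(host in text.lower() for host in KNOWN_INSTANCES)


# --- the evasions from the post ---------------------------------------------

def dot_obfuscate(host: str, sep: str = "[.]") -> str:
    """'.' -> ' . ', '[.]' or '[dot]' (email-address spam evasion style)."""
    return host.replace(".", sep)


def percent_encode_dots(url: str) -> str:
    """'.' -> '%2E' inside the hostname only; browsers decode this in the address bar."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme}://{host.replace('.', '%2E')}{slash}{path}"


def html_data_uri(url: str) -> str:
    """Wrap the link in a base64-encoded data:text/html URI."""
    html = f'<a href="{url}">{url}</a>'
    return "data:text/html;base64," + base64.b64encode(html.encode()).decode()


def base64_tweet(text: str) -> str:
    """Base64-encode the whole message."""
    return base64.b64encode(text.encode()).decode()


# --- a filter that normalises before matching -------------------------------

def extract_hostnames(text: str) -> set:
    """Undo the obfuscations above, then collect every hostname-looking token."""
    expanded = text
    # 1. Decode any base64 run (covers data: URI payloads and whole-tweet encoding).
    for m in B64_RE.finditer(text):
        try:
            expanded += " " + base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text: ignore the run
    # 2. Reverse percent-encoding (%2E -> '.').
    expanded = unquote(expanded)
    # 3. Collapse ' . ', '[.]', '[dot]', '(dot)' back into '.'.
    expanded = DOT_RE.sub(".", expanded)
    return {m.group(1).lower() for m in HOST_RE.finditer(expanded)}


def hardened_is_blocked(text: str) -> bool:
    return bool(extract_hostnames(text) & KNOWN_INSTANCES)


def evasion_report(url: str = "https://infosec.exchange/@someone") -> dict:
    """For each evasion of `url`: (blocked by naive filter, blocked by hardened filter)."""
    host = url.split("://", 1)[1].split("/", 1)[0]
    variants = {
        "plain": url,
        "spaced dots": dot_obfuscate(host, " . "),
        "[dot]": dot_obfuscate(host, "[dot]"),
        "percent-encoded": percent_encode_dots(url),
        "data: URI": html_data_uri(url),
        "base64 tweet": base64_tweet("find me at " + url),
    }
    return {name: (naive_is_blocked(v), hardened_is_blocked(v)) for name, v in variants.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in evasion_report().items():
        print(f"{name:16} naive={naive!s:5} hardened={hardened}")
```

Every encoded variant passes the naive filter and is caught once the text is canonicalised first, which is the general lesson: match on a normalised representation, not on raw bytes. The one observation in the post this offline example cannot reproduce is the redirect check on shortened URLs, which needs a network fetch of the `Location` header.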

On the subject of #github: Is #gitlab the only recognisable alternative for hosting my code? GitHub serves as a CV for me, especially right now that I'm looking for a new job. Even HR recognizes GitHub. The thing is, all these services don't seem trustworthy, and I want my code somewhere safe and reliable.

Protip:

When designing a user interface, imagine some old woman using it, say Margaret Hamilton, and she's clicking your app's buttons and saying to you, as old people do,

"Young whippersnapper, when I was your age, I sent 24 people to the ACTUAL MOON with my software in 4K of RAM and here I am clicking your button and it takes ten seconds to load a 50 megabyte video ad and then it crashes

I'm not even ANGRY with you, I'm just disappointed."

Got my first grades since #gdpr, and instead of a list with names and grades sent by mail, I get my grade and statistics metrics on the faculty website.

Double win: no more PDFs sent to random email servers, and anonymous grades.

@[email protected] not letting anything run javascript by default shortcuts this to:

1. click link
2. nothing fucking works ever, ctrl-w

I strongly suggest checking out Princess Nokia. Her debut album from last year, 1992, is fantastic.

In 2018, it's a shame female rappers like her are not more recognised. I'm kinda tired of rap being 98% male.

Favourite song: ABCs of New York, but since it's not on YouTube, I'm gonna share Brujas (https://m.youtube.com/watch?v=iUcAPCxrSQs)

TIL Chrome is scanning your files, including private folders, in the background as an anti-malware measure

https://twitter.com/swagitda_/status/979477998142476289

There’s currently no “off” switch, but apparently the devs assure us that scans are local and not “cloud” based. This still has consent and privacy implications.

https://mastodon.social/media/06tQAyjUs5p0q8myO3s

Kelly Shortridge on Twitter

“I was wondering why my Canarytoken (a file folder) was triggering & discovered the culprit was chrome.exe. Turns out @googlechrome quietly began performing AV scans on Windows devices last fall. Wtf m8? This isn’t a system dir, either, it’s in \Documents\”


FYI: Python 2.7 will not be maintained past 2020.

https://www.python.org/dev/peps/pep-0373/

Because of that, I'm going to start a war in the informatics department at my faculty. I'll stop when there are no classes teaching Python 2.7.

Wish me luck

PEP 373 -- Python 2.7 Release Schedule

The official home of the Python Programming Language

So I have a question:

Is it worth it to buy a U2F device?

I already use OTP on every account that allows it, which seems to provide a good security layer (even compared with SMS-based 2FA).

It's also worth mentioning that I tend to lose stuff very often.