Computer Science. Punk/Hip-Hop/Jazz. Let's discuss how to improve the internet

Report back from Twitter filter fuzzing.

What Twitter is blocking

  • Twitter is filtering links to known Mastodon instances, but still allows direct links to joinmastodon.org. The filtering seems to happen whenever Twitter's WYSIWYG editor recognizes a valid domain name and that domain happens to be a known Mastodon instance.
  • Twitter also allows linking to shortened URLs of mastodon profiles, but only once. Posting the shortened URL a second time doesn't work, implying there's some backend queue service that's checking the Location header of links and flagging the ones redirecting to Mastodon instances.

How to evade the filters

  • Email address spam evasion techniques work. Replacing '.' with ' . ' or [.] or [dot] all work.
  • URI encoding the hostname. Replace at least one of the characters in the hostname with its URI-encoded version (e.g. . -> %2E, https://infosec.exchange -> https://infosec%2Eexchange). Browsers are smart enough to URI decode anything you copy/paste into the address bar.
  • data: URIs. Twitter does not seem to check base64 encoded data: URIs. It is possible to create a data:text/html;base64,... base64 encoded HTML URI which can be copied into the address bar and will render as HTML. While Twitter will not render data: URIs (for obvious reasons), you can still copy/paste them (at your own risk, of course).
  • Base64. This seems silly, but we could communicate freely on Twitter by simply Base64 encoding our tweets. This could be accomplished via some Chrome extension.

Twitter's anti-Mastodon filtering is clown shoes amateur hour. 🤡

Edit: as many have pointed out, adding a Mastodon link to the alt-text of your background image presumably still works, encoding the link as a QR code works, and setting your Location or Display Name to your Mastodon handle works. I only tested links to Mastodon instances in tweets.
Edit 2: someone set up a link shortening service that explicitly blocks Twitter from checking the links, which seems to be working: https://spacekaren.sucks/
Edit 3: Twitter has now formalized its Mastodon censorship policy: https://help.twitter.com/en/rules-and-policies/social-platforms-policy
Edit 4: now that I'm trending on HN, I should link to this other researcher on YouTube who did a much more in-depth analysis of Twitter's JavaScript and API requests: https://www.youtube.com/watch?v=oHg5SJYRHA0&t=1s

#twitter #birbsite #censorship #filtering #evasion #elmo #muskrat
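Every evasion listed in the post above survives only because the filter matches the literal tweet text. The block below is an added example (my code, not Twitter's, and not from the original post) of the canonicalization a filter would need on the detection side: it collapses the email-spam style defanging, percent-decodes the hostname (including double encoding), and decodes base64 payloads, whether a data:text/html;base64 URI or a wholesale base64-encoded tweet, before checking hostnames against a list of known instances. The instance list, the sample tweets and all helper names are assumptions made for the example; the Location-header check on shortened URLs that the post describes is not modelled because it needs network access.

```python
import base64
import re
from urllib.parse import unquote

# Constructed stand-in for Twitter's list of known Mastodon instances.
# Assumption: the real blocklist is not public; these entries are examples only.
KNOWN_INSTANCES = {"infosec.exchange", "mastodon.social", "fosstodon.org"}

# Email-spam style defanging described in the post: "infosec . exchange",
# "infosec[.]exchange", "infosec[dot]exchange" all collapse to a real dot.
DEFANG_RE = re.compile(
    r"\s*(?:\[\s*(?:\.|dot)\s*\]|\(\s*(?:\.|dot)\s*\)|\s+(?:\.|dot)\s+)\s*",
    re.IGNORECASE,
)

# A hostname: two or more DNS labels separated by dots, not glued to other word chars.
HOST_RE = re.compile(r"(?<![\w.])([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)

# base64 HTML data: URI, and any standalone base64 blob (a wholesale encoded tweet).
DATA_URI_RE = re.compile(r"data:text/html;base64,([A-Za-z0-9+/=]+)")
B64_BLOB_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{16,}={0,2})(?![A-Za-z0-9+/=])")


def percent_decode_all(s, rounds=3):
    """Undo percent-encoding repeatedly so a double-encoded dot (%252E) also resolves."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def normalize(text):
    """Collapse defanged separators and percent-encoding into plain text."""
    return percent_decode_all(DEFANG_RE.sub(".", text))


def try_b64(blob):
    """Decode a base64 blob to UTF-8 text, or None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def find_flagged_hosts(text, depth=0):
    """Return every KNOWN_INSTANCES host referenced in `text`, including hosts hidden
    behind defanging, percent-encoding, data: URIs or a base64-encoded tweet body."""
    if depth > 3:  # bound recursion on nested encodings
        return set()
    hosts = {h.lower().strip(".") for h in HOST_RE.findall(normalize(text))}
    flagged = hosts & KNOWN_INSTANCES
    # Recurse into base64 payloads found in the raw (un-normalized) text.
    for blob in set(DATA_URI_RE.findall(text)) | set(B64_BLOB_RE.findall(text)):
        inner = try_b64(blob)
        if inner:
            flagged |= find_flagged_hosts(inner, depth + 1)
    return flagged


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample tweets, one per evasion technique from the post (assumed data).
SAMPLE_TWEETS = {
    "plain": "follow me at https://infosec.exchange/@me",
    "defanged": "new home: infosec [dot] exchange (also infosec[.]exchange)",
    "percent": "https://infosec%2Eexchange/@me",
    "data_uri": "data:text/html;base64," + _b64('<a href="https://infosec.exchange/@me">me</a>'),
    "b64_tweet": _b64("see you all on mastodon.social from now on"),
    "allowed": "start here: https://joinmastodon.org",
}

if __name__ == "__main__":
    for name, tweet in SAMPLE_TWEETS.items():
        print(f"{name:10s} -> {sorted(find_flagged_hosts(tweet))}")
```

The caveat a filter engineer would raise: the defanging regex treats any " . " or " dot " between words as a separator, so it will occasionally glue ordinary prose into a fake hostname; matching the result against an explicit instance list (rather than blocking anything that looks like a domain) keeps that from producing false blocks. Whole-tweet base64 is caught only when the blob decodes to valid UTF-8, which is exactly why the post's Base64 trick works against a filter that never tries to decode.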


@paul and to finish, this kid made a mixtape with some of the Madvillainy beats and it's amazing. https://www.youtube.com/watch?v=5qKBs7QO_K8
@paul also, everyone knows Ghostface Killah, but not everyone has heard the BADBADNOTGOOD collab, Sour Soul. Highly recommend.
@paul MED and Blu, maybe? I assume you know Quasimoto and so on. It's a bit off that sound, but Open Mike Eagle is amazing; you should check him out.
On the subject of #github: is #gitlab the only recognisable alternative to host my code? GitHub serves as a CV for me, especially right now that I'm looking for a new job. Even HR recognizes GitHub. The thing is, all these services don't seem trustworthy, and I want my code somewhere safe and reliable.

@tinker personally, I would love to see that.

I think making the first one public would suffice. I assume you need a lot of toots to share a pentest, and if you CW the first one with #pentest or something, it should be easy enough to identify when scrolling the timeline.

@jeff I had a couple of friends who tried a different approach: look for errors in websites, such as design problems (for web devs) or vulnerabilities in their services, then suggest a good way to fix it and email them.
@jeff OK so, try to get the emails of the people who work in HR and email them directly. If you went/go to college, they usually publish offers on some mailing list or whatever. Also, job shops are really good places to pitch yourself to a company.
@jeff I have no experience with that, so I can't tell you. Are you in IT? Because where I live, we are hunted, not the other way around. Are you sure you need to get through automated HR? Perhaps you need to send CVs to different kinds of companies.