by gitgud 1691 days ago
Not really a logical phishing strategy: if the first domain looks safe and the attacker controls it, why wouldn't they just use that to serve a phishing page, instead of needlessly redirecting?

A better example would be to show "google.com" and somehow redirect to "phishing.com"... but that's not really possible without control of "google.com"


I don't agree with your analysis. There are three domains at play: twitter-unfurl-faker.herokuapp.com, uniswap.org, and harrydenly.com. The first is the real link, the second is what Twitter's link previewer gets redirected to, and the third is where the user gets redirected to.

It seems to me that the author does not need control over the second domain, just the first and third. But the user will never see the first URL, only the second.

As I understand it, the webserver at twitter-unfurl-faker.herokuapp.com just dynamically redirects based on the user-agent.

The attacker doesn't need control over uniswap.org or harrydenly.com to make this work.

They only need control of harrydenly if they want to serve a phishing page. But as I said above this is redundant and they could just use this domain to also serve the redirection. Example below:

* (Twitter bot) phishing.com -> redirects -> fishtanks.com

Twitter bot makes shortened link t.co/aaa (but the preview shows fishtanks.com)

* (User) t.co/aaa -> phishing.com

>but that's not really possible without control of "google.com"

An open redirect bug in the phished site should allow this scenario:

A) Set up the offending link, redirecting to the phishing.com site.

B) When receiving the Twitter bot, redirect back to a safe page on the original site for the summary. I understand Twitter shows either the original URL or the final URL, but doesn't care about phishing.com in the middle.

C) Don't redirect back for non-Twitter traffic, so they end up on phishing.com.

A complex scenario, but perhaps enough to show that redirect bugs also matter.
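The user-agent-keyed redirector described a few comments up (the herokuapp host that "dynamically redirects based on the user-agent") and the open-redirect variant in steps A-C above, as an added example in Python. This is not code from the thread, from the unfurl-faker demo, or from Twitter: each simulated host answers a Twitterbot User-Agent and a browser differently, and resolve() follows the redirect chain the way each client would, so you can see which URL the preview card ends on versus where a person lands. phishing.example and legit.example are constructed placeholder hostnames; the only names taken from the thread are twitter-unfurl-faker.herokuapp.com and uniswap.org. The UA markers other than "Twitterbot" are an assumption about other previewers, and the "fixed" host is an added mitigation showing that restricting the redirect to same-site paths breaks the chain.

```python
# Added example (not code from the thread or the unfurl-faker demo it discusses).
# phishing.example and legit.example are constructed placeholder hosts.
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# "Twitterbot" is the token Twitter's card crawler sends; the other two markers
# are an assumption about how a redirector would also target other previewers.
PREVIEWER_UA_MARKERS = ("twitterbot", "facebookexternalhit", "slackbot")
HUMAN_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
BOT_UA = "Twitterbot/1.0"


def is_link_previewer(user_agent: Optional[str]) -> bool:
    ua = (user_agent or "").lower()
    return any(marker in ua for marker in PREVIEWER_UA_MARKERS)


# Each simulated host is a function (path, query, user_agent) -> (status, location_or_body).

def make_unfurl_faker(safe_url: str, phish_url: str):
    """Attacker's first hop (the demo's herokuapp host): previewers are sent to
    a real site so the card looks legitimate, everyone else to the phish."""
    def handler(path, query, ua):
        return (302, safe_url) if is_link_previewer(ua) else (302, phish_url)
    return handler


def make_open_redirect_host():
    """Legitimate site with an open redirect: /redirect?url=... is followed
    without checking the target; any other path is an ordinary page."""
    def handler(path, query, ua):
        if path == "/redirect" and "url" in query:
            return (302, query["url"][0])
        return (200, f"legit page {path}")
    return handler


def make_fixed_redirect_host(origin: str):
    """Same site, redirect limited to same-site relative paths (added
    mitigation, not from the thread); off-site targets are refused."""
    def handler(path, query, ua):
        if path == "/redirect" and "url" in query:
            t = query["url"][0]
            p = urlparse(t)
            if not p.scheme and not p.netloc and t.startswith("/") and not t.startswith("//"):
                return (302, origin + t)
            return (400, "refusing off-site redirect")
        return (200, f"legit page {path}")
    return handler


def make_phish_host(bounce_back_to: Optional[str]):
    """Attacker host. In the open-redirect scenario (steps A-C) previewers are
    bounced back to a safe page on the original site; humans get the phish."""
    def handler(path, query, ua):
        if bounce_back_to and is_link_previewer(ua):
            return (302, bounce_back_to)
        return (200, "phishing page")
    return handler


def resolve(url: str, user_agent: str, hosts: Dict, max_hops: int = 5) -> Tuple[int, str]:
    """Follow 3xx Location headers as a client with this User-Agent would and
    return (status, url) of the first non-redirect response."""
    for _ in range(max_hops):
        parts = urlparse(url)
        status, target = hosts[parts.netloc](parts.path or "/", parse_qs(parts.query), user_agent)
        if not 300 <= status < 400:
            return status, url
        url = target
    raise RuntimeError("too many redirects")


def scenario_direct(user_agent: str) -> Tuple[int, str]:
    """Scenario 1: attacker controls the first hop, as in the demo."""
    hosts = {
        "twitter-unfurl-faker.herokuapp.com": make_unfurl_faker(
            safe_url="https://uniswap.org/", phish_url="https://phishing.example/"),
        "uniswap.org": lambda path, query, ua: (200, "real uniswap page"),
        "phishing.example": make_phish_host(bounce_back_to=None),
    }
    return resolve("https://twitter-unfurl-faker.herokuapp.com/", user_agent, hosts)


START = "https://legit.example/redirect?url=https://phishing.example/"


def scenario_open_redirect(user_agent: str) -> Tuple[int, str]:
    """Scenario 2: the phished site has an open redirect; bots are bounced back."""
    hosts = {"legit.example": make_open_redirect_host(),
             "phishing.example": make_phish_host(bounce_back_to="https://legit.example/safe")}
    return resolve(START, user_agent, hosts)


def scenario_fixed(user_agent: str) -> Tuple[int, str]:
    """Scenario 3: the same link against the fixed site never leaves legit.example."""
    return resolve(START, user_agent, {"legit.example": make_fixed_redirect_host("https://legit.example")})


if __name__ == "__main__":
    for name, fn in [("direct", scenario_direct), ("open redirect", scenario_open_redirect),
                     ("fixed", scenario_fixed)]:
        print(f"{name:14} bot -> {fn(BOT_UA)[1]}   human -> {fn(HUMAN_UA)[1]}")
```

In scenario 2 the previewer's chain ends on https://legit.example/safe while a browser's ends on https://phishing.example/, which is exactly the mismatch steps A-C rely on; the attacker never needed control of legit.example, only a redirect it would follow blindly. With the target check in place the legit site answers 400 to both clients and the chain never reaches the attacker's host.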

Recent memory tells me Google has an issue and had another issue. You can have a Google.com page like google.com/awesomesite/

And earlier there was a Google redirector that was forgotten about and was being used to redirect to phishing sites.