by voussoir 1691 days ago
I don't agree with your analysis. There are three domains at play: twitter-unfurl-faker.herokuapp.com, uniswap.org, and harrydenly.com. The first is the real link, the second is what Twitter's link previewer gets redirected to, and the third is where the user gets redirected to.

It seems to me that the author does not need control over the second domain, just the first and third. But the user will never see the first URL, only the second.

1 comment

As I understand it, the webserver at twitter-unfurl-faker.herokuapp.com just dynamically redirects based on the user-agent.

The attacker doesn't need control over uniswap.org or harrydenly.com to make this work.

They only need control of harrydenly.com if they want to serve a phishing page. But, as I said above, this is redundant and they could just use this domain to also serve the redirection. Example below:

* (Twitter bot) phishing.com -> redirects -> fishtanks.com

Twitter bot makes shortened link t.co/aaa (but the preview shows fishtanks.com)

* (User) t.co/aaa -> phishing.com
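The User-Agent-based redirect described in the reply above, as an added example that is not the twitter-unfurl-faker app's own code: a minimal redirector that sends link-preview crawlers to one URL and everyone else to another, plus the check a link shortener or a defender would run against such a link (fetch it once as a crawler and once as a browser, without following the redirect, and compare the two Location headers). The domains fishtanks.example and phishing.example, the loopback server, the crawler marker list and the two User-Agent strings are assumptions standing in for fishtanks.com and phishing.com in the comment.

```python
"""Added example, not the twitter-unfurl-faker app's own code.

First half: a minimal redirector that sends link-preview crawlers (identified
by User-Agent) to one URL and everyone else to another, which is all the
cloaking trick needs. Second half: the check a defender or a link shortener
would run: fetch once as a crawler and once as a browser without following
the redirect, and compare the Location headers.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder targets (assumed; stand-ins for fishtanks.com / phishing.com above).
PREVIEW_TARGET = "https://fishtanks.example/"       # what the crawler, and so the card, sees
USER_TARGET = "https://phishing.example/login"      # where a human clicking the link lands

# User-Agent substrings of common preview crawlers (assumed list, not exhaustive).
CRAWLER_MARKERS = ("Twitterbot", "facebookexternalhit", "Slackbot", "Discordbot")

# Assumed User-Agent strings for the two vantage points of the check.
CRAWLER_UA = "Twitterbot/1.0"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"


def choose_target(user_agent: str) -> str:
    """Pick the redirect target from the User-Agent alone."""
    ua = user_agent or ""
    return PREVIEW_TARGET if any(marker in ua for marker in CRAWLER_MARKERS) else USER_TARGET


class CloakingRedirect(BaseHTTPRequestHandler):
    """Answer every GET with a 302 whose Location depends on the User-Agent."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", choose_target(self.headers.get("User-Agent", "")))
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_in_background(port: int = 0) -> HTTPServer:
    """Start the redirector on 127.0.0.1 (port 0 = pick a free one) in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", port), CloakingRedirect)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def resolve(host: str, port: int, path: str, user_agent: str):
    """One GET with the given User-Agent; return (status, Location) without following it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def preview_mismatch(host: str, port: int, path: str = "/"):
    """Resolve the link as a crawler and as a browser; a mismatch means a cloaked preview.

    Returns (crawler_target, user_target, mismatch).
    """
    _, crawler_target = resolve(host, port, path, CRAWLER_UA)
    _, user_target = resolve(host, port, path, BROWSER_UA)
    return crawler_target, user_target, crawler_target != user_target


if __name__ == "__main__":
    srv = serve_in_background()
    host, port = srv.server_address
    crawler_target, user_target, mismatch = preview_mismatch(host, port)
    print(f"crawler is sent to : {crawler_target}")
    print(f"browser is sent to : {user_target}")
    print("cloaked preview detected" if mismatch else "targets agree")
    srv.shutdown()
```

The check only covers what the reply describes (a redirect keyed on User-Agent). A server can key on other signals as well, such as the client's source address, so two fetches from the same machine agreeing does not prove the link is clean; a disagreement, however, is conclusive on its own.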