by zinekeller 1691 days ago
Judging from the comments, some are really confused about what's happening here.

The real trick is that TwitterBot and you see different pages. For TwitterBot, which always clearly identifies itself (and some other signs like whether it is from Twitter's network infrastructure), the flow is t.co -> attacker.site -> legitimate.site, and so shows in the card (technically called unfurling) the details of the legitimate site, including the coveted legitimate domain name. For you, the attacker.site detects that you're not TwitterBot and does whatever phishing attempt they need to do. Of course, if you do check the domain name in your browser, it won't work... but let's be honest, that's just a fraction of people here, not even including the general public.

Others ask why TwitterBot does redirections, and it seems that everyone here forgot that marketers love their Bit.ly and Sprinklr links so much that Twitter needs to have a concession here (and no, you can't just whitelist them because some companies use their own different shortlinks like t.co, fb.me, g.co, msft.it, redd.it, and youtu.be).

Why not just directly serve the redirection as seen by TwitterBot? Because a) marketers and analytics, and b) services like Branch (app.link) and Adjust do redirect users differently depending on their specific device (like Windows vs macOS vs Linux (or even a specific distro!) vs iOS vs Android).


So could Twitter make two requests, one as TwitterBot and one anonymously, and then add a warning if they don't go to the same place?

The attacker doesn't need to detect whether the TwitterBot is making a request. They can redirect every request to the spoofed site after posting the link, until the preview is generated.

That's what Google does sometimes - but it's sometimes considered rude. Plus, anti-bot software may accidentally thwart Twitter's checking bot.

All true but the really bogus part IMO is that by default it would unfurl to the actual, bad URL but if you remove the &amp=1 param it unfurls to the good domain. Why is that?

I'm not really sure, ask Twitter since the amp=1 thing is just generated in their mobile website and application. This is definitely a guess, but maybe some websites implement AMP by checking the referrer and redirecting to it, and Twitter interprets that as "let's backtrack to the last page, that's the canonical version" and uses that?

Security > marketers.

Whoever made this decision at Twitter should have a think about themselves.

> and no, you can't just whitelist them because some companies uses their own different shortlinks like t.co, fb.me, g.co, msft.it, redd.it, and youtu.be

It won't be terribly hard to build a top 50 list of url shorteners etc that cover the vast majority of the traffic.

I think some URL shorteners allow editing the URL after creating a short link. So you are back to square one.

If it stores the short link and destination URL in a database that can be modified, yes.

> Others ask why Twitter does redirections, and it seems that everyone here forgot that marketers love their Bit.ly and Sprinklr links so much that Twitter needs to have a concession here.

As far as I know, users cannot view the metrics for t.co links, or am I mistaken about that?

You misunderstand. "Why twitter does redirections" is "why does twitter follow Location headers to get unfurl info / metadata", not "why does twitter have t.co", and the reason is because marketers use bit.ly etc, so twitter has to follow those redirects.

Marketers/users cannot view t.co metrics, but even if they could, they'd want to use their own URL shorteners anyway I'm sure... so Twitter has to have the t.co previewer follow arbitrarily many redirects.

> they'd want to use their own URL shorteners anyway I'm sure

Yes, a single dashboard to view their marketing campaign (which Bitly and Sprinklr among others provide) is a very attractive option for marketers, to the point that I actually see shortlinks on companies' own websites. I personally digress, but the simple fact is that these companies provide what the marketers want.