X vs. scammers: links in posts lead to the wrong place

How a social network sends you to a site that you don't want to go to.

Users of the X social network face an unexpected problem: when they click external links in posts, they do not reach the specified sites but land on completely different resources.

The situation raised concerns after it was discovered that an ad promising to lead to the Forbes website in fact redirects users to a Telegram account associated with questionable cryptocurrency schemes.


Example of redirection to a fraudulent account

The reason for this phenomenon is the way X handles previews of external links. Ideally, the preview should show the top (first) level domain that the link leads to. However, X tries to determine the final URL to which the user will be directed after a series of redirects, and displays that address in the preview. As a result, after clicking the link, the user may not end up where they expected.

The problem is particularly relevant for the X mobile app, where you can't "hover" over a link and see its real address, as you can in a web browser on a computer.

Unlike X, Google Chrome shows the "first" destination when you hover over a link.

Preview URLs in Chrome and X for the same link

As soon as a user gets to a fraudulent site, the server determines whether the request comes from a web browser or from a bot that is used to create a link preview. This is done by checking the HTTP User-Agent header in the incoming request.

  • If the request comes from a web browser, then most likely a person clicked on the link, and the fraudulent site imperceptibly redirects the user to Telegram.
  • When the server suspects that a bot or automated tool is being used to track redirects, the request is redirected to the actual Forbes article.


The URL received from the bot is redirected to the website

Various attackers, from organizers of cryptocurrency scams to malware distributors, use the opportunity for such manipulations to prey on unsuspecting users.
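A defender can test a link for the User-Agent-dependent redirect described above by resolving its redirect chain once as a browser and once as a preview bot, then comparing the final hosts. This is an added example, not part of the original post; the `.example` hosts, the `constructed_fetch` stand-in and the User-Agent strings are assumptions chosen so the check runs offline.

```python
from urllib.parse import urljoin, urlsplit

# User-Agent strings are assumptions chosen for illustration.
PROFILES = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "preview_bot": "Twitterbot/1.0",
}
REDIRECT_CODES = (301, 302, 303, 307, 308)

def resolve(url, user_agent, fetch, max_hops=10):
    """Follow redirects one hop at a time; return every URL visited."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1], user_agent)
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))  # handles relative Location
    return chain

def check_cloaking(url, fetch):
    """Flag a link whose final host depends on the requesting User-Agent."""
    finals = {
        name: urlsplit(resolve(url, ua, fetch)[-1]).hostname
        for name, ua in PROFILES.items()
    }
    return {"final_hosts": finals, "cloaked": len(set(finals.values())) > 1}

def constructed_fetch(url, user_agent):
    """Constructed stand-in for an HTTP request with redirects disabled.

    Returns (status, Location). In live use, replace it with a function that
    sends the request with the given User-Agent and does not auto-follow.
    """
    host = urlsplit(url).hostname
    if host == "short.example":            # shortener shown in the post
        return 302, "https://hop.example/r"
    if host == "hop.example":              # intermediate hop that varies by UA
        if "bot" in user_agent.lower():
            return 302, "https://news.example/article"
        return 302, "https://chat.example/account"
    if host == "plain.example":            # ordinary link, same for everyone
        return 301, "https://news.example/article"
    return 200, None                       # final page, no further redirect

if __name__ == "__main__":
    for link in ("https://short.example/abc", "https://plain.example/x"):
        print(link, check_cloaking(link, constructed_fetch))
```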
 