Billionaire Elon Musk has made numerous decisions since buying Twitter that highlight his lack of experience running a social network. He fired staff members that the company needed to rehire to keep the lights on, replaced verification with paid accounts, and changed the company name to "X." That last call has now led to another unforced error. In recent days, the service has started changing Twitter URLs into X URLs, which is a fraudster's dream.
You can almost sense the disbelief as X users realized how aggressively the site was changing URLs. This is more than simply masking a URL with a shortener service, which has been happening on Twitter and other sites for years. Musk and Co. decided to make Twitter URLs look like X URLs, but they can't actually change those URLs. Browsers usually follow redirects, but there are plenty of tools that do not. Hence, you still have to go to "Twitter.com" to access "X."
As revealed in live testing, the service simply replaced any instances of "twitter.com" with "x.com." It didn't matter where in a URL that text appeared, which allowed for what are essentially URL spoofing attacks. As demonstrated by multiple X users, you could post a URL like "Netflitwitter.com," and the platform would display it as "Netflix.com." Click on it, and you will end up at Netflitwitter.com. Luckily, that domain has been purchased by someone to prevent its misuse in this way. According to Bleeping Computer, at least 60 domain names ending in "-twitter.com" have been registered in recent days. Most of them are defensive, like Netflitwitter.com.
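To show why the behaviour described above is a spoofing problem, here is an added example (not X's own code, whose internals are not public) that contrasts a blind substring replacement, which the article says is what the site was doing, with a rewrite that parses the URL and only touches the hostname when it really is twitter.com or a subdomain of it. The domain names used as inputs are the ones mentioned in the article plus a constructed example.com path; the function names and the lookalike check are assumptions for illustration.

```javascript
// Naive rewrite: replace every occurrence of "twitter.com" in the link text.
// This is the behaviour the article describes, and it is what turns
// "netflitwitter.com" into "netflix.com" and "spacetwitter.com" into "spacex.com".
function naiveDisplayUrl(raw) {
  return raw.replace(/twitter\.com/gi, "x.com");
}

// Hostname-aware rewrite: parse the URL, then rewrite only when the host is
// exactly twitter.com or ends with ".twitter.com" (a genuine subdomain).
// Anything else, including lookalike hosts and "twitter.com" in a path or
// query string, is returned unchanged.
function safeDisplayUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return raw; // not a parseable absolute URL: leave the text untouched
  }
  const host = u.hostname.toLowerCase();
  const suffix = "twitter.com";
  if (host === suffix) {
    u.hostname = "x.com";
  } else if (host.endsWith("." + suffix)) {
    // keep the subdomain labels, swap only the registrable part
    u.hostname = host.slice(0, host.length - suffix.length) + "x.com";
  }
  return u.href;
}

// Defensive check: flag hostnames whose last label merely *ends* in "twitter",
// i.e. the lookalikes the naive rewrite would disguise. Useful for spotting
// such domains in link-scanning or registration-monitoring pipelines.
function isTwitterLookalike(raw) {
  let host;
  try {
    host = new URL(raw).hostname.toLowerCase();
  } catch {
    return false;
  }
  if (host === "twitter.com" || host.endsWith(".twitter.com")) return false;
  return host.endsWith("twitter.com");
}

// Returns true when the naive display text points the reader at a different
// host than the link actually resolves to: the spoofing condition itself.
function displayMismatch(raw) {
  try {
    const shown = new URL(naiveDisplayUrl(raw)).hostname;
    const actual = new URL(raw).hostname;
    return shown !== actual && !(actual.endsWith("twitter.com") && !isTwitterLookalike(raw));
  } catch {
    return false;
  }
}

// Constructed sample links for a quick demonstration when run directly.
const samples = [
  "https://twitter.com/user/status/1",
  "https://mobile.twitter.com/home",
  "https://netflitwitter.com/login",
  "https://spacetwitter.com/",
  "https://example.com/redirect?to=twitter.com",
];
for (const s of samples) {
  console.log(
    `${s}\n  naive: ${naiveDisplayUrl(s)}\n  safe:  ${safeDisplayUrl(s)}` +
    `\n  lookalike: ${isTwitterLookalike(s)}  mismatch: ${displayMismatch(s)}`
  );
}
```

The difference between the two rewrites is the unit of comparison: the naive version operates on characters anywhere in the string, while the safe version operates on a parsed hostname and only on the exact domain or its subdomains, which is the check a link-display feature needs before changing what users see.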
The ability to make a malicious URL look legitimate is the first step in many malware and phishing attacks. By making it so easy to get fake URLs into people's feeds, X inadvertently gave a gift to scammers. It is only thanks to the efforts of X users demonstrating the security issues that the company realized its mistake. This is something that really should have been caught, given that the site's owner also runs a highly valuable aerospace firm called SpaceX. And yes, someone who is not Elon Musk owns "spacetwitter.com."
Despite the very clear security risk presented by this change, it took X about 72 hours to tinker with (and eventually mothball) the feature while we all watched. At first, it just banned the Netflitwitter domain that was being reposted as the main example, but then it tried to limit the URL transformation to links that were actually on the Twitter domain. Currently, the site appears to have disabled the URL rewriting entirely. So, you can chalk this one up as yet another Musk-Twitter blunder.