Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/eykrehbein/fake-og
https://github.com/eykrehbein/fake-og
Last synced: about 1 month ago
JSON representation
- Host: GitHub
- URL: https://github.com/eykrehbein/fake-og
- Owner: eykrehbein
- Created: 2023-12-02T21:39:54.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2023-12-03T13:11:00.000Z (about 1 year ago)
- Last Synced: 2023-12-03T23:23:32.166Z (about 1 year ago)
- Language: JavaScript
- Homepage: https://fake-og.vercel.app
- Size: 10.7 KB
- Stars: 24
- Watchers: 1
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Phishing is too easy on 𝕏 (unfortunately)
Demo: [https://twitter.com/webeyk/status/1731073202346926367](https://twitter.com/webeyk/status/1731073202346926367)
This example may not be used for actions that violate the law or X's Terms of Service.
## What happens
Twitterbot goes to the posted link and looks at the `Location` response header to get
it's "real" URL (in case of redirects). That's why the posted URL doesn't have to be
to be the same as the URL of the OG image.
## How this enables phishing
Unfortunately, this approach enables potential phishing on X.
As a malicious actor, you could simply use an approach like the example in `/api/index.js` (shown below) to
to pretend to redirect to a URL that you do not actually redirect to.
```js
// Shows the x.ai OG image & URL in the tweet, but actually redirects to ChatGPT
app.get("/", (req, res) => {
if (req.headers["user-agent"].includes("Twitterbot")) {
res.setHeader("Location", "https://x.ai");
return;
}
res.redirect(301, "https://chat.openai.com");
});
```