It’s Not Safe to Click Links on X

I think the kindest thing you can say about X (the social network formerly known as Twitter) in 2024 is that it’s impressive the site is actually still up and running. Sure, spam bots take over popular threads, hate speech is on the rise (X is suing the company tracking it, by the way), and advertising is way down, but despite it all, twitter.com still manages to load.

But the reasons to bother loading the site at all continue to dwindle, and fast, and not just for the reasons above. Because now it seems it isn’t even safe to click links on X anymore.

You don’t know where that X link actually goes

As noted by security researcher Will Dormann, some posts on X purport to lead to a legitimate website but actually redirect somewhere else. In Dormann’s example, an advertisement posted by a verified X user claims to lead to forbes.com. When Dormann clicks the link, however, it takes him instead to a page prompting him to open a Telegram channel that is, he said, “helping individuals earn maximum profit in the crypto market.” In short, the “Forbes” link leads to crypto spam.

Bad actors can accomplish this thanks to a weakness in the way X handles URL previews. As BleepingComputer explains, X checks the final destination of the URL, rather than the initial link itself, before generating the preview card shown on the site. That wouldn’t be a problem if users were actually led to that same final destination every time. Unfortunately, this policy gives bad actors an opportunity to trick people into following links they never would have clicked on otherwise.

All they have to do is set up two different destinations behind the one link in their post. In the case outlined above, clicking the “forbes.com” link actually takes you to joinchannelnow.net. Once there, the server checks whether the request is coming from a typical web browser (that’s you). If so, it redirects you to the spam site, which in this case is a crypto-scam Telegram channel. However, if the server detects that the request is coming from something else, such as X’s link-checking bot, it assumes the request is not being made by a human and returns a legitimate URL instead. So even though the link in the post really points to joinchannelnow.net, X follows it, lands on forbes.com, and puts that URL in the preview on the post. Your experience will be different.
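The redirect check below is an added example for this article, not code from Lifehacker or from the researchers it cites. It shows how a defender (or a preview crawler) could catch exactly this trick: follow the link’s redirect chain twice, once presenting a browser-like User-Agent and once presenting a crawler-like User-Agent, and flag the link if the two chains end at different hosts. The network layer is injected as a callable so the logic runs offline against a constructed redirect table that models the cloaking behaviour described above; the `/promo` path, the `spam.example` destination and the `PREVIEW_BOT_UA` string are all constructed placeholders, and `urllib_fetch` is included only to show how the same check would talk to real servers.

```python
"""Detect User-Agent cloaking behind a redirecting link (added example)."""
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

# fetch(url, user_agent) -> (status_code, Location header or None), without following redirects
Fetcher = Callable[[str, str], Tuple[int, Optional[str]]]

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/122.0"
# Constructed stand-in for a link-preview crawler's User-Agent (assumption, not X's real string).
PREVIEW_BOT_UA = "ExampleLinkPreviewBot/1.0 (+https://crawler.example/bot)"
MAX_HOPS = 10
REDIRECT_CODES = (301, 302, 303, 307, 308)


def resolve_chain(url: str, user_agent: str, fetch: Fetcher) -> List[str]:
    """Follow HTTP redirects from url and return every URL visited, last one being the destination."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1], user_agent)
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)      # Location may be relative
        if nxt in chain:                         # redirect loop: stop instead of spinning
            return chain
        chain.append(nxt)
    return chain                                 # hop limit reached; report what we have


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_cloaked(url: str, fetch: Fetcher) -> Tuple[bool, str, str]:
    """Return (cloaked?, destination seen by a browser, destination seen by a preview bot).

    A link is cloaked when the two User-Agents are sent to different hosts: the
    preview card would show the bot's destination while humans land elsewhere.
    """
    browser_dest = resolve_chain(url, BROWSER_UA, fetch)[-1]
    bot_dest = resolve_chain(url, PREVIEW_BOT_UA, fetch)[-1]
    return host_of(browser_dest) != host_of(bot_dest), browser_dest, bot_dest


def urllib_fetch(url: str, user_agent: str) -> Tuple[int, Optional[str]]:
    """Real fetcher: one request with the given User-Agent, redirects NOT followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib surface 3xx as HTTPError instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed redirect table modelling the cloaking described in the article:
# browsers are bounced to the spam site, anything else is bounced to forbes.com.
_CLOAKED_SITE = {
    ("https://joinchannelnow.net/promo", True): (302, "https://spam.example/telegram-channel"),
    ("https://joinchannelnow.net/promo", False): (302, "https://www.forbes.com/"),
}


def simulated_fetch(url: str, user_agent: str) -> Tuple[int, Optional[str]]:
    """Offline fetcher backed by the constructed table; unknown URLs answer 200 with no redirect."""
    looks_like_browser = user_agent.startswith("Mozilla/")
    return _CLOAKED_SITE.get((url, looks_like_browser), (200, None))


if __name__ == "__main__":
    for link in ("https://joinchannelnow.net/promo", "https://www.forbes.com/"):
        cloaked, seen_by_browser, seen_by_bot = is_cloaked(link, simulated_fetch)
        print(f"{link}\n  browser -> {seen_by_browser}\n  bot     -> {seen_by_bot}\n  cloaked: {cloaked}")
```

To check a real link, pass `urllib_fetch` instead of `simulated_fetch`; a cloaking server that keys on something other than the User-Agent (an IP range, a cookie, a JavaScript-only redirect) will slip past this check, which is why a mismatch is a strong signal but agreement is not proof of safety.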

In short, this is a security nightmare. It means every link you see on X could potentially lead to a site trying to spam you at best, and scam you, install malware on your machine, or otherwise take advantage of you at worst, all because you trusted a social media platform to show the proper preview for a link.

How to stay safe clicking links on X

The best way to stay safe on X is to stop using X. Seriously, how many “final straws” are necessary before we all realize the place isn’t worth visiting anymore? The spicy memes no longer justify the many, many flaws and risks.

Of course, many of us will keep using it anyway (I can’t say I’m not still there), so some actionable steps will help. When using X on a computer, always hover your cursor over the link preview before clicking it. Because you’re in a web browser, the real link destination appears in the browser’s status bar, so you can tell whether the link is legit. If you see something other than the site the post claims to link to, don’t click it.

Unfortunately, it isn’t possible to do this on mobile, so, honestly, it’s probably not worth opening links on X on your phone. I’d like to say you should only open links from accounts you trust, but since anyone who pays for X can now get a verification badge, it’s way too easy to be tricked by an account claiming to have authority it doesn’t. Remember: The account that posted the fake Forbes link was verified, too.

by Lifehacker