Peter Tripp

@notpeter

Followers
327
Following
846
Media
280
Statuses
1K

Open source engineering @zeddotdev

Joined March 2007
@notpeter
Peter Tripp
2 years
Costco code of ethics: 1. Obey the law. 2. Take care of our members. 3. Take care of our employees. 4. Respect our suppliers. Ponder for a moment why the companies Musk, Bezos, Ellison and Zuck run share none of these values.
Tweet card summary image
podcasts.apple.com
Podcast Episode · Acquired · 08/21/2023 · 3h
1
0
3
@notpeter
Peter Tripp
4 days
Dude where’s my Chartio.
0
0
0
@notpeter
Peter Tripp
2 months
P.P.S. They hide links from tweets too 🫠. That tweet contains a link to ' not and hovering shows '/ AzNOkFoo4F' with no hint of the original link whatsoever. Sigh 🙃.
Tweet media one
@notpeter
Peter Tripp
2 months
Also, redirects can change. This is my favorite editor:
0
0
0
@notpeter
Peter Tripp
2 months
P.S. Despite reporting this 10 days ago, the domain in question is still operating (behind Cloudflare) and their X Developer account is still actively phishing user accounts. @XSecurity DM me if you want more details. Be safe out there!
1
0
0
@notpeter
Peter Tripp
2 months
So what's the solution (for the OAuth flow)? 1. Approve all app name changes (new accounts and renames). 2. Don't allow using non-validated domains in link/description. 3. Include a warning and a "report" link on those pages like Google does for Google Forms:
Tweet media one
1
0
0
@notpeter
Peter Tripp
2 months
Because of two bad security choices (hiding links and allowing X Developers to impersonate Google) users are two clicks away from takeover of their accounts. Lame sauce!
1
0
0
@notpeter
Peter Tripp
2 months
(Note: Twitter silently removed the www prefix inside the double quotes, so you see "calendar . google . com" in the previous message instead of the "www . calendar . google . com" I actually typed.)
Tweet media one
1
0
0
@notpeter
Peter Tripp
2 months
At first glance this looks like it's a Google Calendar something something, but in reality it's actually a prompt to grant complete access to your Twitter account to a malicious app named "Google Calendar" with the link " (bad link).
1
0
0
@notpeter
Peter Tripp
2 months
So what, you click a malicious link and then what? Well, clicking that link leads you here:
Tweet media one
1
0
0
@notpeter
Peter Tripp
2 months
See for yourself: run curl -Is (grep for location)
Tweet media one
1
0
0
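The curl -Is check above, redone over captured headers as an added example (not the author's code): it walks the redirect chain the way a defender would audit a cached preview card, then flags a card whose domain no longer matches the final destination. Hosts, paths and headers are constructed placeholders, not the real campaign's domains.

```python
"""Follow a short-link redirect chain from captured response headers and
compare the final host with the domain shown on a link-preview card."""
import re
from typing import Callable, List, Optional
from urllib.parse import urljoin, urlparse

# Constructed sample headers keyed by URL (what `curl -Is <url>` would print),
# standing in for live HEAD requests. All hosts here are made-up placeholders.
SAMPLE_HEADERS = {
    "https://short.example/AbCdEf":
        "HTTP/2 301\r\nlocation: https://calendar.example.com/meet\r\n\r\n",
    "https://calendar.example.com/meet":
        "HTTP/2 302\r\nLocation: /r?to=calendar-schedule.example\r\n\r\n",
    "https://calendar.example.com/r?to=calendar-schedule.example":
        "HTTP/2 302\r\nlocation: https://calendar-schedule.example/login\r\n\r\n",
    "https://calendar-schedule.example/login":
        "HTTP/2 200\r\ncontent-type: text/html\r\n\r\n",
}

def location_header(raw_headers: str) -> Optional[str]:
    """Return the Location header value (case-insensitive name) or None."""
    match = re.search(r"^location:\s*(\S+)", raw_headers, re.IGNORECASE | re.MULTILINE)
    return match.group(1) if match else None

def follow_chain(start: str, fetch: Callable[[str], str], max_hops: int = 10) -> List[str]:
    """Resolve redirects hop by hop; relative Locations are joined to the hop's URL.
    Raises RuntimeError on loops or chains longer than max_hops."""
    chain, url = [start], start
    for _ in range(max_hops):
        loc = location_header(fetch(url))
        if loc is None:          # final response: no further redirect
            return chain
        url = urljoin(url, loc)  # handles both absolute and relative Location
        if url in chain:
            raise RuntimeError("redirect loop at " + url)
        chain.append(url)
    raise RuntimeError("more than %d redirects" % max_hops)

def final_host(chain: List[str]) -> str:
    return urlparse(chain[-1]).hostname or ""

def card_is_stale(card_domain: str, chain: List[str]) -> bool:
    """True when the preview card's domain is neither the final host nor its parent."""
    host = final_host(chain)
    return not (host == card_domain or host.endswith("." + card_domain))

if __name__ == "__main__":
    hops = follow_chain("https://short.example/AbCdEf", lambda u: SAMPLE_HEADERS.get(u, ""))
    print(" -> ".join(hops))
    print("card stale:", card_is_stale("calendar.example.com", hops))
```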
@notpeter
Peter Tripp
2 months
This is a recipe for disaster: 1. The card and destination domain get cached. 2. Twitter never (or rarely) refreshes that. 3. The real link is hidden from the user. 4. If the user hovers, all they see is a tracking link.
1
0
0
@notpeter
Peter Tripp
2 months
At some point, some designer or PM decided it would look prettier to hide the actual link and only show the card. But only in DMs. If you hover on the link, just like with every link on Twitter, all you see is the shortened link.
1
0
0
@notpeter
Peter Tripp
2 months
In a tweet, the real link (e.g. is always shown inline while the destination domain's fancy preview card (after following the redirect) is also shown. Like so:
Tweet card summary image
zed.dev
Zed is a high-performance, multiplayer code editor from the creators of Atom and Tree-sitter.
1
0
0
@notpeter
Peter Tripp
2 months
So X/Twitter has a problem -- people like URL shorteners ( etc.) but those services immediately redirect. Users want to show the fancy preview card for the destination link and not the ugly real link.
1
0
0
@notpeter
Peter Tripp
2 months
If you accept the DM and reply, here comes the hook. The reply includes a link that looks to be to Where do you think clicking on that link would take you? Not Google Calendar! How about: calendar-schedule dot xyz. Wat?
Tweet media one
1
0
0
@notpeter
Peter Tripp
2 months
Here's the DM we got to @zeddotdev claiming to be someone from @TechCrunch. The user's profile (since deleted) had a bunch of TechCrunch retweets and ~1000 followers.
Tweet media one
Tweet media two
1
0
0
@notpeter
Peter Tripp
2 months
There's a relatively well-crafted spear phishing campaign floating around to compromise X accounts. It exploits an X API security issue and stale previews of link preview cards to make things look almost legit. It all starts with a DM.
1
0
0
@notpeter
Peter Tripp
4 months
RT @codeforamerica: Today’s reported decision to cancel the IRS’s free and easy to use Direct File program doesn’t align with what taxpayer….
Tweet card summary image
codeforamerica.org
Code for America CEO Amanda Renteria issued a statement in response to plans to end the IRS Direct File program
0
6
0
@notpeter
Peter Tripp
5 months
The env_home crate is truly barebones: check $HOME on Unix, $USERPROFILE on Windows and otherwise return None. Unlike env::home_dir and other fancy crates that add a libc/WinAPI dependency for fallback use, env_home just checks the environment, that's it.
Tweet card summary image
github.com
There's no place like $HOME (rust crate). Contribute to notpeter/env-home development by creating an account on GitHub.
0
0
0