Clicking Links on X Is Not Safe
I think the kindest thing that can be said about X (the social network formerly known as Twitter) in 2024 is that it’s impressive that the site is still running. Sure, spambots are hijacking trending topics , hate speech is on the rise (X is suing the company that tracks him, by the way), and advertising volume is down significantly , but despite all of this, twitter.com still manages to load.
But the reasons to load a site at all continue to dwindle rapidly—and not just for the reasons mentioned above. Because now it seems like it’s no longer safe to follow links on X.
You don’t know where that X link actually goes.
As security researcher Will Dohrmann noted , some messages on X appear to lead to a legitimate website but actually redirect to somewhere else. In Dohrmann’s example, an ad posted by verified user X claims to link to forbes.com . However, when Dohrmann clicks on the link, he goes to another link to open a Telegram channel that “helps people make the most profit in the cryptocurrency market,” he said. In short, the Forbes link leads to cryptospam.
Attackers can achieve this thanks to vulnerabilities in how X handles URL previews. As BleepingComputer explains , X checks the final destination of the URL, rather than the source link itself, before generating a preview link on the site. This wouldn’t be a problem if users were actually directed to the link’s final destination every time. Unfortunately, this policy gives attackers the opportunity to trick people into clicking on links they would otherwise never click on.
All they have to do is set up two different URLs in their post. In the above case, clicking on the forbes.com link will actually take you to joinchannelnow.net. Once on this site, the server checks whether the request is coming from a regular browser (that is, from you). If so, you will be taken to a spam site, which in this situation is a Telegram channel for crypto scams. However, if the server detects that the request is coming from something else—for example, a bot checking X-links—it will assume that the request was not made by a human; in these cases it returns the legitimate URL. So even though the first link is “Join Channel Now”, X checks it, redirects to forbes.com and puts a preview of the URL in the message. Your experience will be different.
In short, it’s a security nightmare . This means that every link you see on X could potentially result in the site trying to, at best, spam you, scam you, install malware on your computer, or otherwise take advantage of you, at worst , all because you trusted the social media platform to show the correct link preview.
How to protect yourself when following links on X
The best X way to stay safe on X is to stop using X. Seriously, how many “last straws” are needed before we all realize that this place is no longer worth visiting? Spicy memes no longer justify the many downsides and risks.
Of course, many of us will still continue to use it (can’t say I haven’t yet), so some actionable steps will help. So when using X on your computer, always hover over the link preview before clicking it. Since you are using a web browser, you will be able to see the final destination of the link as a pop-up link preview, so you will know whether the link is valid or not. If you see something other than the link provided in the message, do not click on it.
Unfortunately, you can’t do this on a mobile phone, so to be honest, opening links to X on your phone probably isn’t a good idea. I’d like to say that you should only open links from accounts you trust, but since anyone who pays for X can now get a verification badge , it’s all too easy to be fooled by an account claiming to have the authority that not really. Remember, the account that posted the fake Forbes link has also been verified.