Hashtag Steganography

by @edent | Read ~244 times.

Steganography (/ˌstɛɡəˈnɒɡrəfi/) is the practice of concealing a file, message, image, or video within another file, message, image, or video. I recently saw someone tweeting the hashtag #ManchesُterDerby. Do you see an odd character in the middle? It's an Arabic Damma (U+064F) - a vowel character. Although it comes after the "s" in Manchester, it…


Why doesn't Twitter block Tweets properly?

by @edent | Read ~107 times.
A quote tweet. The quoted content is unavailable.

For the sake of my mental health, I've blocked a few people and organisations on Twitter. They can't see what I do, and I can't see them. I'm sure you've done the same to a celebrity or pundit you just can't stand the sight of. Perhaps you have an abuser you'd rather not have thrust…


Sending 1.2 Million Tweets

by @edent | 1 comment | Read ~7,031 times.
A beautiful blue sky with scattered clouds. Text reads 2586 Watts - 68% battery.

Back in 2014, I set up a rather silly Twitter account - @OxfordSolarLive. The premise was simple. A camera took a photo of the sky above my house. It took a reading from my solar panels to see how much electricity they were generating. It superimposed the reading on the photo. Then posted it on…


Warning - do not click on Twitter ads

by @edent | Read ~2,896 times.
Picture of Richard Branson, encouraging people to deposit £250.

It seems that Twitter has lost control of its advertising system. This blog post will show you why it is dangerous to click on any Twitter advertising. Twitter ads have always been a bit crap, but I've seen a recent influx in outright scams. Let me step you through a couple of examples. A typical…


Crypto Scammers Abusing Twitter Cards via Redirects

by @edent | 1 comment | Read ~521 times.
A spam advert on Twitter. The CNBC website is highlighted at the bottom.

Twitter has a problem with scam advertising. Rather than having humans manually check adverts for acceptability and authenticity, they let almost anyone promote anything. Whatever meagre protections they build in are rapidly evaded by the scammers. Let's take a look at an example of a promoted crypto-scam about Singapore. I'd say it was obviously a…


$3k Bug Bounty - Twitter's OAuth Mistakes

by @edent | 5 comments | Read ~14,838 times.
A Twitter login screen. Highlighted is the information that it cannot access your DMs.

Imagine the scenario. You're trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions - phew - it doesn't want to access your Direct Messages. You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and…


Twitter's Secret "Guest Mode"

by @edent | Read ~22,501 times.
Twitter's guest mode displayed on a TV.

Twitter has an undocumented feature which lets you follow accounts without being logged in. Here's how I found it, and how you can use it. My crappy old TV has a crappy old web browser on it. One boring Sunday, I decided to see which websites worked and which didn't on a 6 year old…


How to avoid JPG compression on Twitter

by @edent | 6 comments | Read ~14,971 times.
Screenshot of a graphics editor. One pixel has been removed from the image.

Update for 2019! Twitter have changed how they compress images. Some of the techniques in this blog post may be out of date. Let's talk image compression! Services like Twitter will often apply aggressive levels of compression in order to reduce their storage space and decrease download times. This can have negative consequences for usability…


A curious way to break Twitter's search results

by @edent | Read ~173 times.
Screenshot of a tweet. The HTML is malformed.

(This isn't really a security issue, although I've disclosed it to the Twitter team.) "Fuzzing" is a computer science term which means "sending weird data into a program and seeing what happens." It's a useful way to see how your code can break in new and unexpected ways. It's particularly good at showing what a…


An Animation of Every Emoji

by @edent | Read ~355 times.
A friendly looking chicken stares at you

The Video
EVERY EMOJI! pic.twitter.com/2fCUqwu67c — Terence Eden (@edent) October 24, 2017
Download the WEBM version (19MB).
The Process
Mostly notes to myself, but I thought you lot might be interested 🙂
Get Every Emoji from Twemoji
Twitter maintain the Twemoji Project - it contains high quality SVGs of every emoji. They generously make them…
