the "security vulnerability" is... hyperlinks? It's something you can do with any hyperlink feature? It's embarrassing code but not much of a vulnerability
Honestly, you call this trivial, but it's really not. It's fairly serious, especially for the normie market that doesn't even know what a URL is. This fix probably saved tons of boomers and zoomers.
cross site what now? csrf who? i just assumed that twitter, since it was renamed x including the website, basically forced "twitter" to autocorrect to "x", especially with urls, without context.
In 1994, TSR published the Encyclopedia Magicka; unfortunately, at the last moment, an editor had changed mage to wizard. It fixed the use of "mage" in the text, but it also changed all versions of damage to dawizard and image to iwizard. Funny that Twitter actually did this live.
Lmao, and this bugged version got printed? Could have been 2 other substitutions from fixing it as well.
This is why search-replace functions typically include a "whole word" option.
The iWizard pro max
newest apple devices leaked
A clbuttic mistake.
I love that everyone still calls it Twitter
Why would anyone stop calling it Twitter? Just because one man decided not to call it Twitter that doesn't mean that the name changed, it is the same as if I start calling my car a Ferrari when it's in fact a BMW... No one else will call it Ferrari.
The same thing with Facebook, it will always be Facebook because this is how people know it
@@notmyname998 I mean, if the *owner* starts calling it something else, then yeah that does mean that the name changed.
The problem is that Elon Musk inexplicably doesn't seem to understand just how valuable a brand can be. You can't buy the name recognition that Twitter has/had, and he just went and tried to flush it down the toilet (or pour it down the sink, perhaps). Ironically, he failed precisely because of how much name recognition Twitter does have -- it has penetrated far too deep into the public psyche for anyone to call the site anything else. The fact that the site URL remained unchanged for so long didn't help either, nor did Elon's antics that made it so most people just refused to acknowledge this dumb vanity project of an "everything app" that he clings to like a security blanket.
@@notmyname998 it's not even that, it's just that x is a dumb name and Twitter is less dumb
@@notmyname998 I prefer to call it Thefacebook 😎
Also true
would have been hilarious if they reversed it by replacing "x" with "twitter"
that would be etwittertremely funny
@@capsey_ that would be x.twitteryz funny
That would have been so etwitterciting to see!
Immediately registering TwitterVideos domain then.
setwitter
I never would have guessed that laying off 75% of the staff, reorganizing the business, handing down functionality edicts, and running the company on shoestrings would result in lack of oversight and technical debt so egregious that it leads to easily exploitable feature creep on a monthly basis
OH WAIT, YES I DID. MANY TIMES.
Good job man 🎉
lack of foresight*
and yet old Twitter was definitely worse than new Twitter.
@@cinex20 Lack of any kind of sight*
Look at Elon, do you think he's actually smart enough to have hindsight?
@@fangirlmc It wasn't. There were fewer pedos and extremists. Lol
The security team got fired because they weren't writing enough lines of code
This... actually sounds plausible.
@@antonliakhovitch8306 This is what Elon said he did, so yeah
@@antonliakhovitch8306 Some of Twitter's layoffs were literally decided based on numbers of lines of code. It's not just plausible, it's likely.
How to add more lines to your code, easy tutorial below
If(
1+1=2
) {
Live}
Else{
Die}
@@ExzaktVid ==*
@4:20, actually you can just pass the user / password to the real website and still log them, the end user is still none the wiser, nothing stopping you from running another website fully within your phishing site, with input logging
This is a few standard deviations above average scammer IQ
@@635574 Rather, there's no need to bother. Once you've got their details, you've got their details.
Good to know.
To do so effectively and in a convincing way (not displaying a tab within a tab, not taking 10s+ to load, etc) would require a lot more effort & expertise than the average phisher has at their disposal...
@@EntityVsEntityInteractions wrong, setoolkit is open source and widely available
The Muskrat gave the original Twitter staff a crappy ultimatum and most of them walked out. He's likely been struggling to hire experienced coders, because people with any shred of confidence refuse to work for him.
S E C U R I T Y I S S U E I N B I O
lmao
that's fucking hilarious
a spiteful childish change AND it's poorly implemented? nooo that doesn't sound like elon at all
Poorly implemented, sure, but I'm not really sure where you're getting "spiteful childish" from. A lot of the URLs that the website uses still have Twitter in them. It would be confusing for users if they saw Twitter as well as X. Rebasing all the URLs to go from Twitter to X retroactively is the slower, more expensive option. By displaying it like this, assuming it worked right, you can maintain the aesthetic cohesion while the underlying URLs need not be updated yet.
This is what happens when you have Elon as your code reviewer 😂
Yeah because its the ceo reviewing the code 🤡
@@tiagorainho5011 fr lol
@@tiagorainho5011 Elon literally made engineers print out code and present it to him when he bought Twitter 😂. He's a known micromanager
@@tiagorainho5011 You're joking, but that is literally what happened.
@@tiagorainho5011 delete this comment buddy
why do i feel like elon just went in and coded this himself
nah you are giving him too much credit, twitter would break if elon programmed a single line
@@Luky.73 that honestly feels like just a bandaid ass weird bit of code that he could've written.. like it sorta DID almost break stuff
Microsoft Azure password change page takes the crown on horrible UI that looks like phishing
I don't use azure, what are they doing? Do you have a TL;DR?
@@sehaless it's a dev UI straight out of 2004
@@inverlock oof, hey, at least it's fast.. right?
Lmao it does, it looks so old. There's a lot of little legacy items still kicking around in Azure/365
and Oracle's entire site
this is what happens when the company culture is "just do whatever dumb shit elon wants without asking questions if you don't wanna be fired"
Reminds me of a Minecraft server I joined like 11 years ago that had a word filtering plugin to stop swearing
Except they somehow configured it to change "hello" to "hekko"
Presumably trying to prevent anyone from saying "hell"
That's a known issue called the scunthrope problem.
@@brucewayne1777 Scunthorpe, not Scunthrope. And of course, there's a ton of other towns with those types of names - Penistone for example.
@@brucewayne1777 also seen frequently with Penistone
@@brucewayne1777 *Scunthorpe
@@brucewayne1777 it's a clbuttic problem
obviously a bad bug, but completely ridiculous to say "I cannot imagine an experienced software engineer who wouldn't consider security vulnerabilities with URL rewrites". as a software quality professional, I have found COUNTLESS bad bugs from people who have been software engineers for 10+ years. bugs that reveal PHI, XSS bugs, bugs that bring down entire sites, etc
obviously that 10+ years of experience was _not_ in security for them XD
But in this case it wasn't a bug.
Most of the bugs or vulnerabilities that experienced software engineers add in are not intuitive and mistakes get made because it isn't an issue that is often encountered in regular development and requires special consideration. Every software engineer is well aware of the limits of search and replace, it's the reason you always use "refactor" in your IDE instead of "find and replace". It's practically one of the first things you learn as a software engineer, when you try to change a variable name and it ends up changing a bunch of other stuff you didn't want it to as well. Extending that intuition to URL replacements is such a small logical leap. I'm a very inexperienced software developer and even I make sure to be extra careful when having to parse strings because there are always a ridiculous number of edge cases to account for (e.g. word extraction can't just look for spaces since punctuation exists and sometimes punctuation like single quotes are considered parts of words and sometimes aren't).
It's one thing to leave in a segfault that didn't get caught because it happened to point to allocated memory while testing or even code injection vulnerabilities that weren't accounted for in the test cases and another to not recognize the potential issues with a full search and replace, especially when it apparently wasn't tested on edge cases before deployment (e.g. ensuring "netflitwitter dot twitter" not being replaced with anything since it should only replace second-level domain names and only "twitter" by itself). Even the simplest and smallest set of reasonably made test cases would have caught this bug.
I might've accepted an experienced software engineer accidentally replacing top level domains with "X" since ".twitter" isn't really a valid domain, but replacing every instance of "twitter" even when it isn't the full domain name is a bit ridiculous, even for an inexperienced developer, let alone an experienced one.
in fact newer people tend to be more cautious. experienced people are often arrogant and refuse to fix their mistakes
@@VonVikoGoat well yeah, but you can only be cautious of dangers you're _aware of._ That's the issue for newer people: you can be as cautious as you want, but if you didn't know that something is a possibility, you can't viably protect against it.
When you fire 80% of your engineers at once...
But the Musk fans were saying that all those tech employees who left weren't important, and that twitter will be fine regardless... 🤔
Twitter actually had XSS in the feed 3 years ago
There are many subdomains of Twitter, where XSS happens
@@dingus2332 dang!
You mean Tweetdeck?
@@dingus2332 Such as ? Any PoC ? Anything to back your claim lol? Do you have any previously documented PoC ?
@@al-ft1ng it's just a known thing... They launch subdomains, hunters with tools scan that new vulnerable subdomain and report them immediately
That's why you should use a password manager with phishing detection where it automatically matches the domain against the URL stored in your passwords and thus only show the ones that match the domain.
Examples of password managers with this functionality?
@@Z-of1zx pass, pretty much the standard on Unix systems, does this.
bitwarden is a pretty good free one
@@Z-of1zx Android Password Store and gopass extension for browsers (uses the pass system)
@@Z-of1zx lastpass, 1password, keepass (with the browser extension). Honestly I think all of them have that
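The thread above describes the behaviour in prose: the manager compares the current page's domain with the domain of each stored login and offers only the logins that match. Here is an added JavaScript example of that matching, written for this thread and not taken from any password manager's code; the vault entries are constructed, and the registrable-domain helper uses a tiny hard-coded suffix set as a stand-in for the full Public Suffix List that real managers consult.

```javascript
// Added example, not code from any password manager. It shows the "only
// offer logins whose site matches the page I am on" check that the thread
// describes. The vault below is constructed for this example.

// Stand-in for the Public Suffix List: real managers carry the full list.
const KNOWN_MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Reduce a hostname to its registrable domain (eTLD+1), e.g.
// "www.netflix.com" -> "netflix.com", "online.bank.co.uk" -> "bank.co.uk".
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  if (labels.length < 2) return hostname.toLowerCase();
  const lastTwo = labels.slice(-2).join(".");
  const keep = KNOWN_MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Parse a URL and return its hostname, or null when it is not a URL.
function hostOf(urlString) {
  try {
    return new URL(urlString).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Return the vault entries whose stored site is the same registrable domain
// as the page the user is currently on. A look-alike such as
// netflitwitter.com matches nothing, which is the phishing tell.
function matchingEntries(currentPageUrl, vault) {
  const host = hostOf(currentPageUrl);
  if (host === null) return [];
  const site = registrableDomain(host);
  return vault.filter(entry => {
    const stored = hostOf(entry.url);
    return stored !== null && registrableDomain(stored) === site;
  });
}

// Constructed vault: three logins saved under their original sites.
const SAMPLE_VAULT = [
  { name: "Netflix", url: "https://www.netflix.com/login", username: "alice@example.com" },
  { name: "Twitter", url: "https://twitter.com/login", username: "alice" },
  { name: "Bank", url: "https://online.examplebank.co.uk/", username: "alice" },
];

// Names of the logins the manager would offer on a given page.
function entryNamesFor(currentPageUrl, vault = SAMPLE_VAULT) {
  return matchingEntries(currentPageUrl, vault).map(e => e.name);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const page of [
    "https://www.netflix.com/browse",
    "https://netflitwitter.com/login",
    "https://www.netflix.com.evil.example/login",
    "https://mobile.twitter.com/home",
    "https://x.com/home",
  ]) {
    console.log(page, "->", entryNamesFor(page));
  }
}
```

Note the last case: a login saved for twitter.com is not offered on x.com, so after a rebrand the stored URL has to be updated (or a second URL added) before autofill works again. That is a feature, not a bug: silently treating two registrable domains as the same site is exactly what the phishing check exists to prevent.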
Sadly the reason for the "no review" is much more trivial. It's very likely that people didn't want to "review" it than they actively didn't because everyone knew this was a bad idea, but the "person" who made the decision had a lot of power within the company and really, really, really wanted it. Because in general, there is absolutely no reason to implement this change and a waste of man hours.
So they wanted to get this done, let the person who's making the stupid decision see it crash. And then get back to actual important work.
twitter used to have XSS on their desktop client, there was a self-replicating tweet going around for a couple of hours
Tweetdeck*
I remember the Tom Scott video on that one 😂
It was not an issue on an official Twitter product. That was a third-party client.
As a wise man once said: “If he can deadname his own daughter, we can deadname his goofy ahhh platform”
It ain't his, he just adopted it and tried to rename yet another of his children to something with an X in it
@@joshy541 I’m talking about Vivian, not XÆA-12
@@ladyalicent705 yeah I got you, I'm just saying he adopted Twitter and tried to force a new name on it. Because Twitter sure as heck didn't want to be renamed
Men can't give birth.
TH-cam doesn't want you to know this, but here's a secret knowledge from the before time (literally couldn't post this without this preamble to throw off the bot): Men can't give birth.
I can imagine that this got into prod because it's considered a front end / visual change and it might have less strict review standards? Still wild that apparently whoever wrote this didn't realize the implications.
Crazy because my first thought was linkedin is starting to look a lot like facebook
Elon Musk, living proof of the meritocracy! 🤣🤣🤣
Thanks for providing the link to the original post
You the best!
I'm by far not the best programmer, but I think it's fair to take the piss out of Twitter for this considering how big of a company they are and how many people there are.
Just like a lot of changes since Elon took over, sounds like a change that was enforced from above. Guess someone is salty that nobody calls it X
Remember the self retweeting tweet?
All I know about web security is from Tom Scott, and it seems like I might actually be set for a while
"I'm sure they have best practices in place"
You mean like firing all of the people who know what they're doing cuz they're not needed supposedly?
It's giving "fired for not enough lines of code"
scared with the google part i actually used it and btw when are the systems design videos bro
Petition for neetcode to create web app security videos!
ehh like he said he's not a security expert. there's plenty of experts with full fledged courses out there tho
@@ExecutionMods yes I agree there are plenty of other courses out there, but the way this dude teaches is just 🔥🔥
@@aka5h_ra0 i agree i like his style of teaching a lot
Stop spreading rumours.
There was a thorough code review done. Everyone printed their code on paper, at least the first 2-4 pages were peer reviewed, a few LGTMs were exchanged, and only then was the code merged into production.
This is what happens when Musk keeps his teams "lean, innovative, and hungry for the next growth phase cycle"
Good. He's right. It's social fucking media
@@jonathanhoward1499 security issues aren't a price I'm willing to pay for innovation
@@jonathanhoward1499 in no way is he right. He is a complete moron. Reevaluate everything that led you to say that
This is what happens when you fire most engineers and make the remaining sleep in office in order to work 120 hour weeks.
Blatantly false and Twitter has run better than ever with the downsized team once all the bloat and HR department were removed. Elon's Twitter team has shipped more features than Jack has in the past 10 years.
@@Sammysapphira The company is doing terribly compared to how it used to. I mean imagine becoming the new CEO and the most significant thing you have to show for it is a new competitor spawned and took a massive amount of your market share - something unthinkable years prior.
@@Sammysapphira Every post is bots replying with engagement bait not related to the original content.
@@Sammysapphira Twitter is literally shit now, only bots on every post and the features are shit and get pulled back every 3 months. It's tragic how he fucked it up soo bad.
@@tapwater424 And you think that is caused by Elon? How? Couldn't it be just a coincidence?
I don't think the Google page was that big of an issue, as long as you confirm that the sign in page that opened is with a Google domain, because if the app itself isn't made by Google, it only has access to Google's OAuth flows (and any other permissions you share in the screen after the login), and OAuth is pretty secure; you wouldn't lose your Google credentials just because a site got you to OAuth to them (I believe it's a PKCE flow to be more specific, but I could be wrong).
That being said, if you have to type in your password to a Google page, you'd better be sure that sign in page is by Google, even if the app itself isn't.
The XSS vulnerability actually happened years ago. Tom Scott made a video about it, and its called the self retweeting tweet
Haven't seen the vuln yet, but I've actually never heard of a CSRF! That's really interesting, definitely something to watch out for that never got covered in my security classes (or maybe I just missed those days, lol).
ok now that I have, that is PROFOUNDLY embarrassing. That's a mistake that I feel like anybody sandboxing the code could check, are they just shipping anything?!
it's grock becoming devin
Maybe Elon fired all the smart people yoo.
The smart people knew better than to stick around
smart people can get paid the same without the 100 hour weeks, so they've all left by now.
Worst part is he still works there.
You should never trust what's displayed anyway. Always check the mouse hover on a link.
That's such a... "PHP 5.6 newbie WordPress tinymce fork" kind of mistake.
I have no idea what any of this means
I bet you Musk said to do it this way and refused to listen to anyone who explained.
musk has such an inflated ego and insecurity from people not calling the popular app its original name that he accidentally created avenues for scams with shitty find/replace code
LOL this SCREAMS "everyone who knew anything at Twitter has left the building"
This is no different than allowing custom hyperlinks though. Twitter doesn't support rich text, so that change in functionality does result in a vulnerability, but most other social media sites have allowed rich text for years (including LinkedIn where you're reading that). So individuals should already be used to checking the actual URL on links.
Effectively, it is a bug, and it is technically a vulnerability, but no more so than the rest of the internet **intentionally** allows.
"I'm sure they have best practices in place."
Hilarious misunderstanding of Elon's Twitter.
Why is he still pushing X, just such a stupid name.
because he's obsessed with it. He always wanted it and he pushes it into everything, even his own children's names.
Getting paranoid because buttons look funny?
That's everyday for me with my crappy connection...
setwitter
gay setwitter
another example of companies making useless changes instead of fixing real problems
On a less important note: petition to call the site Twitty if he finds a way to ban the term Twitter correctly
Elon Musk is truly a genius. I didn’t think it was possible to run such a massive company into the ground so fast and efficiently.
Well when your criteria for keeping employees is lines of code written it follows naturally that you're going to keep employees who have to rewrite and correct code
I see everyone has gone on to take the piss out of Elon for the many many mistakes he made. The funny thing for me is this is because Elon decided Twitter should be called a letter.
And now it's breaking people's tweets, because nobody calls the site by the letter. Of course, it's more complicated, like - read the other comments.
This is why I deleted my Twitter account very soon after Elon took over and fired most of the engineers. Especially after I learned 2FA broke immediately. As an engineer, I can only imagine the amount of details that are getting thrown out the window.
Lol, they've had hacks bypassing 2FA years before Elon.
It was always a mess. You're just unable to moderate your bias here
@devstuff2576 no, they deleted it because they could see that Elon was breaking things. That's why they reference how 2FA broke on the site
@devstuff2576 Skill issue
He didn't fire the engineers. He fires the slackgineers.
@@Sammysapphira really? And now they have a security issue. Looks like the 'slackgineers' doing the work.
twittervideos
Let's compromise. Xitter.
How many of the doxxers, swatters, and SJWs are gone?
What happens when you get rid of all your talent to save an extra penny.
"talent"
That is so goofy.
I gave you the 777th like, really enjoy your videos! (never done a leetcode question in my life)
How can we learn more about this type of stuff?
owasp is a good site to learn about this stuff.
Twitter has previously had XSS attacks...
Doing a text replace and not bothering to only match the real domains is just amateurish. Did an intern do this?
what if I told you that I can make the CSRF hack happen in Twitter in a few seconds?
and even better, make some random people follow some other random people.
@@hypermeero4782 are there no CSRF tokens on their requests?
@@hypermeero4782 I'd ask you to do it
@@hypermeero4782 report it and they'll probably reward you
can you use it to make my twitter blow up 😊
For the google webpage / login you showed, it's always good to check the certificate of the website, authority domains will have their own certs that are (usually) easy to recognize.
The review process having a lot of odd barriers to even getting to the point where someone is looking at it really sounds like that usual corpo adversarial conditioning approach to things, where they just add difficulty to some task they think should have some gravity to it rather than trusting anybody to make a good judgment, and in this case, it was going to be seen by someone doing the reviewing anyway. But in their mind, everyone is just going to be irresponsible and everything is a slippery slope because they have zero trust in their workers to have reasonable judgment. Just seems like usual corpo owner culture issues though.
Twitter just seems like a bit of a circus though. :p
Just like the renaming failed since Elon didn't listen to marketing and UX experts, I wouldn't be surprised if this "solution" came down from the top without considering input from SWEs who know what they're doing.
This would've never happened at old Twitter because they never would've changed the name 🤦♂️
A clbuttic clbuttic mistake
i liked twitter but i stopped using it once elon took over. yikes
What NeetCode is new primeagen?
Not a chance. I actually learned a few technical concepts with Neetcode. I usually leave a primeagen's video wanting that hour back
Neetcode is 10x more beginner friendly
@@climber-fd1ww LMAO. This is actually true. I only watch primeagen when I want to eat something.
@@zweitekonto9654 yeah sooo true 😂
@@climber-fd1ww true, true, primeagen is simply for programmers to chill and have a chat
It's funny because the possible causes really weren't all that unlikely for Twitter, I mean wasn't the Heartbleed exploit from like 2012~ an XSS exploit itself?
Ah yes, Elon Musk, always solving humanity's biggest and most existential problems. What would we do without you (we'll be fine) 🤦🏽♀️
My own personal website does shady shit but not this bad :O
On the web anyone anywhere has always been able to create a link named one thing that links elsewhere.
But now it’s much, much easier to make and disguise it as a legitimate link.
>what is a test environment
"This is Elon Musk, Tesla's co-founder and CEO"
When you convert without specifying bounds 😂
I don't know if my google credentials are worth much. They are welcome to the 4 videos I made in 7th grade
the "security vulnerability" is... hyperlinks? It's something you can do with any hyperlink feature? It's embarrassing code but not much of a vulnerability
I like bureaucracy.
let's call it titter from now on
Security team? Come on this REEKS of a change that elon himself forced them to ship
Moral of the story: Elon can't run a website.
heaven forbid you use the word Twitterpated. would that.... like....
Ok when he said the word subscribe at 1:20 the subscribe button was highlighting…. That was cool 🤯 and it worked, I subscribed🎉
Signals
so happy at this elon/twitter hate in the comments lol
What a clbuttic mistake!
100% a regex issue
loved this
Twitter has had an XSS vulnerability before but that was probably over a decade ago
A clbuttic error.
Honestly, you call this trivial, but it's really not. It's fairly serious, especially for the normie market that doesn't even know what a URL is. This fix probably saves tons of boomers and zoomers.
classic elon moment
LGTM!
cross site what now? csrf who?
i just assumed that twitter, since it was renamed x including the website, basically forced "twitter" to autocorrect to "x", especially with urls, without context.
based ublock user
Great video, but that was a long intro. We know what XSS and CSRF are 🤷🏽♂️