So the exploit is fake site -> user-agent specific redirector -> CNN. That would clear CNN.
I’m thinking through how Twitter would combat something like this. IMO they would flag new domains for manual approval (or hey, require TFA for self-serve ad accounts!) but both of these add to the cost and friction of their adtech.
Always a bummer when good security practice gets overruled by the need to squeeze every cent of revenue they can.
>I’m thinking through how Twitter would combat something like this.
Display the real link domain by default, but offer custom domains for manually verified advertisers. That obviously involves some degree of cost, but it's worthwhile to preserve trust in the platform.
Maybe Twitter could show something on the card “CNN.com via malicious.example.com”? Personally I like knowing when I’m clicking a tracked or affiliate link anyway.
I'm not sure how many people that would work for. If malicious.example.com were some pithy little domain on a trendy ccTLD like bit.ly, I think most Twitter users would ignore it, assuming it was yet another URL shortener.
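An added example (mine, not any commenter's, and not anything Twitter is known to run) of the review-side check the thread implies: resolve an ad's link under several User-Agents, flag it when the landing hosts diverge, and build the "CNN.com via ..." card label. All hostnames and the redirect table are constructed stand-ins for live HTTP lookups.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# A resolver answers "where does this (url, user_agent) redirect to?",
# returning None when the response is a final (non-redirect) page.
Resolver = Callable[[str, str], Optional[str]]

# Constructed fixture (hypothetical hosts): the redirector sends the ad-review
# crawler to the real news site and ordinary browsers to the fake site.
CONSTRUCTED_HOPS: Dict[Tuple[str, str], str] = {
    ("https://redir.example.net/go", "Twitterbot/1.0"): "https://www.cnn.com/article",
    ("https://redir.example.net/go", "Mozilla/5.0 (iPhone)"): "https://login-fake.example.org/",
}

def fixture_resolver(url: str, user_agent: str) -> Optional[str]:
    return CONSTRUCTED_HOPS.get((url, user_agent))

def follow_chain(url: str, user_agent: str, resolve: Resolver, max_hops: int = 10) -> List[str]:
    """Return every hop this User-Agent sees, from the ad link to the landing page."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = resolve(chain[-1], user_agent)
        if nxt is None or nxt in chain:  # final page, or a redirect loop
            break
        chain.append(nxt)
    return chain

def host(url: str) -> str:
    return urlsplit(url).hostname or ""

def check_cloaking(url: str, user_agents: List[str], resolve: Resolver) -> dict:
    """Resolve the link under each User-Agent; divergent landing hosts mean cloaking."""
    landings = {ua: follow_chain(url, ua, resolve)[-1] for ua in user_agents}
    final_hosts = {host(u) for u in landings.values()}
    return {"cloaked": len(final_hosts) > 1, "landings": landings}

def display_label(chain: List[str]) -> str:
    """Card text in the 'landing host via first-hop host' style suggested above."""
    if len(chain) == 1:
        return host(chain[0])
    return f"{host(chain[-1])} via {host(chain[0])}"
```

A real crawler would also need to vary Accept-Language, client IP ranges and timing, since a redirector can key on any of those, not only the User-Agent.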