Elon Musk's clumsy brand shift from Twitter to X caused a potentially big problem this week when the social network started automatically changing "twitter.com" to "x.com" in links. The automatic text replacement reportedly applied to any URL ending in "twitter.com" even if it wasn't actually a twitter.com link.
The change apparently went live on X's app for iOS, but not on the web version. It seems to have been a problem for a day or two before the company fixed the automatic text replacement so that it wouldn't affect non-Twitter.com domains.
Security reporter Brian Krebs called the move "a gift to phishers" in an article yesterday. It was a phishing risk because scammers could register a domain name like "netflitwitter.com," which would appear as "netflix.com" in posts on X, but clicking the link would take a user to netflitwitter.com.
"A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in 'twitter.com,' although research so far shows the majority of these domains have been registered 'defensively' by private individuals to prevent the domains from being purchased by scammers," Krebs wrote.
Even if the change had been implemented smoothly, auto-replacing "twitter.com" with "x.com" doesn't do much to help Musk cement his branding shift because x.com still redirects to twitter.com.
Domains ending in "x" could be spoofed
One of the newly registered domain names inspired by X's text replacement is the example mentioned above. Navigating to netflitwitter.com will show you a message that says, "This domain has been acquired to prevent its use for malicious purposes." The webpage was set up by X user @yuyu0127_ and goes on to say:

"As of April 8, 2024, the iOS Twitter (now X) client automatically replaces the text "twitter.com" in posts with "x.com" as part of its functionality. Therefore, for example, a URL that appears to be "netflix.com" will actually redirect to "netflitwitter.com" when clicked. Please be aware that there is a potential for this feature to be exploited in the future, by acquiring domains containing "twitter.com" to lead users to malicious pages. This domain, "netflitwitter.com," has been acquired for protective purposes to prevent its use for such malicious activities."

As another X user (@Arcticstar0) pointed out, "the actual link is unchanged. It's just the text placeholder that appears different. So the link goes to a different url than it appears."

Krebs quoted Sean McNee, VP of research and data at DomainTools, as saying that "bad actors could register domains as a way to divert traffic from legitimate sites or brands given the opportunity—many such brands in the top million domains end in x, such as webex, hbomax, xerox, xbox, and more."
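The bug described above comes down to substring replacement on link text without checking where the domain label ends. The following is an added illustration, not code from X or from any of the people quoted: it contrasts the blind replacement with a version that rewrites only when the parsed hostname really is twitter.com (or a subdomain of it), and adds the check a client could run to flag any link whose visible text names a different host than the URL it opens. The sample post and the alias table are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample post: one genuine twitter.com link and one look-alike
# domain that merely ends in the characters "twitter.com".
SAMPLE_POST = ("Stream it at https://netflitwitter.com/watch and "
               "discuss at https://twitter.com/someuser/status/1")

URL_RE = re.compile(r"https?://\S+")
OLD_HOST, NEW_HOST = "twitter.com", "x.com"

# Constructed alias table: a display host that legitimately stands in for
# the real host (the article notes x.com redirects to twitter.com).
ALIASES = {("x.com", "twitter.com")}


def naive_rewrite(text: str) -> str:
    """The flawed behaviour the article describes: blind substring replacement."""
    return text.replace(OLD_HOST, NEW_HOST)


def is_twitter_host(host: str) -> bool:
    """True only for twitter.com or a real subdomain such as www.twitter.com,
    never for a domain whose last label merely ends in 'twitter.com'."""
    host = host.lower().rstrip(".")
    return host == OLD_HOST or host.endswith("." + OLD_HOST)


def safe_rewrite(text: str) -> str:
    """Rewrite only URLs whose parsed hostname passes the label-boundary check.
    Assumes URLs without userinfo or port, as they appear in ordinary posts."""
    def swap(match: re.Match) -> str:
        url = match.group(0)
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not is_twitter_host(host):
            return url
        new_host = host[: -len(OLD_HOST)] + NEW_HOST  # keeps any subdomain prefix
        return urlunsplit(parts._replace(netloc=new_host))
    return URL_RE.sub(swap, text)


def display_mismatch(shown: str, actual: str) -> bool:
    """Client-side check: flag a link whose visible text names a different host
    than the URL it really opens, unless the pair is a known alias."""
    shown_host = (urlsplit(shown).hostname or "").lower()
    actual_host = (urlsplit(actual).hostname or "").lower()
    return shown_host != actual_host and (shown_host, actual_host) not in ALIASES


if __name__ == "__main__":
    print(naive_rewrite(SAMPLE_POST))  # look-alike now reads as netflix.com
    print(safe_rewrite(SAMPLE_POST))   # look-alike left untouched
```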