Post

How to get URL link on X (Twitter) App

On the Twitter thread, click on or icon on the bottom
Click again on or Share Via icon
Click on Copy Link to Tweet
Paste it above and click "Unroll Thread"!
More info at Twitter Help

Baptiste Robert

@fs0c131y

Jan 14, 2025 • 13 tweets • 4 min read • Read on X

Scrolly

Worried about a TikTok ban? Americans are now flocking to Xiaohongshu (REDnote), another Chinese app.

Spoiler: Yes, it tracks its users.

Time to dive in! ⬇️

When creating an account, you must verify your phone number by entering a code received via SMS.

The request sent to Xiaohongshu's server includes your phone number (of course), along with your IDFA and IDFV.

https://x.com/fs0c131y/status/1876975966334964076

What’s an IDFA? The Identifier for Advertisers (IDFA) is a unique device ID assigned by Apple to every iOS device.

Many actors, like data brokers, use it to profile you, track your location, and more.

https://x.com/fs0c131y/status/1876975966334964076

When the user is activated, both the IDFA and IDFV are sent again.

Because why send it once when you can send it twice, right?

Nearly every request sent to Xiaohongshu's servers includes the Xy-Common-Params header, which contains:
- Device ID
- Device Fingerprint
- Device Model
- Language
- Platform
- Teenager Status
- Timezone
- And more...

During the process, your device information is also sent to Xiaohongshu's servers, enabling them to fingerprint your device.

This request includes:
- RAM size
- Boot time
- IP
- Carrier
- Country
- OS version
- HW model
- Timezone
- Language
- IDFA (yes, again!)
- Disk size

https://x.com/fs0c131y/status/1879298068702724568

Spending just 10 minutes on Xiaohongshu is enough to conclude that this app tracks user behavior and sends device information to its servers.

https://x.com/fs0c131y/status/1879298068702724568

Where is the information sent aka where are the server located?

They use Tencent Cloud CDN, which makes sense for a Chinese app.

https://x.com/fs0c131y/status/1876975966334964076

Spoiler: User tracking is widespread across apps, no matter their origin.

It threatens privacy and can pose national security risks.

The Gravy leak shows the dangers of centralizing massive amounts of data.

https://x.com/fs0c131y/status/1876975966334964076

Why is my IDFA all zeros in the screenshots?

Because I disabled "Personalized Ads" in iOS.

This entire thread focuses on iOS, but it applies equally to Android. The Android equivalent of IDFA is called AAID.

Technical note: If you want to give it a look, hooking this class is a good start

Four years ago, I analyzed the data TikTok was transmitting, wrote a series of articles about it, and ultimately found myself testifying before a U.S. congressional committee.

baptisterobert.com/posts/tiktok-l…

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

More from @fs0c131y

Baptiste Robert

@fs0c131y

Mar 15, 2025

Regarding the DDoS attack on X:

- Yes, we have identified the correct individual, and he is aware of it. He has attempted to delete evidence since the publication of the tweet.
- Again, it’s not a one-man job. We have also identified the other members of the team.
- They are aware of it. They sent 500 million requests to predictasearch.com over the last three days.
- Trust the process. A report has been sent to the concerned authorities, and they will do their excellent work as usual.

https://x.com/fs0c131y/status/1899433588375867560?s=46&t=TuYvGMRia7bcv-DnpDoahg

They created a new Telegram channel. The last post they forwarded is from a channel called "Russian Partisan." This is not surprising according to our initial findings.

https://x.com/fs0c131y/status/1899433588375867560?s=46&t=TuYvGMRia7bcv-DnpDoahg

Regarding the DDoS attacks on :

Cloudflare is clearly the best option available on the market when it comes to DDoS attack protection. predictasearch.com

Read 5 tweets

Baptiste Robert

@fs0c131y

Mar 11, 2025

Hi @elonmusk,

I've identified the people responsible for the DDoS attack on X yesterday. I'm currently in Washington and will be at the Eisenhower Building tomorrow (for another matter). Would you be interested in meeting?

In the meantime, let me explain

It's OSINT time!

@elonmusk Yesterday, a group called "Dark Storm Team" claimed responsibility for a DDoS attack on Twitter.

Their leader, MRHELL112 on Telegram, has previously used usernames like Darkcrr, GLITCHAT1, and GLITCHcracker.

@elonmusk In a Telegram channel about "DDoS Attack Services," DrSinaway is mentioned alongside Darkcrr.

DrSinaway’s TG bio also references a group called CyberSorcerers.

Read 11 tweets

Baptiste Robert

@fs0c131y

Mar 3, 2025

https://twitter.com/clarachappaz/status/1896610730167947561

Votre volonté d’ajouter une porte dérobée dans les applications de messagerie est une énorme idiotie. Presque autant que votre condescendance…

Explications ⬇️

https://twitter.com/clarachappaz/status/1896610730167947561

https://twitter.com/clarachappaz/status/1896610734114812126

Beaucoup s’inquiètent, donc madame explique. À coup de novlangue et de mots clefs.

Le fameux : “Si les français ne comprennent pas c’est que l’on n’a pas assez expliqué”

Vous prenez les gens pour des idiots et après la classe politique s’étonne des résultats dans les urnes

https://twitter.com/clarachappaz/status/1896610734114812126

https://twitter.com/clarachappaz/status/1896610739697369115

Après avoir dit que le texte est trop large un tweet plus haut on parle “des services” ? Il n’y avait pas un mot plus large dans le dictionnaire de la French Tech ?

Non il n’y a pas de backdoor qui respecte les libertés et la vie privée. C’est un MENSONGE.

https://twitter.com/clarachappaz/status/1896610739697369115

Read 12 tweets

Baptiste Robert

@fs0c131y

Feb 7, 2025

Operation TALENT - Tracking the Hackers

On January 29th, Operation Talent dismantled the cybercrime forums Cracked and Nulled, led by two young individuals and used by millions.

Want to dive deeper?

It's OSINT time! ⬇️

To complete this investigation, the @PredictaLabOff team utilized our platforms predictagraph.com and predictasearch.com.

Thanks to the collaborative mode, you can access a snapshot of the graph here:
predictagraph.com/graph/snapshot…

@PredictaLabOff Time to uncover who was behind the forum Cracked.

@CrackedTo is the official X account of the forum. The associated email, olivia.messla@outlook.de, was revealed in the 2023 Twitter breach.

Read 16 tweets

Baptiste Robert

@fs0c131y

Jan 19, 2025

https://twitter.com/EvilRabbitSec/status/1880725289057366172

The IP address of DrugHub, a well-known dark web drug marketplace, has been exposed.

The website owner made a critical OPSEC blunder.

It's OPSEC time!

https://twitter.com/EvilRabbitSec/status/1880725289057366172

On the website's /info/market-links page, three links are provided:
- The primary .onion address
- A clearnet link
- A permanent mirror

Currently, drughub[.]xx is protected by Cloudflare, but two months ago, it was hosted on the IP address 186.2.171.6.

Read 9 tweets

Baptiste Robert

@fs0c131y

Jan 10, 2025

Only one country was represented at Kim Jong Un's New Year's Eve party. Can you guess which one?

At the Rungrado Stadium, Kim hosted a grand celebration. Before the fireworks, officials enjoyed a private party near the stadium

One attendee's face stood out 🕵️‍♂️

It’s OSINT time!

South Korean media focused on a 2-second clip of Kim Yo Jong, Kim Jong Un's sister, seen publicly with what seemed to be her children for the first time.

But they missed something important 👀

I came across the official video of the private party before the celebration. It shows key figures stepping out of their cars, mingling, and chatting around tables.

Something immediately caught my eye. Do you see it too?