324/68 Friday, September 5, 2025

Cybersecurity researchers at Guardio Labs have uncovered a new technique used by cybercriminals to abuse Grok, the AI assistant integrated into the X app (formerly Twitter), to bypass restrictions on posting malicious links. Malvertisers typically post enticing videos to lure victims but avoid embedding links directly in the posts to evade the platform’s blocking mechanisms. Instead, they hide the malicious link in the “From:” metadata field, a small, hidden data field beneath video posts that X’s systems do not scan for links.
The attackers then reply to the video post using another account, asking questions such as “Where is this video from?” or “What’s the link to this video?” When Grok responds, it retrieves the hidden link from the metadata and displays it as a clickable link. This method, dubbed “Grokking”, allows scammers to effectively distribute harmful URLs to users.
By exploiting Grok in this way, attackers not only spread malicious links widely but also lend them credibility, since the links appear in posts generated by X’s own trusted system. Researchers found that these links often lead to various scams, including phishing sites, data-stealing malware, and other forms of fraud. In some cases, these fake ads have reached millions of views. Guardio Labs reported the vulnerability to X, and fixes are underway. Recommended mitigations include scanning all metadata fields thoroughly and implementing link filtering within Grok to prevent the AI from reproducing dangerous links without verification.
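The two recommended mitigations can be sketched as an ingest-time scan over every field of a post and an output-time filter on the assistant's reply. This is an added example, not code from X or Guardio Labs; the post schema, the field names, the blocklist domain and the sample post are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Matches explicit URLs and bare domains with an optional path (scheme optional).
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s\"'<>]*)?", re.I)

# Constructed blocklist; a real deployment would query a URL-reputation service.
BLOCKED_DOMAINS = {"bad-example.test"}

def host_of(url):
    """Return the lowercase hostname, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def is_blocked(url):
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def walk_urls(value, path="post"):
    """Yield (field_path, url) for every URL in every field, nested or not."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from walk_urls(item, f"{path}.{key}")
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from walk_urls(item, f"{path}[{i}]")
    elif isinstance(value, str):
        for match in URL_RE.finditer(value):
            yield path, match.group(0)

def scan_post(post):
    """Ingest-time check: blocked links anywhere in the record, not just the body."""
    return [(p, u) for p, u in walk_urls(post) if is_blocked(u)]

def filter_reply(text):
    """Output-time check: strip blocked links before the assistant's reply is posted."""
    return URL_RE.sub(
        lambda m: "[link removed]" if is_blocked(m.group(0)) else m.group(0), text)

# Constructed sample: clean body text, link hidden in the video card's "from" field
# (hypothetical field name standing in for the "From:" metadata described above).
SAMPLE_POST = {
    "text": "You won't believe this clip",
    "media": [{"type": "video", "from": "bad-example.test/watch?v=1"}],
}
```

Scanning only `SAMPLE_POST["text"]` would find nothing; walking the whole record is what surfaces the link in the metadata field.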