Craft and publish engaging content in an app built for creators.
NEW
Publish anywhere
Post on LinkedIn & Mastodon too. More platforms coming soon.
Make it punchier ๐
Typefully
@typefully
We're launching a Command Bar today with great commands and features.
AI ideas and rewrites
Get suggestions, tweet ideas, and rewrites powered by AI.
Turn your tweets & threads into a social blog
Give your content new life with our beautiful, sharable pages. Make it go viral on other platforms too.
+14
Followers
Powerful analytics to grow faster
Easily track your engagement analytics to improve your content and grow faster.
Build in public
Share a recent learning with your followers.
Create engagement
Pose a thought-provoking question.
Never run out of ideas
Get prompts and ideas whenever you write - with examples of popular tweets.
@aaditsh
I think this thread hook could be improved.
@frankdilo
On it ๐ฅ
Share drafts & leave comments
Write with your teammates and get feedback with comments.
NEW
Easlo
@heyeaslo
Reply with "Notion" to get early access to my new template.
Jaga
@kandros5591
Notion ๐
DM Sent
Create giveaways with Auto-DMs
Send DMs automatically based on engagement with your tweets.
And much more:
Auto-Split Text in Posts
Thread Finisher
Tweet Numbering
Pin Drafts
Connect Multiple Accounts
Automatic Backups
Dark Mode
Keyboard Shortcuts
Creators loveย Typefully
150,000+ creators andย teams chose Typefully to curate their Twitter presence.
Marc Kรถhlbrugge@marckohlbrugge
Tweeting more with @typefully these days.
๐ Distraction-free
โ๏ธ Write-only Twitter
๐งต Effortless threads
๐ Actionable metrics
I recommend giving it a shot.
Jurre Houtkamp@jurrehoutkamp
Typefully is fantastic and way too cheap for what you get.
Weโve tried many alternatives at @framer but nothing beats it. If youโre still tweeting from Twitter youโre wasting time.
DHH@dhh
This is my new go-to writing environment for Twitter threads.
They've built something wonderfully simple and distraction free with Typefully ๐
Santiago@svpino
For 24 months, I tried almost a dozen Twitter scheduling tools.
Then I found @typefully, and I've been using it for seven months straight.
When it comes down to the experience of scheduling and long-form content writing, Typefully is in a league of its own.
Luca Rossi ๊ฉ@lucaronin
After trying literally all the major Twitter scheduling tools, I settled with @typefully.
Killer feature to me is the native image editor โ unique and super useful ๐
Visual Theory@visualtheory_
Really impressed by the way @typefully has simplified my Twitter writing + scheduling/publishing experience.
Beautiful user experience.
0 friction.
Simplicity is the ultimate sophistication.
Queue your content inย seconds
Write, schedule and boost your tweets - withย noย need forย extra apps.
Schedule with one click
Queue your post with a single click - or pick a time manually.
Pick the perfect time
Time each post to perfection with Typefully's performance analytics.
Boost your content
Retweet and plug your posts for automated engagement.
Start creating a content queue.
Write once, publish everywhere
We natively support multiple platforms, so that you can expand your reach easily.
Check the analytics thatย matter
Build your audience with insights that makeย sense.
Writing prompts & personalized postย ideas
Break through writer's block with great ideas and suggestions.
Never run out of ideas
Enjoy daily prompts and ideas to inspire your writing.
Use AI for personalized suggestions
Get inspiration from ideas based on your own past tweets.
Flick through topics
Or skim through curated collections of trending tweets for each topic.
Write, edit, and track tweetsย together
Write and publish with your teammates andย friends.
Share your drafts
Brainstorm and bounce ideas with your teammates.
NEW
@aaditsh
I think this thread hook could be improved.
@frankdilo
On it ๐ฅ
Add comments
Get feedback from coworkers before you hit publish.
Read, Write, Publish
Read, WriteRead
Control user access
Decide who can view, edit, or publish your drafts.
There have been a few browser extensions being built with the intention of helping users know when they are calling a token approval function.
The intention is obviously good, however, I believe they don't improve security and add unnecessary risk.
Let me explain why...๐งต๐๐ป
1/
Let's talk vulnerabilities, threats, and controls.
The vulnerability is that a token approval gives full control of tokens to another address.
The threat is that a user delegates this control to a bad actor's address unknowingly, resulting in asset loss.
2/
Ok so we know the vulnerability and the threat. Now, let's talk controls.
There are 3 Control Types in cyber security - Administrative, Technical, and Physical.
There are 3 Control Functions - Preventative, Detective, and Corrective.
3/
Let's just have a quick run down of each Control Type.
Administrative - human-based control, behavioural or management related. Known as a "soft control"
Physical - something tangible and not technology-based
Technical - technology based control (software or hardware)
4/
Next are the Control Functions
Preventative - prevents a vulnerability being exploited
Detective - detects unauthorised activity
Corrective - repairs damage or restores services to their original state
5/
Now that we understand control types and functions, let's go back to understanding the original threat and the control that has been developed by revoke.cash and others
Threat = uneducated user giving token approval to bad actor
Control = Technical and Detective
6/
The extension is a Technical control since it uses technology to apply a Detective function. It is Detective, because it does not prevent the user from accepting, it is merely detecting something and providing information.
So far, so good...
7/
So, why am I even writing this thread then?!
Let's look at the risk management process. We've assessed the risk of the threat. We are now looking at implementing this extension as a control to bolster our security posture. Then what? We re-assess for residual risk!
8/
Residual risk is a term that defines any risk that is left over after security controls have been implemented.
So what residual risk do we have here?
Well, for one.. we have just introduced an entirely new vulnerability to our security posture. Another browser extension!
9/
Why is a browser extension a risk? Because any additional code running on your device is another source of potential vulnerabilities.
"But, the code is open-source!" I hear you say!
So was the tool that @PREMINT_NFT were using to upload assets, that was recently attacked.
10/
Open-source != inherent security
Yes, open-source is imo better for security than closed-source products, but it doesn't mean that they are inherently secure.
ALL software products have security vulnerabilites, known or unknown - that's why we patch.
11/
Ok, so even though @RevokeCash seems competent, it would be unwise to inherently trust that their codebase will never be compromised.
What even is the threat here in the first place? Let's look at how the extension works.
12/
The extension works as a friendly man-in-the-middle. It catches and checks for function calls == setApprovalForAll, if "approved" boolean is true
This basically means it's looking for a token approval call by intercepting your on-page click before it hits your wallet
13/
After you hit Continue on the extension, it then takes the original call and passes it to your wallet
So what is the threat then?
A malicious code injection to this extension COULD allow the extension to act as a malicious man-in-the-middle.
What does this look like?
14/
Say you go to OS and list an NFT that you haven't yet approved
The extension pops up as expected and shows that you are approving that asset and the spender is OS
The compromised extension then changes the operator (OS) to the bad actor's address and sends to your wallet
15/
You have been conditioned to trust the extension, and now you aren't reading the data in your wallet and you have just signed away a token approval!
Another threat that I think is more likely is that something goes wrong with your extension or it is unknowingly disabled.
16/
You click mint on a fake mint site and the extension doesn't pop up.
You are now trained to believe that if the prompt doesn't show, the transaction is NOT a token approval and you sign the token approval.
These two threats have been introduced, so how do we control them?
17/
The only real answer here is an administrative based control - education.
You as a user need to be able to read the functions that you are signing in your wallet. That is the only way that you can detect these two possible threats.
18/
Right, so we learn how to read what we are signing in our wallet. That's the best control that we have for these threats.
So let's assess where we are at in this risk assessment...
19/
We had a threat of a token approval unbeknown to the user, mitigated with the extension as a control. The extension then introduced a new threat of a token approval unbeknown to the user...
Oh... wait.
BOTH THREATS ARE THE SAME ๐คฏ
20/
The original threat that was mitigated with the extension STILL requires user education, while introducing new risk.
Either way, the user still needs to understand what a token approval looks like in their wallet.
EDUCATION IS THE APPROPRIATE CONTROL IN THE FIRST PLACE
21/
There is no easy fix for these issues in crypto. You are the custodian of your assets, you need to understand what you are doing with them.
Education is key and no hard control is going to reduce the need for your education.
Learn how to read what you are signing.
22/
Let me be clear, I'm not being negative towards anyone developing these extensions. I applaud them for trying to provide a solution to a real problem.
But this solution is misguided and, without knowledge and understanding of the risks introduced, dangerous to users.
23/
I'll say it time and time again, security professionals are your best friend in this space.
If you are developing something like this, please reach out to me, or to any of the other security people that I regularly rt, qt or recommend in my threads.
We can give feedback.