
Go home Twitter, you're drunk - thefreeman
https://twitter.com/Abhaxas/status/523780560993267713
======
homm88
<__>: it's fake

<__>: the SSL seal is missing

<__>: it's a javascript edit

<__>: open a https site in firefox and look at the addressbar

<__>: sec

<__>: yeah

<__>: it DOESN'T appear if you used a javascript hack to make it go away

<__>: and changed the page

~~~
geofft
It also doesn't look like the standard Linux uptime command, which uses "load
average", singular. The BSDs, including OS X, say "load averages"... does
Twitter run FreeBSD, or is this copied-and-pasted from an OS X client machine?

~~~
krschultz
I thought Netflix used FreeBSD?
[https://www.freebsdfoundation.org/testimonials](https://www.freebsdfoundation.org/testimonials)

~~~
geofft
Yeah, there are certainly a bunch of people running FreeBSD in production. I
just didn't think Twitter was one of them.

------
gggggggg
anyone care to let me know just why this is so bad? i.e. does it really
matter?

~~~
Argorak
This is a remote code execution, allowing attackers to run commands of their
choice on the server with the user and privileges of the webserver.

Now, if one of the following is true (and that's quite common):

* The webserver has access to sensitive data

* The operating system has a bug that allows getting higher privileges as an unprivileged user without credentials

The machine is hacked and broken (either the sensitive data can be extracted
or the machine can be reconfigured).

This is why remote code execution is rated very high as a vulnerability.

A common way to prove this is by running a command that doesn't do any direct
harm. uptime is quite usual, reading /etc/passwd is also quite usual.

~~~
gatehouse
I'm not sure about the mechanics of this, but at a minimum the webserver
probably has access to the HTTPS private key for the subdomain, or at least
has it in memory, since the request is shown to be running over HTTPS.

~~~
Argorak
Reading the memory of another process is not allowed on modern OS for
precisely that reason, so this would be another exploit.
([http://en.wikipedia.org/wiki/Process_isolation](http://en.wikipedia.org/wiki/Process_isolation))
But the keys are most likely on disk, readable by the server ;).

Also, some setups are not prone to this: Twitter most likely uses a proxy
terminating SSL and then forwards the request to a smaller webserver running
the app. This one will not hold the keys.

Most larger webservers can also run the app workers with a different user than
the webserver itself.

~~~
blibble
> Reading the memory of another process is not allowed on modern OS for
> precisely that reason, so this would be another exploit.

Both Linux and Windows allow processes to read the memory of other processes
running as the same user, via ptrace() and /proc/pid/mem on Linux, and via
ReadProcessMemory() on Windows.

(how else could you ever debug anything?)

~~~
Argorak
Yes, but PTRACE can be disallowed by the process and behaves differently on
some kernels, e.g. Ubuntu hardened:

[https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening...](https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace_Protection)
[https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace](https://fedoraproject.org/wiki/Features/SELinuxDenyPtrace)

They usually only allow ptrace from parent to child or as root.

Also, wrt debugging, see the comment in the second link:

> If you are running a machine and do not plan on debugging the applications
> on this machine, you should turn this boolean on.

------
l33tbro
I'm not convinced. Anyone could do this "hack" with MS Paint. If it were real,
then surely the proof would manifest with some kind of change of the Twitter
interface.

------
pronik
A stupid 1am question: is it common among ops teams to replace these "common"
binaries by a honeypot-like wrapper which notifies the security team
immediately, just in case of a complete meltdown on the web developer side?

~~~
chavesn
Sorry, I don't have an answer to your question, but in theory, how would it
detect an intrusion for automatic notification? It seems to me that detecting
a bad operation from a good operation is the same thing as securing the
system. A vulnerability would likely sail past any such notification system.

~~~
pronik
A naive approach could be defining that the software stack to use is under
/opt/twitter/ and everything under /usr/bin/ and /bin/ is just a honeypot, so
any legitimate developer using those would also trigger a notification. But
anyhow, it smells like overkill, the wrong place and not worth the extra
mileage. The only case I can think of where this would be useful is when
management or timing problems prevent proper and secure development -- which
is not a problem ops should solve. Would still be interesting if someone
actually does this.
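The canary-wrapper idea above, as an added example written for this thread and not something Twitter or any commenter published: a POSIX sh script meant to be installed in place of a "common" binary such as uptime, with the real binary moved aside. Every invocation is recorded with enough context (uid, parent pid, parent command line, arguments) to tell a web worker from a developer's shell, an out-of-band alert is raised unless the invoking account is on a small trusted list, and the real command then runs so nothing visibly breaks. The paths /opt/twitter/bin/uptime.real and /var/log/canary.log, the CANARY_* variables, and the trusted-user list are all assumptions made for the example.

```shell
#!/bin/sh
# Hypothetical canary wrapper for a "common" binary (example: uptime).
# Installed as /usr/bin/uptime after the real binary is moved to
# $CANARY_REAL (assumed path). Records every call, alerts on untrusted
# callers, then hands off to the real program.

CANARY_NAME="${CANARY_NAME:-uptime}"
CANARY_REAL="${CANARY_REAL:-/opt/twitter/bin/uptime.real}"   # assumed path
CANARY_LOG="${CANARY_LOG:-/var/log/canary.log}"              # assumed path
# Accounts whose use of the canary is expected (constructed list); anyone
# else, e.g. the web server's unprivileged user, raises an alert.
CANARY_TRUSTED_USERS="${CANARY_TRUSTED_USERS:-root alice}"

# Best-effort description of the parent process (who invoked us).
# Never fails, so a missing /proc or ps cannot break the wrapper.
canary_parent_cmd() {
    if [ -r "/proc/$PPID/cmdline" ]; then
        tr '\000' ' ' < "/proc/$PPID/cmdline"
    else
        ps -o comm= -p "$PPID" 2>/dev/null || printf 'unknown'
    fi
    return 0
}

# Append one record: timestamp, canary name, invoking uid, parent pid,
# parent command line and the arguments given. Returns 0 on success.
canary_record() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    uid=$(id -u)
    parent=$(canary_parent_cmd)
    printf '%s canary=%s uid=%s ppid=%s parent="%s" args="%s"\n' \
        "$ts" "$CANARY_NAME" "$uid" "$PPID" "$parent" "$*" >> "$CANARY_LOG"
}

# Exit 0 (suspicious) unless the given user name is in the trusted list.
canary_is_suspicious() {
    for trusted in $CANARY_TRUSTED_USERS; do
        if [ "$1" = "$trusted" ]; then
            return 1
        fi
    done
    return 0
}

# Record, alert if warranted, then replace ourselves with the real binary.
canary_main() {
    canary_record "$@"
    if canary_is_suspicious "$(id -un)"; then
        # logger is optional; the wrapper must never fail closed on the
        # alert path, only the log record is mandatory.
        logger -p auth.warning -t canary \
            "$CANARY_NAME invoked by $(id -un) ppid=$PPID" 2>/dev/null || true
    fi
    exec "$CANARY_REAL" "$@"
}

# Only act as the wrapper when invoked as one (assumed env flag), so the
# functions above can also be sourced and tested on their own.
if [ "${CANARY_AS_WRAPPER:-0}" = 1 ]; then
    canary_main "$@"
fi
```

Installing it means moving the real binary first and keeping the wrapper's mode bits identical to the original; if $CANARY_REAL is absent the exec fails and the canary becomes a visible outage rather than a silent one, which is the safer failure. The trusted-user list is the refinement over the "everyone triggers a notification" version: developers' shells still leave a log record, but only the web server's account pages anyone.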

~~~
nknighthb
Well, it would shield against simplistic attempts at exploiting setuid
binaries, certainly, but beyond that its effectiveness would probably be
limited, especially as it became more widely known.

Another interesting strategy, particularly in the age of widespread use of VMs
and containers, might be to extend the basic idea of ASLR beyond address
space. Randomize paths and filenames and system call numbers, for example.
You'd need to build all your binaries yourself, of course, and run scripts
through some sort of mangler (for maximum effectiveness, do this per-
VM/container). You'd want to encrypt non-user-visible strings, too.

There'd be a lot of tooling work necessary to make this practical in the real
world, of course.

(Edit: Just found this, which looks relevant:
[http://research.microsoft.com/en-us/um/people/helenw/papers/...](http://research.microsoft.com/en-us/um/people/helenw/papers/randsys.pdf) )

------
kentosi
Sorry but could someone please explain to me what the joke is about?

I don't get what's going on, and cards.twitter.com throws an error page saying
that the site is down :-(

------
hackerthenews
Has this been confirmed to be real? Seems somewhat trivial of an exploit for
such a large company (url-based RCE)?

------
kodisha
I hope that Twitter has a 24/7 team to respond to this.

~~~
swartkrans
I wonder if he's actually qualified for any bug bounty given the public
announcement, even with the dangerous parts blacked out.

~~~
damian2000
Terms of their bug bounty program just say "You may not publicly disclose the
vulnerability prior to our resolution" ...
[https://hackerone.com/twitter](https://hackerone.com/twitter)

