

Twitter Tweet Button URL randomly resolves to a .torrent file - gregclermont
https://gist.github.com/gregclermont/6669056

======
blahpro
My guess: many CDNs allow you to exclude the querystring from the cache key,
so it's possible that one person requested the URL with ?torrent in the
querystring (which causes S3 to serve a .torrent response) and that the
request hit a cold cache. The response with type application/x-bittorrent was
then cached under the querystring-less cache key, causing it to be served to
anyone else hitting that edge node with the path /widgets/tweet_button.html.

Again: this is just my guess.

~~~
gazarsgo
I thought Twitter was all private DC, did platform previously point to S3?

~~~
blahpro
platform.twitter.com is currently CNAMEd to EdgeCast CDN. It looks like the
CDN is sitting in front of Amazon S3;
[http://platform.twitter.com/blahblahblah](http://platform.twitter.com/blahblahblah)
gives an S3-like 403 response.
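The cache-key guess in blahpro's first comment above, as a small simulation. This is an added example, not code from the thread, the gist, Twitter or EdgeCast; the `EdgeCache` class, its two flags and the response bodies are constructed for illustration. It shows the poisoned case next to the two settings that prevent it, plus an audit that flags cached entries whose type no longer matches the origin.

```python
from urllib.parse import urlsplit

PATH = "/widgets/tweet_button.html"

def origin(url):
    """Constructed stand-in for the S3-like origin: '?torrent' changes the response."""
    query = urlsplit(url).query
    if "torrent" in query.split("&"):
        return ("application/x-bittorrent", b"<torrent metainfo>")
    return ("text/html", b"<tweet button markup>")

class EdgeCache:
    """Hypothetical edge node; both flags are assumptions, not real CDN option names."""

    def __init__(self, key_includes_query, forward_query=True):
        self.key_includes_query = key_includes_query
        self.forward_query = forward_query
        self.store = {}

    def cache_key(self, url):
        parts = urlsplit(url)
        if self.key_includes_query and parts.query:
            return parts.path + "?" + parts.query
        return parts.path

    def get(self, url):
        key = self.cache_key(url)
        if key not in self.store:  # cold cache: fetch from origin and store
            upstream = url if self.forward_query else urlsplit(url).path
            self.store[key] = origin(upstream)
        return self.store[key]

def type_served_to_plain_visitor(edge):
    """One '?torrent' request on a cold cache, then a normal request for the bare path."""
    edge.get(PATH + "?torrent")
    return edge.get(PATH)[0]

def mismatched_keys(edge):
    """Audit: cached entries whose type differs from a fresh origin fetch of the same key."""
    return [k for k, (ctype, _) in edge.store.items() if origin(k)[0] != ctype]

if __name__ == "__main__":
    for label, edge in [("query ignored in key", EdgeCache(False)),
                        ("query part of key", EdgeCache(True)),
                        ("query stripped before origin", EdgeCache(False, forward_query=False))]:
        print(f"{label:30} -> {type_served_to_plain_visitor(edge)} {mismatched_keys(edge)}")
```

Only the first configuration, where the query string is forwarded to the origin but left out of the cache key, serves the torrent response to later visitors.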

------
psz
platform.twitter.com is hosted at Amazon S3 (via an additional CDN).

All S3 files by default can be distributed with torrent, if the URL is
appended with ?torrent

S3 servers will act as a tracker and seeds.

~~~
gingerjoos
Relevant FAQ from Amazon S3 FAQ page:
[http://aws.amazon.com/s3/faqs/#What_is_the_BitTorrent_TM_pro...](http://aws.amazon.com/s3/faqs/#What_is_the_BitTorrent_TM_protocol_and_how_do_I_use_it_with_Amazon_S3)

~~~
untog
Wow, that's amazing. I had no idea Amazon offered that.

I also have no idea when I'll ever use it, but still. Damn cool.

~~~
toomuchtodo
Not only can S3 serve the file as a torrent, if you provide it as a torrent
link and have disabled read access to the file, S3 will still serve as the
tracker as long as other peers in the swarm have a full copy of the file to
serve.

------
Amadou
This is what TorrentFreak had to say about it:

[http://torrentfreak.com/twitter-bug-requires-users-to-torren...](http://torrentfreak.com/twitter-bug-requires-users-to-torrent-its-tweet-button-130923/)

TL;DR is Twitter uses bittorrent internally, this is probably just an error in
letting an internal configuration leak to the outside world.

------
jgv
Just got this visiting this article page on TechCrunch =>
[http://techcrunch.com/2013/09/23/facetime-audio-is-apples-bi...](http://techcrunch.com/2013/09/23/facetime-audio-is-apples-biggest-little-feature-addition-in-ios-7/)

Chrome automatically downloaded it =>
[http://cl.ly/image/2u3R2m3j3j1E](http://cl.ly/image/2u3R2m3j3j1E)

~~~
mathattack
Same. Chrome automatically downloaded it for me too. Twice.

------
sdfjkl
Now you just need browser support for downloading HTTP bodies via BitTorrent.
Not actually a bad idea for sufficiently large ones :)

------
toretore
So that's what that was. Happened to me yesterday.

------
dud3z
You can reproduce it by pretending that the IP is "68.232.35.139" by modifying
your own /etc/hosts file, not funny indeed.

------
gregclermont
This visualization of the domain name resolution for platform.twitter.com
might help to understand the issue. I don't know how to interpret it however.
[http://dnsviz.net/d/platform.twitter.com/dnssec/](http://dnsviz.net/d/platform.twitter.com/dnssec/)

------
laveur
I had this happen when I loaded an article from TechCrunch just a couple of
minutes ago. USA here.

------
bagosm
Reproduced a couple minutes ago in Greece. Oh the bug? I didn't check it out
yet.

------
harvestmoon
I also have this bug on BusinessInsider and other sites. Does not look good.
Surprised there isn't more coverage of this.

------
gregparadee
Just happened to me on Businessinsider.

~~~
samspenc
Happened to me on a tech news website earlier today (forget which one exactly)

------
MichaelAza
This seems like a major security issue, since some browsers (Chrome, at the
very least, and probably others) can be set to automatically open a torrent
client when links to .torrent files are clicked.

Is it possible someone hijacked this IP?

Edit:

1. Seems the IP belongs to a CDN (edgecast).

~~~
simias
In what scenario is opening a torrent client a major security issue?

~~~
MichaelAza
It implies downloading a file onto the user's machine without user consent
which is, in itself, a problem. More importantly, an attacker could craft a
torrent file that exploits vulnerabilities in the torrent client. If, just by
visiting a site, an attacker can download an arbitrary file onto your machine
and then have it automatically opened in a known program you're in big
trouble.

~~~
simias
I don't understand, if the user is prompted to download the file using an
external application it's no different than a direct download.

If users have their browsers configured to automatically start the download of
any .torrent files without confirmation, twitter giving bogus .torrent is no
more dangerous than $malware_site linking a .torrent. So that's not a security
issue on twitter's site.

And anyway, I still fail to see how downloading a file (through bittorrent or
otherwise) constitutes a security breach on its own. Unless of course the
bittorrent client auto-executes binaries when it's done downloading, but that's
just silly (and still nothing to do with twitter's security policy).

~~~
MichaelAza
The flow of a (possible) attack is something like this:

1. User configures browser to automatically start torrent downloads when a
".torrent" link is clicked

2. User clicks tweet button which leads to a torrent file

3. The file is downloaded and opened in a torrent client

At this point, one could imagine a specifically crafted torrent file which
exploits some vulnerability of the torrent client to gain (say) arbitrary code
execution and now the user is, to use a mild term, screwed.

This attack could be used by any malicious site, really, but it's easier to
get people to click a tweet button rather than some link on some site and
besides, by performing the attack this way the attacker would infect a sizable
chunk of all internet sites (any site that uses the tweet button).

~~~
tedunangst
One could also imagine a specially crafted image file which exploits some
vulnerability of the graphics library to gain arbitrary code execution. Then
you just need the user to look at the twitter button.

~~~
MichaelAza
True, though I'd think it would be easier to exploit a torrent client than a
browser.

------
Uchikoma
Happens to me today on Spiegel.de - one of the largest German sites (news
site)

------
thehodge
Don't twitter use torrents to deploy across multiple servers?

~~~
glennos
They do (or at least used to). This came to mind for me too.

The platform they developed is called Murder:
[https://blog.twitter.com/2010/murder-fast-datacenter-code-de...](https://blog.twitter.com/2010/murder-fast-datacenter-code-deploys-using-bittorrent)

------
agumonkey
people are digging for http responses
[https://gist.github.com/gregclermont/6669056](https://gist.github.com/gregclermont/6669056)

------
th0br0
Can not reproduce from Germany (manually added the hosts entry)

~~~
luastoned
It works without the host file hack (from Germany).

Edit: I just browsed TC and I am getting the torrent download there too..

------
ahamdy
reproduced in Egypt, this thing is all over the place

------
program
Reproduced from Italy just a couple of minutes ago.

------
saze
reproduced from France a couple times yesterday

