<__>: the SSL seal is missing
<__>: open a https site in firefox and look at the addressbar
<__>: and changed the page
$ uptime > blah
$ open blah
It's absolutely possible it's fake. But it's also yet possible that it's not.
Hit F12, edit out the HTML to be whatever you want.
Everyone is freaking out about the "URL edit", but it's probably that it's actually a long string exploit and he's just edited the URL to fit into the screen to take the screenshot.
It's too amateur a fake, so I'm actually leaning on the side of it being real.
He is running shell commands through the Twitter server - the 'uptime' command is just a demo. He could also access private files and possibly gain access to secure data that would let him access all data stored on Twitter servers, etc. He could also alter the Twitter code to display anything he wanted to Twitter users.
Maybe, maybe not, depending on the web server's permissions. Also, it seems to be a subdomain which may not have the main Twitter code.
It's still pretty bad and embarrassing.
Subdomains can run on the same server. Also, the code is uninteresting, data usually is.
Also, higher permissions are just one OS exploit away. As with many exploits, it's a stepping stone, but a big one. The combination matters.
Now, if one of the following is true (and that's quite common):
* The webserver has access to sensitive data
* The operating system has a bug that allows getting higher privileges as an unprivileged user without credentials
then the machine is hacked and broken (either the sensitive data can be extracted or the machine can be reconfigured).
This is why remote code execution is rated very high as a vulnerability.
A common way to prove this is by running a command that doesn't do any direct harm. uptime is quite usual, reading /etc/passwd is also quite usual.
Also, some setups are not prone to this: Twitter most likely uses a proxy terminating SSL and then forwards the request to a smaller webserver running the app. This one will not hold the keys.
Most larger webservers can also run the app workers with a different user than the webserver itself.
Both Linux and Windows allow processes to read the memory of other processes running as the same user, via ptrace() and /proc/pid/mem on Linux, and via ReadProcessMemory() on Windows.
(how else could you ever debug anything?)
They usually only allow ptrace from parent to child or as root.
Also, wrt debugging, see the comment in the second link:
> If you are running a machine and do not plan on debugging the applications on this machine, you should turn this boolean on.
(how else could you ever secure anything?)
Well, I hope it's not too much to expect the webserver user not to have sudo permissions.
This is probably not a serious concern for a place as huge as Twitter because they're going to CDN static content separately from dynamic content, but would be really exciting for "I got me one server for my whole startup" types. Maybe you could bypass existing systems to serve up malicious code to end users anyway.
Another interesting strategy, particularly in the age of widespread use of VMs and containers, might be to extend the basic idea of ASLR beyond address space. Randomize paths and filenames and system call numbers, for example. You'd need to build all your binaries yourself, of course, and run scripts through some sort of mangler (for maximum effectiveness, do this per-VM/container). You'd want to encrypt non-user-visible strings, too.
There'd be a lot of tooling work necessary to make this practical in the real world, of course.
(Edit: Just found this, which looks relevant: http://research.microsoft.com/en-us/um/people/helenw/papers/... )
I've never heard of anyone actually using it. It would be a huge pain and wreak havoc on sysadmins. Also, really nasty attacks are capable of bringing exploit code with them.
I don't get what's going on, and cards.twitter.com throws an error page saying that the site is down :-(