46 comments

[ 3.1 ms ] story [ 91.2 ms ] thread
This seems like a major security issue, since some browsers (Chrome, at the very least, and probably others) can be set to automatically open a torrent client when links to .torrent files are clicked.

Is it possible someone hijacked this IP?

Edit:

1. Seems the IP belongs to a CDN (edgecast).

In what scenario is opening a torrent client a major security issue?
It implies downloading a file onto the users machine without user consent which is, in itself, a problem. More importantly, an attacker could craft a torrent file that exploits vulnerabilities in the torrent client. If, just by visiting a site, an attacker can download an arbitrary file onto your machine and then have it automatically opened in a known program you're in big trouble.
The torrent file it downloads is a binary, so it's most likely an auto-open exploit.
I don't understand, if the user is prompted to download the file using an external application it's no different than a direct download.

If users have their browsers configured to automatically start the download of any .torrent files without confirmation, twitter giving bogus .torrent is no more dangerous than $malware_site linking a .torrent. So that's not a security issue on twitter's site.

And anyway, I still fail to see how downloading a file (through bittorent or otherwise) constitutes a security breach on its own. Unless of course the bittorent client auto-executes binaries when it's done downloading, but that's just silly (and still nothing to do with twitter's security policy).

The flow of a (possible) attack is something like this:

1. User configures browser to automatically start torrent downloads when a ".torrent" link is clicked

2. User clicks twitt button which leads to a torrent file

3. The file is downloaded and opened in a torrent client

At this point, one could imagine a specifically crafted torrent file which exploits some vulnerability of the torrent client to gain (say) arbitrary code execution and now the user is, to use a mild term, screwed.

This attack could be used by any malicious site, really, but it's easier to get people to click a twitt button rather than some link on some site and besides, by preforming the attack this way the attacker would infect a sizable chunk of all internet sites (any site that uses the twitt button).

That attack vector has nothing to do with Twitter.
Did I imply it had something to do with twitter?

When this conjecture was posted I assumed someone hijacked a CDN used by twitter and used the twitt button as an attack vector by making it redirect to a torrent file.

I'm not saying twitter is trying to infect its users or something. In all probability, it's just a configuration screw-up and not an attack but (for all we know) it could be.

One could also imagine a specially crafted image file which exploits some vulnerability of the graphics library to gain arbitrary code execution. Then you just need the user to look at the twitter button.
True, though I'd think it would be easier to exploit a torrent client than a browser.
Can not reproduce from Germany (manually added the hosts entry)
That's odd, it's the only way for me to reproduce it..
It works without the host file hack (from Germany).

Edit: I just browsed TC and I am getting the torrent download there too..

Happens to me on Spiegel.de
So that's what that was. Happened to me yesterday.
reproduced from France a couple times yesterday
(comment deleted)
platform.twitter.com is hosted at Amazon S3 (via an additional CDN).

All S3 files by default can be distributed with torrent, if the URL is appended with ?torrent

S3 servers will act as a tracker and seeds.

Please upvote this to get it to the top.
Wow, that's amazing. I had no idea Amazon offered that.

I also have no idea when I'll ever use it, but still. Damn cool.

Not only can S3 serve the file as a torrent, if you provide it as a torrent link and have disabled read access to the file, S3 will still serve as the tracker as long as other peers in the swarm have a full copy of the file to serve.
(comment deleted)
That is a cool feature, actually.
Reproduced from Italy just a couple of minutes ago.
You can reproduce it by pretending that the IP is "68.232.35.139" by modifying your own /etc/hosts file, not funny indeed.
Reproduced a couple minutes ago in Greece. Oh the bug? I didn't check it out yet.
I had this happen when I loaded an article from TechCrunch just a couple of minutes ago. USA here.
Happens to me today on Spiegel.de - one of the largest German sites (news site)
(comment deleted)
My guess: many CDNs allow you to exclude the querystring from the cache key, so it's possible that one person requested the URL with ?torrent in the querystring (which causes S3 to serve a .torrent response) and that the request hit a cold cache. The response with type application/x-bittorrent was then cached under the querystring-less cache key, causing it to be served to anyone else hitting that edge node with the path /widgets/tweet_button.html.

Again: this is just my guess.

I thought Twitter was all private DC, did platform previously point to S3?
This is my exact guess as well. I would be surprised if it turned out to be something else.
Just happened to me on Businessinsider.
Happened to me on a tech news website earlier today (forget which one exactly)
Now you just need browser support for downloading HTTP bodies via BitTorrent. Not actually a bad idea for sufficiently large ones :)
reproduced in Egypt, this thing is all over the place
I also have this bug on BusinessInsider and other sites. Does not look good. Surprised there isn't more coverage of this.