

Twitterfox weird behavior – Auto Extract short URL ? How to disable?

We were analyzing some HTTP traffic for a presentation at a university here in Brazil when we noticed something odd: a TCP request to http://bit.ly/huVV5. We then noticed that this website was referenced in someone’s post on Twitter. Since I didn’t click on or call that website, WHY did I send a GET request to that link?

My first clue was my so-called “Twitter client”, the well-known “Twitterfox”. By monitoring its activity, I noticed that it will deliberately attempt to connect to a URL shortening service site in order to “automatically extract” (resolve) that URL.

The “Twitter Post” that generated that behavior is listed below:

Typo3(reported as critical):Crash with DBAL (- TYPO3 Core -) http://bit.ly/huVV5

From a Wireshark (tcpdump utility) console:

GET /huVV5 HTTP/1.1
Host: bit.ly
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.42
Date: Mon, 25 May 2009 02:55:16 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 133
Location: http://bugs.typo3.org/view.php?id=11176
Allow: GET, HEAD, POST
This resource has permanently moved to <a href='http://bugs.typo3.org/view.php?id=11176'>http://bugs.typo3.org/view.php?id=11176</a>.

What I did next was to post the same kind of link, using bit.ly, in order to test the same behavior:

@spookerlabs test for research dont click =) http://bit.ly/aaaaaaaaaaaaaaaaaaaaaaaaa

And here is what I got from Wireshark’s tcpdump perspective:

GET /aaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: bit.ly
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx/0.7.42
Date: Mon, 25 May 2009 03:10:09 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Status: 404
Allow: GET, HEAD, POST
Content-Encoding: gzip

We then changed our test scope to use the TinyURL shortening service (remember: tinyurl is not listed as an auto-extract service).

@spookerlabs test 3 and final I hope http://tinyurl.com/OPAOPA

And twitterfox again attempted to extract the URL via an asynchronous call:

GET /OPAOPA HTTP/1.1
Host: tinyurl.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
HTTP/1.1 301 Moved Permanently
X-Powered-By: PHP/5.2.9
Location: http://www.erofilehost.net/?id=501
Content-type: text/html
Content-Length: 0
Connection: close
Date: Mon, 25 May 2009 03:18:43 GMT
Server: TinyURL/1.6

Of course, when we used regular URLs such as http://www.nstalker.com and http://www.spooker.com.br, nothing happened, since they are regular domains.

The curious thing is that Twitterfox will attempt to “resolve” that URL in a “stealthy way”, and there are absolutely no options to enable/disable the auto-extract feature. This of course gives us something to think about:

  1. How secure is it to use Twitterfox? Will URL shortening services be able to figure out whom I am following or what I am doing just by following my attempts to resolve URLs?
  2. Can the auto-extract condition be exploited in such a way that it can be used as an XSRF attack vector?

Twitterfox is an excellent tool, but the lack of configuration options is certainly something that will count if you are looking for a secure “Twitter client” implementation.

Follow us on twitter: http://www.twitter.com/nstalker

N-Stalker Research Team

UPDATE: According to Mr. Jeronimo Zucco and our own research, the Twitterfox code is strictly forbidden from accessing URLs other than those of URL shortening services, which means the XSRF problem is mitigated (unless a URL shortening service itself is the target of the attack). The question about tracking your Twitter usage still remains; however, this is also an issue for all URL shortening services and not a problem isolated to Twitterfox.


Posted in N-Stalker's Team Blog.

One Response


  1. Looking at the source of Twitterfox, this is true just for the URL shorteners specified in nsTwitterNotifier.js, line 1054, according to the regular expression:

    /http:\/\/(tinyurl.com|is.gd|bit.ly)\/\w+/;

    And then there is a function which makes the GET. :-P
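As an added illustration of the two points above (the UPDATE's host restriction and the commenter's allowlist of shorteners), here is example code that is not Twitterfox's own: it models an auto-extract feature that resolves only links whose parsed hostname is exactly one of the three shorteners, and only when the user has opted in, and it parses a capture like the ones in the post to show what the shortener learns (which client saw which short code) and what the client learns (the Location target). The allowlist is taken from the commenter's regex; prefs.autoExtract is an assumed opt-in switch, the one the post says Twitterfox lacks; SAMPLE_CAPTURE is constructed from the first capture above.

```javascript
// Added example (not Twitterfox's code). Hosts come from the commenter's regex.
const SHORTENER_HOSTS = new Set(["tinyurl.com", "is.gd", "bit.ly"]);

// Every http(s) URL in the tweet text (URLs end at whitespace).
function extractUrls(text) {
  return text.match(/https?:\/\/\S+/g) || [];
}

// Hostname if the URL points at an allowlisted shortener, else null.
// Comparing the parsed hostname means look-alike hosts such as
// bit.ly.example.test are never fetched, so only real shorteners see a request.
function shortenerHost(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // malformed URL: never fetched
  }
  return SHORTENER_HOSTS.has(parsed.hostname) ? parsed.hostname : null;
}

// URLs an opt-in auto-extract feature would fetch for this tweet.
// prefs.autoExtract is an assumed user preference (the post says none exists).
function linksToResolve(tweet, prefs) {
  if (!prefs || !prefs.autoExtract) return [];
  return extractUrls(tweet).filter((u) => shortenerHost(u) !== null);
}

// Constructed sample, trimmed from the post's first capture.
const SAMPLE_CAPTURE =
  "GET /huVV5 HTTP/1.1\nHost: bit.ly\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64)\n\n" +
  "HTTP/1.1 301 Moved Permanently\nServer: nginx/0.7.42\n" +
  "Location: http://bugs.typo3.org/view.php?id=11176\n";

// Parse "request headers, blank line, response headers" into what each side
// learned: the shortener learned that this client saw short code `code`
// (without any click), and the client learned `destination` from Location.
function summarizeExchange(capture) {
  const [req, resp] = capture.split(/\r?\n\r?\n/);
  const reqLines = req.split(/\r?\n/);
  const path = reqLines[0].split(" ")[1] || "";
  const hostLine = reqLines.find((l) => /^Host:/i.test(l));
  const host = hostLine ? hostLine.slice(hostLine.indexOf(":") + 1).trim() : null;
  const respLines = resp ? resp.split(/\r?\n/) : [];
  const status = respLines.length ? Number(respLines[0].split(" ")[1]) : null;
  const locLine = respLines.find((l) => /^Location:/i.test(l));
  const destination = locLine ? locLine.slice(locLine.indexOf(":") + 1).trim() : null;
  return { host, code: path.replace(/^\//, ""), status, destination };
}
```

Running summarizeExchange over the post's third capture would likewise show the client being sent to the tinyurl Location target it never clicked, while tinyurl.com records the client's request.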