When platform.twitter.com resolves to 68.232.35.139, the request returns a torrent file

normal response
$ dig platform.twitter.com
 
; <<>> DiG 9.8.3-P1 <<>> platform.twitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23125
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;platform.twitter.com. IN A
 
;; ANSWER SECTION:
platform.twitter.com. 22 IN CNAME san.twitter.com.edgekey.net.
san.twitter.com.edgekey.net. 9701 IN CNAME e5903.g.akamaiedge.net.
e5903.g.akamaiedge.net. 12 IN A 23.50.177.224
 
;; Query time: 49 msec
;; SERVER: 192.168.5.1#53(192.168.5.1)
;; WHEN: Mon Sep 23 12:53:31 2013
;; MSG SIZE rcvd: 128
 
$ curl --verbose http://platform.twitter.com/widgets/tweet_button.html
* About to connect() to platform.twitter.com port 80 (#0)
* Trying 23.50.177.224...
* connected
* Connected to platform.twitter.com (23.50.177.224) port 80 (#0)
> GET /widgets/tweet_button.html HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: platform.twitter.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Last-Modified: Thu, 19 Sep 2013 23:54:42 GMT
< ETag: "86e25ce34214e039e32bd33c7aaeefa6"
< Content-Type: text/html; charset=utf-8
< Date: Mon, 23 Sep 2013 10:51:43 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Connection: Transfer-Encoding
< P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
<
<[redacted]* Closing connection #0
torrent response
$ dig platform.twitter.com
 
; <<>> DiG 9.8.3-P1 <<>> platform.twitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29545
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;platform.twitter.com. IN A
 
;; ANSWER SECTION:
platform.twitter.com. 1 IN CNAME cs107.wac.edgecastcdn.net.
cs107.wac.edgecastcdn.net. 1733 IN A 68.232.35.139
 
;; Query time: 394 msec
;; SERVER: 192.168.5.1#53(192.168.5.1)
;; WHEN: Mon Sep 23 12:53:30 2013
;; MSG SIZE rcvd: 93
 
$ curl --verbose http://platform.twitter.com/widgets/tweet_button.html
* About to connect() to platform.twitter.com port 80 (#0)
* Trying 68.232.35.139...
* connected
* Connected to platform.twitter.com (68.232.35.139) port 80 (#0)
> GET /widgets/tweet_button.html HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: platform.twitter.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Disposition: attachment; filename=widgets/tweet_button.html.torrent;
< Content-Type: application/x-bittorrent
< Date: Mon, 23 Sep 2013 10:48:41 GMT
< Last-Modified: Sun, 22 Sep 2013 15:21:48 GMT
< P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
< Server: ECS (ory/439A)
< X-Cache: HIT
< Content-Length: 301
<
* Connection #0 to host platform.twitter.com left intact
d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:???? ,?aG??E????12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee* Closing connection #0
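
The 301-byte body above is a bencoded torrent metainfo file. The following decoder is an added example, not part of the original gist; it parses that body and pulls out the fields that identify what the torrent describes. The 20-byte `pieces` hash was mangled by the terminal, so a constructed placeholder of 20 zero bytes stands in for it; `bdecode` and `summarize` are names chosen for this example.

```python
# Added example: minimal bencode decoder for the torrent body shown above.
# All fields are copied from the page except "pieces", whose 20 raw bytes were
# mangled in the terminal output; a constructed 20-byte placeholder is used.
TRACKER = b"http://tracker.amazonaws.com:6969/announce"
BODY = (
    b"d8:announce42:" + TRACKER
    + b"13:announce-listll42:" + TRACKER + b"ee"
    + b"4:infod6:lengthi66948e4:name25:widgets_tweet_button.html"
    + b"12:piece lengthi262144e6:pieces20:" + b"\x00" * 20
    + b"12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee"
)

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                          # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                  # list or dict: l...e / d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":       # truncated input raises below
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                        # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("string runs past end of input")
        return data[start:end], end
    raise ValueError(f"unexpected byte at offset {i}")

def summarize(body):
    """Return the identifying fields of a torrent metainfo body."""
    meta, end = bdecode(body)
    if end != len(body):
        raise ValueError("trailing bytes after metainfo")
    info = meta[b"info"]
    return {
        "tracker": meta[b"announce"].decode(),
        "length": info[b"length"],
        "pieces": len(info[b"pieces"]) // 20,   # one SHA-1 per piece
        "bucket": info[b"x-amz-bucket"].decode(),
        "key": info[b"x-amz-key"].decode(),
    }
```

The reconstructed body is exactly 301 bytes, matching the `Content-Length: 301` header, and the decoded metainfo describes a single 66948-byte file with bucket `tfw-current` and key `widgets/tweet_button.html`.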

I can't seem to reproduce this. Could you post the torrent file returned?

If this can be consistently reproduced, this could be an interesting security threat.

Happened to me a couple of times

Could this be an Amazon bug? Amazon allows distributing anything on S3 as a Torrent by adding ?torrent to the end...

Cannot reproduce. I have the same IP, but do not get the torrent file.

Using Chrome from Germany, Europe.

More likely an AWS S3 bug

d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:≈˙ä ⁄ ,‹aG¢˝E¢éfiÕ12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee

You can reproduce it by pretending that the IP is "68.232.35.139"; add this to your /etc/hosts file:

68.232.35.139   platform.twitter.com

Now performing the request via cURL:

$ curl --verbose  http://platform.twitter.com/widgets/tweet_button.html
* Adding handle: conn: 0x210c2b0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x210c2b0) send_pipe: 1, recv_pipe: 0
* About to connect() to platform.twitter.com port 80 (#0)
*   Trying 68.232.35.139...
* Connected to platform.twitter.com (68.232.35.139) port 80 (#0)
> GET /widgets/tweet_button.html HTTP/1.1
> User-Agent: curl/7.32.0
> Host: platform.twitter.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Disposition: attachment; filename=widgets/tweet_button.html.torrent;
< Content-Type: application/x-bittorrent
< Date: Mon, 23 Sep 2013 12:31:15 GMT
< Last-Modified: Sun, 22 Sep 2013 15:21:48 GMT
< P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
* Server ECS (ory/439A) is not blacklisted
< Server: ECS (ory/439A)
< X-Cache: HIT
< Content-Length: 301
< 
* Connection #0 to host platform.twitter.com left intact
d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:���� ,�aG��E��12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee

Getting it from 93.184.216.139 as well:

$ curl --verbose http://platform.twitter.com/widgets/tweet_button.html
* About to connect() to platform.twitter.com port 80 (#0)
*   Trying 93.184.216.139...
* connected
* Connected to platform.twitter.com (93.184.216.139) port 80 (#0)
> GET /widgets/tweet_button.html HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: platform.twitter.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Disposition: attachment; filename=widgets/tweet_button.html.torrent;
< Content-Type: application/x-bittorrent
< Date: Mon, 23 Sep 2013 12:51:21 GMT
< Last-Modified: Mon, 23 Sep 2013 12:39:07 GMT
< P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
< Server: ECS (ewr/15E3)
< X-Cache: HIT
< Content-Length: 301
<
* Connection #0 to host platform.twitter.com left intact
d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:��� ,�aG��E����12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee* Closing connection #0

Opening this news article gives me two torrent downloads in Firefox & Safari (but not Chrome) which is unfortunate.

Happened to me, too. This was the file contents:

d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:ÅúŠÚ ,ÜaG¢ýE¢ŽÞÍ12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee

Happened to me on a lot of Blogspot websites, OS X 10.8.5, latest Safari for this OS

HTTPS does not have the cached torrent result.

$ curl -v "https://platform.twitter.com/widgets/tweet_button.html"

* About to connect() to platform.twitter.com port 443 (#0)
* Trying 93.184.216.139...
* connected
* Connected to platform.twitter.com (93.184.216.139) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; CN=si0.twimg.com
* start date: 2013-05-01 00:00:00 GMT
* expire date: 2014-06-10 23:59:59 GMT
* subjectAltName: platform.twitter.com matched
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
* SSL certificate verify ok.
> GET /widgets/tweet_button.html HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5
> Host: platform.twitter.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-cache
< Content-Type: text/html; charset=utf-8
< Date: Mon, 23 Sep 2013 13:56:29 GMT
< Etag: "86e25ce34214e039e32bd33c7aaeefa6"
< Last-Modified: Thu, 19 Sep 2013 23:54:42 GMT
< P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
< Server: AmazonS3
< Content-Length: 66948
<
<!DOCTYPE html>Twitter Tweet Button....

Confirmed on Chrome Version 29.0.1547.76, OS X 10.8.5. Example Link
http://techcrunch.com/2013/09/19/watch-a-cat-unlock-the-iphone-5s-using-touch-id-and-the-fingerprint-sensor/

I had that pop up the other night when I was viewing some website that I can't recall anymore. I believe it was on Windows 7 with the latest Firefox stable release. I suspected the site had simply been compromised in some way and that this was some new attempt at malware, but now I'm thinking it might be some kind of bug/exploit in either AWS or Twitter. Going to be interesting to find out what's actually causing this to happen.

Happened to me this morning on TechCrunch!

This just happened to me on ft.com

This just happened to me on businessinsider.com, I was wondering why Chrome downloaded a .torrent file.

Happened to me at a blog site. I was wondering too what caused the random torrent download.

Happened yesterday on www.spiegel.de and again just now at a random weblog.

platform.twitter.com resolves to 68.232.35.139.
Name: cs107.wac.edgecastcdn.net
Address: 68.232.35.139
Aliases: platform.twitter.com

Chrome 29.0.1547.76 m on Windows 8.

I have encountered the same on my WordPress blog; all Twitter buttons cause this behaviour.
I have removed Twitter integration from my WP site until the matter is resolved.

This is still going on at a site I'm developing on as of 10:30 AM American/New_York EST time
