Skip to content

@gregclermont /normal response
Created

Embed URL

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
When platform.twitter.com resolves to 68.232.35.139, the request returns a torrent file
$ dig platform.twitter.com
; <<>> DiG 9.8.3-P1 <<>> platform.twitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23125
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;platform.twitter.com. IN A
;; ANSWER SECTION:
platform.twitter.com. 22 IN CNAME san.twitter.com.edgekey.net.
san.twitter.com.edgekey.net. 9701 IN CNAME e5903.g.akamaiedge.net.
e5903.g.akamaiedge.net. 12 IN A 23.50.177.224
;; Query time: 49 msec
;; SERVER: 192.168.5.1#53(192.168.5.1)
;; WHEN: Mon Sep 23 12:53:31 2013
;; MSG SIZE rcvd: 128
$ curl --verbose http://platform.twitter.com/widgets/tweet_button.html
* About to connect() to platform.twitter.com port 80 (#0)
* Trying 23.50.177.224...
* connected
* Connected to platform.twitter.com (23.50.177.224) port 80 (#0)
> GET /widgets/tweet_button.html HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: platform.twitter.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Last-Modified: Thu, 19 Sep 2013 23:54:42 GMT
< ETag: "86e25ce34214e039e32bd33c7aaeefa6"
< Content-Type: text/html; charset=utf-8
< Date: Mon, 23 Sep 2013 10:51:43 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Connection: Transfer-Encoding
< P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
<
<[redacted]* Closing connection #0
$ dig platform.twitter.com
; <<>> DiG 9.8.3-P1 <<>> platform.twitter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29545
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;platform.twitter.com. IN A
;; ANSWER SECTION:
platform.twitter.com. 1 IN CNAME cs107.wac.edgecastcdn.net.
cs107.wac.edgecastcdn.net. 1733 IN A 68.232.35.139
;; Query time: 394 msec
;; SERVER: 192.168.5.1#53(192.168.5.1)
;; WHEN: Mon Sep 23 12:53:30 2013
;; MSG SIZE rcvd: 93
$ curl --verbose http://platform.twitter.com/widgets/tweet_button.html
* About to connect() to platform.twitter.com port 80 (#0)
* Trying 68.232.35.139...
* connected
* Connected to platform.twitter.com (68.232.35.139) port 80 (#0)
> GET /widgets/tweet_button.html HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: platform.twitter.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Disposition: attachment; filename=widgets/tweet_button.html.torrent;
< Content-Type: application/x-bittorrent
< Date: Mon, 23 Sep 2013 10:48:41 GMT
< Last-Modified: Sun, 22 Sep 2013 15:21:48 GMT
< P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
< Server: ECS (ory/439A)
< X-Cache: HIT
< Content-Length: 301
<
* Connection #0 to host platform.twitter.com left intact
d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:???? ,?aG??E????12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee* Closing connection #0
@MichaelAz

I can't seem to reproduce this. Could you post the torrent file returned?

If this can be consistently reproduced, this could be an interesting security threat.

@mauricesvay

Happened to me a couple of times

@tiernano

Could this be an Amazon bug? Amazon allow distributing of anything on S3 as a Torrent by adding ?torrent to the end...

@ZeissS

Cannot reproduce. I have the same IP, but do not get the torrent file.

Using Chrome from Germany, Europe.

@nicolsc

More likely an AWS S3 bug

d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:≈˙ä⁄� �,‹aG¢˝E¢éfiÕ12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee

@manuelbua

You can reproduce it by pretending that the IP is "68.232.35.139", add this to your /etc/hosts file:

68.232.35.139   platform.twitter.com

Now performing the request via cURL:

$ curl --verbose  http://platform.twitter.com/widgets/tweet_button.html
* Adding handle: conn: 0x210c2b0
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x210c2b0) send_pipe: 1, recv_pipe: 0
* About to connect() to platform.twitter.com port 80 (#0)
*   Trying 68.232.35.139...
* Connected to platform.twitter.com (68.232.35.139) port 80 (#0)
> GET /widgets/tweet_button.html HTTP/1.1
> User-Agent: curl/7.32.0
> Host: platform.twitter.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Disposition: attachment; filename=widgets/tweet_button.html.torrent;
< Content-Type: application/x-bittorrent
< Date: Mon, 23 Sep 2013 12:31:15 GMT
< Last-Modified: Sun, 22 Sep 2013 15:21:48 GMT
< P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
* Server ECS (ory/439A) is not blacklisted
< Server: ECS (ory/439A)
< X-Cache: HIT
< Content-Length: 301
< 
* Connection #0 to host platform.twitter.com left intact
d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:����� �,�aG��E��12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee
@mRB0

Getting it from 93.184.216.139 as well:

$ curl --verbose http://platform.twitter.com/widgets/tweet_button.html
* About to connect() to platform.twitter.com port 80 (#0)
*   Trying 93.184.216.139...
* connected
* Connected to platform.twitter.com (93.184.216.139) port 80 (#0)
> GET /widgets/tweet_button.html HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5
> Host: platform.twitter.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Disposition: attachment; filename=widgets/tweet_button.html.torrent;
< Content-Type: application/x-bittorrent
< Date: Mon, 23 Sep 2013 12:51:21 GMT
< Last-Modified: Mon, 23 Sep 2013 12:39:07 GMT
< P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
< Server: ECS (ewr/15E3)
< X-Cache: HIT
< Content-Length: 301
<
* Connection #0 to host platform.twitter.com left intact
d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:��� ,�aG��E����12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee* Closing connection #0
</code>

Opening this news article gives me two torrent downloads in Firefox & Safari (but not Chrome) which is unfortunate.

@momchenr

Happened to me, too. This was the file contents:

d8:announce42:http://tracker.amazonaws.com:6969/announce13:announce-listll42:http://tracker.amazonaws.com:6969/announceee4:infod6:lengthi66948e4:name25:widgets_tweet_button.html12:piece lengthi262144e6:pieces20:ÅúŠÚ� �,ÜaG¢ýE¢ŽÞÍ12:x-amz-bucket11:tfw-current9:x-amz-key25:widgets/tweet_button.htmlee
@dvkch

Happened to me on a lot of blogspot website, OSX 10.8.5, latest safari for this OS

@potatono

https does not have the cached torrent result.

$ curl -v "https://platform.twitter.com/widgets/tweet_button.html"

  • About to connect() to platform.twitter.com port 443 (#0)
  • Trying 93.184.216.139...
  • connected
  • Connected to platform.twitter.com (93.184.216.139) port 443 (#0)
  • SSLv3, TLS handshake, Client hello (1):
  • SSLv3, TLS handshake, Server hello (2):
  • SSLv3, TLS handshake, CERT (11):
  • SSLv3, TLS handshake, Server finished (14):
  • SSLv3, TLS handshake, Client key exchange (16):
  • SSLv3, TLS change cipher, Client hello (1):
  • SSLv3, TLS handshake, Finished (20):
  • SSLv3, TLS change cipher, Client hello (1):
  • SSLv3, TLS handshake, Finished (20):
  • SSL connection using RC4-SHA
  • Server certificate:
  • subject: C=US; ST=California; L=San Francisco; O=Twitter, Inc.; CN=si0.twimg.com
  • start date: 2013-05-01 00:00:00 GMT
  • expire date: 2014-06-10 23:59:59 GMT
  • subjectAltName: platform.twitter.com matched
  • issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
  • SSL certificate verify ok. > GET /widgets/tweet_button.html HTTP/1.1 > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.5 > Host: platform.twitter.com > Accept: / > < HTTP/1.1 200 OK < Accept-Ranges: bytes < Cache-Control: no-cache < Content-Type: text/html; charset=utf-8 < Date: Mon, 23 Sep 2013 13:56:29 GMT < Etag: "86e25ce34214e039e32bd33c7aaeefa6" < Last-Modified: Thu, 19 Sep 2013 23:54:42 GMT < P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT" < Server: AmazonS3 < Content-Length: 66948 < <!DOCTYPE html>Twitter Tweet Button....
@alnjxn

Confirmed on Chrome Version 29.0.1547.76, OS X 10.8.5. Example Link
http://techcrunch.com/2013/09/19/watch-a-cat-unlock-the-iphone-5s-using-touch-id-and-the-fingerprint-sensor/

@orclev

I had that pop up the other night when I was viewing some website that I can't recall anymore. I believe it was on Windows 7 with the latest Firefox stable release. I suspected the site had simply been compromised in some way and that this was some new attempt at malware, but now I'm thinking it might be some kind of bug/exploit in either AWS or Twitter. Going to be interesting to find out what's actually causing this to happen.

@srs81

Happened to me this morning on TechCrunch!

@entropymedia

This just happened to me on ft.com

@killercup

This just happened to me on businessinsider.com, I was wondering why Chrome downloaded a .torrent file.

@ramnathv

Happened to me at a blog site. I was wondering too what caused the random torrent download.

@thessalianpine

Happened yesterday on www.spiegel.de and again just now at a random weblog.

platform.twitter.com resolves to 68.232.35.139.
Name: cs107.wac.edgecastcdn.net
Address: 68.232.35.139
Aliases: platform.twitter.com

Chrome 29.0.1547.76 m on Windows 8.

@roxlukas

I have encountered the same on my Wordpress blog; all Twitter buttons cause this behaviour.
I have removed Twitter integration from my WP site until the matter is resolved.

@bjporter

This is still going on at a site I'm developing on as of 10:30 AM American/New_York EST time

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.