A couple of days ago the ly_gs Security Blog published an interesting post detailing how someone can subvert Twitter’s t.co URL shortening service in order to spoof URLs in a tweet. With ly_gs’ technique one could post a tweet with a link that, for instance, shows as Capital One’s web page, but when clicked redirects to an attacker’s web site instead. ly_gs’ blog states that Twitter has closed the hole, but a couple of hours ago, as I played around with ly_gs’ discovery, I found out that this isn’t completely true.
ly_gs’ way of exploiting this flaw might have been patched, but tweaking it just a little bit still makes spoofing URLs in Twitter possible. In other words, the flaw still exists. The following tweets are examples of spoofed URLs in Twitter, posted after Twitter had allegedly corrected the flaw:
The first tweet shows Capital One’s URL, but instead takes the user to my blog. The second tweet does the same for Banco do Brasil’s web page (a Brazilian bank).
Well, the technique to do this is very close to ly_gs’, and smart people will be able to figure it out just by taking a closer look at my example tweets. Since the vulnerability has already been disclosed on ly_gs’ blog, I might eventually add the full details here for the lazy (when I have the time). The only thing I really wanted to point out here is that Twitter hasn’t really corrected the flaw yet.
UPDATE 1 (09/27/2011):
Twitter has apparently taken notice of this problem and has issued a complete fix this time. Kudos to their response team! They might not tackle the whole thing at once, but they sure are fast.
Now my example tweets only show the original links I used to exploit the flaw. Let me briefly try to explain what they did. Twitter’s t.co service has an interesting behavior. Whenever you post any URL in a tweet, Twitter shortens it using t.co, but it also does a sort of URL spoofing of its own: it shows you your original link, but when you click on it you’re actually clicking the t.co link (which takes you to the original URL anyway). If you copy the t.co link embedded in the tweet and post it in a different tweet (the raw t.co link), Twitter replaces it with the spoofed version regardless, so it again shows your original URL while the actual link beneath it is t.co’s version. Combining ly_gs’ discovery with Twitter’s own spoofing scheme, you could spoof URLs even after Twitter had corrected ly_gs’ version of the exploit. All you needed to do was post the two URLs (the one you want to be shown and the one you want to be the actual link), copy the t.co links for both, and apply ly_gs’ exploit using those t.co links (just as my example tweets show as of now). For reference (and a little bit of amusement), I have posted a video of the actual live exploit using one of my example tweets before Twitter’s correction, which you can see below.
UPDATE 2 (09/27/2011):
Apparently, Twitter’s fix for this issue was done by disabling their own t.co URL spoofing. Usually, when someone posts a link in a tweet, the link remains visually identical to the original, but beneath it the actual link uses t.co. According to Twitter’s help center:
How the Link Service Works
- Links shared on Twitter.com will be shortened to a http://t.co link.
- You’ll see the message “link will appear shortened” next to the Tweet button; however, these links will display the site that a link directs to, instead of a t.co URL.
- All links included in Direct Message notification emails already pass through our link service and are converted to a http://t.co link.
- Please note: t.co links are neither private nor public. Anyone with the link will be able to view the content.
So, in order to fix the problem, Twitter has disabled the part that displays the original URL instead of t.co’s. What should we do if we want our own URL displayed in a tweet? Post just the text without a link? And in terms of security that doesn’t help either: now a user won’t be able to distinguish one URL from another (since every link is http://t.co/something). OK, there is still the mouseover that displays the end target, but how many users do you think actually check that before clicking on a link?
Come on, Twitter, give us that service back!
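The check the post says users rarely do by hand (compare the URL a link displays with the host it actually lands on after t.co) can be automated. The following is an added example, not code from the post or from Twitter; the t.co redirect table is a constructed stand-in so it runs offline, and the hosts in the sample tweet are made up.

```python
"""Flag tweet links whose visible URL text lands on a different host than
the link's real target. Added example; the resolver is a constructed
stand-in for following t.co redirects offline."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for t.co's redirect table (live use would need a HEAD request).
FAKE_TCO_RESOLVER = {
    "http://t.co/abc123": "http://www.capitalone.com/",
    "http://t.co/def456": "http://attacker.example/landing",
}

def resolve(url, resolver=FAKE_TCO_RESOLVER):
    """Follow the shortener one hop; links not in the table resolve to themselves."""
    return resolver.get(url, url)

def host_of(text):
    """Hostname of a URL-looking string, or None if the text is not a URL."""
    if not text or " " in text or "." not in text:
        return None
    if "://" not in text:
        text = "http://" + text  # bare 'www.example.com/path' display text
    parsed = urlparse(text)
    return parsed.hostname.lower() if parsed.hostname else None

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from tweet HTML."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def spoofed_links(tweet_html, resolver=FAKE_TCO_RESOLVER):
    """Return (shown_text, real_target) for anchors whose shown host != landing host."""
    parser = AnchorCollector()
    parser.feed(tweet_html)
    hits = []
    for href, text in parser.anchors:
        shown = host_of(text)
        if shown is None:
            continue  # plain words as link text: nothing to compare against
        target = resolve(href, resolver)
        if shown != host_of(target):
            hits.append((text, target))
    return hits

# Constructed sample: one honest t.co link and one that shows a bank but lands elsewhere.
SAMPLE = ('<p>Check <a href="http://t.co/abc123">www.capitalone.com</a> and '
          '<a href="http://t.co/def456">www.capitalone.com</a></p>')
```

`spoofed_links(SAMPLE)` flags only the second anchor; a link whose visible text is ordinary words is skipped, since there is no displayed URL to compare.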
UPDATE 3 (09/27/2011):
Twitter is back to normal: URLs are no longer shown as t.co links, and the spoofing is fixed as well. But my friend @ly_gs has found some pretty neat new tricks.