Twitter URL spoofing still exploitable (Updated)

A couple of days ago ly_gs Security Blog has published an interesting post detailing how someone can subvert Twitter’s URL shortening service in order to spoof URLs in a tweet. With ly_gs technique one could post a tweet with a link that, for instance, shows as Capital One’s web page, but when clicked redirects to an attacker’s web site instead. Ly_gs blog has stated that twitter has closed the hole, but a couple of hours ago, as I played around with the ty_gs’ discovery I found out that this isn’t completely true.

Ty_gs way of exploiting this flaw might have been patched, but tweaking it just a little bit makes spoofing URLs in twitter still possible. In other words, the flaw still exists. The following tweets are examples of spoofed URLs in twitter posted after twitter has alegedely corrected the flaw:!/pabloximenes/status/118496446264782848!/pabloximenes/status/118487078941102080

The first tweet shows CapitalOne’s url, but instead takes the user to my blog. The second tweet does the same for Banco do Brasil’s web page (a Brazilian bank).

Well, the technique to do this is very close to ly_gs’ and smart people will be able to figure it out just by taking a closer look at my example tweets. Since the vulnerability is already disclosed by ly_gs’ blog, I might eventually add the full details here for the lazy (when I have the time). The only thing I really wanted to point out here is that Twitter hasn’t really corrected the flaw yet.


UPDATE 1 (09/27/2011):

Twitter has aparently taken notice of this problem and has issued a complete fix this time. Kudos to their response team! They might not tackle the whole thing at one, but they sure are fast.

Now my example tweets only show the original links I have used to exploit the flaw. Let me briefly try to explain what they did. Twitter’s service has an interesting beavior. Whenever you post any URL in a tweet, twitter shortens it using, but also do a sort of url spoofing of their own: the show you your original link, but when you click on it you’re actually clicking the link (which will take you to the orinal url anyway). If you try to copy the link embedded in the tweet and post it in a different tweet (the raw link), twitter will replace it with the spoffed version regardless, so it again shows your original url but beneath the actual link is’s version. Using ly_gs’ discovery with this twitter own spoofing scheme, you could spoof URLs even after twitter has corrected ly_gs version of the exploit. All you needed to do is to post the two URLs (the one you want to be showed and the one you want it to be the actual link), copy the’s links for both, and apply ly_gs’ exploit using the’s links (just like it shows in my example tweets as of now). For reference (and a little bit of amusement) purposes, I have posted a video of the actual live exploit using one of my example tweets before twitter’s correction, which you can see below.

UPDATE 2 (09/27/2011):
Aparently, Twitter’s fix for this issue was done by disbling their own url spoofing. Ususally when someone posts a link in a tweet the link remains visually like the original, but beneath it is actually using According to twitter’s help center:

How the Link Service Works

  • Links shared on will be shortened to a link.
  • You’ll see the message “link will appear shortened” next to the Tweet button; however, these links will display the site that a link directs to, instead of a URL.
  • All links included in Direct Message notification emails already pass through our link service and are converted to a link.
  • Please note: links are neither private nor public. Anyone with the link will be able to view the content.

So, in order to fix the problem, twitter has disabled the part that displays the original URL instead of’s. What should we do if we want to have their own URL displaying in a tweet? Post just the text without a link? And in terms of security that doesn’t help either. Now a user won’t be able to distinguish one URL from another (since everyone is htp:// OK, there is still the mouseover thing that displays the end target, but how many user do you thing actully check that before clicking on a link.

Come one, twitter, give us that service back!

UPDATE 3 (09/27/2011):

Twitter is back to normal, urls are not showing as’s links anymore and the spoffing thing is fixed also. But friend @ly_gs has found some pretty neat new tricks.

Esta entrada foi publicada em Outros e marcada com a tag , , , , , , . Adicione o link permanente aos seus favoritos.

5 respostas para Twitter URL spoofing still exploitable (Updated)

  1. Mario Vilas disse:

    It may possibly be a temporary patch while they work on the underlying cause. Twitter is big enough a company to have to wait for all sorts of bureaucratic red tape before making significant changes to their service – not to mention the delays of development and testing alone in a high availability service.

    Don’t be so hard on them, let’s wait a few days and see 🙂

  2. Carolyn Penner of Twitter has said they they will be restoring the functionality “soon.”

  3. Pingback: Twitter URL spoofing still exploitable (Updated: fixed, but breaks … - Ad Tool, Information, Keywords -

  4. sleectapets disse:

    sleectapets.[url=]replica herve leger[/url] .sleectapets.[url=]herve leger dresses uk[/url] .sleectapets[url=]china curtain rod[/url] .

  5. Reuldexitesse disse:

    How To Identify Ultram [url= ]Butalbital Medication Overnight[/url] Zoloft 50mg Side Effects Selective Serotonin Reuptake Inhibitors Pentasa Drug Class Inflammatory Bowel Disease Using Aloe Vera For Weight Loss Examples Of Writing Prednisone Pharmacy [url= ]cheap online order sibutramine[/url] Parafon Forte Dsc Muscle Spasm Interactions With Zoloft Suicidal Thoughts Clomid No Follicles Mg Symptoms Of Xanax Addiction St John’s Wort [url= ]metrogel next day cod fedex[/url] Imodium Fashion Focalin Weight Loss Ritalin La Normal Blood Pressure For Teen Does Provera Prevent Pregnancy Lining Of The Uterus Molar Mass For Citalopram [url= ]order fexofenadine free shipping[/url] Signs And Symptoms Of Type Ii Diabetes Medications Break In Half Vicodin Hydrocodone History Of Triphala Churna Remidies For High Blood Pressure [url= ]purchase terbinafine on line without a rx[/url] Fda Black Box Warning Levaquin Rotator Cuff Flagyl And Anaerobes Ibuprofen Increases Soft Tissue Infections In Children Necrotising Fasciitis Causes Infectious Arthritis [url= ]order penicillin mail order[/url] Effects Women Testosterone Deficiency Oriflame Skin Care Psoriasis Eczema Metronidazole Child Information Keppra Drug Side Effects Prometrium During Trimester My First Uspstf Screening For High Blood Pressure

Os comentários estão fechados.