Twitterfox weird behavior – auto-extract short URL? How to disable?
We were analyzing some HTTP traffic for a presentation at a university here in Brazil when we noticed something odd: an HTTP GET request to http://bit.ly/huVV5. That website had been referenced in someone’s post on Twitter. Since I never clicked or otherwise called that website, WHY did I send a GET request to that link?
My first suspect was my so-called “Twitter client”, the well-known “Twitterfox”. By monitoring its activity, I noticed that it deliberately connects to the URL shortening service in order to “automatically extract” (expand) the shortened URL.
The “Twitter Post” that generated that behavior is listed below:
Typo3(reported as critical):Crash with DBAL (- TYPO3 Core -) http://bit.ly/huVV5
From the Wireshark (tcpdump) capture:
GET /huVV5 HTTP/1.1
Host: bit.ly
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.42
Date: Mon, 25 May 2009 02:55:16 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Content-Length: 133
Location: http://bugs.typo3.org/view.php?id=11176
Allow: GET, HEAD, POST

This resource has permanently moved to <a href='http://bugs.typo3.org/view.php?id=11176'>http://bugs.typo3.org/view.php?id=11176</a>.
Next, I posted a tweet of my own containing a bit.ly link in order to test the same behavior:
@spookerlabs test for research dont click =) http://bit.ly/aaaaaaaaaaaaaaaaaaaaaaaaa
And here is what I got from the Wireshark (tcpdump) capture:
GET /aaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: bit.ly
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/0.7.42
Date: Mon, 25 May 2009 03:10:09 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Status: 404
Allow: GET, HEAD, POST
Content-Encoding: gzip
We then changed the test to use the TinyURL shortening service (remember: TinyURL is not listed as an auto-extract service).
@spookerlabs test 3 and final I hope http://tinyurl.com/OPAOPA
And Twitterfox again attempted to extract the URL with an asynchronous request:
GET /OPAOPA HTTP/1.1
Host: tinyurl.com
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

HTTP/1.1 301 Moved Permanently
X-Powered-By: PHP/5.2.9
Location: http://www.erofilehost.net/?id=501
Content-type: text/html
Content-Length: 0
Connection: close
Date: Mon, 25 May 2009 03:18:43 GMT
Server: TinyURL/1.6
Of course, when we used a regular URL such as http://www.nstalker.com or http://www.spooker.com.br, nothing happened, since these are regular domains rather than shortening services.
The curious thing is that Twitterfox “resolves” such URLs in a “stealthy” way, and there is no option at all to enable or disable the auto-extract feature. That gives us something to think about:
- How secure is it to use Twitterfox? Can URL shortening services figure out whom I am following or what I am doing just by watching my attempts to resolve URLs?
- Can the auto-extract behavior be exploited as a XSRF (cross-site request forgery) attack vector?
Twitterfox is an excellent tool, but the lack of configuration options certainly counts against it if you are looking for a secure “Twitter client” implementation.
Follow us on twitter: http://www.twitter.com/nstalker
N-Stalker Research Team
UPDATE: According to Mr. Jeronimo Zucco and our own research, Twitterfox’s code is strictly restricted from accessing any URL other than those of URL shortening services, which means the XSRF problem is mitigated (unless a URL shortening service itself is the target of the attack). The question about tracking your Twitter usage still remains; however, this is an issue for all URL shortening services and not a problem isolated to Twitterfox.
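To make the two points above concrete (the missing on/off switch, and the restriction to shortener hosts that mitigates the XSRF question), here is an added example of an expansion policy written for this page; it is not Twitterfox’s code. It assumes a small allowlist of shortener hosts (SHORTENER_HOSTS), a user-facing auto_expand_enabled flag, and the helper names shown; the sample post and the bit.ly response are taken from the capture above, and the second URL in the post is constructed. The expanded target is read from the shortener’s Location header only and is never fetched, so no host other than the shortener is ever contacted.

```python
# Added example (not Twitterfox code): a URL-expansion policy that only ever
# talks to known shortening services and never fetches the expanded target.
import re
from urllib.parse import urlparse

# Assumption: allowlist of shortener hosts the client may contact for expansion.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_urls(text):
    """Return every http(s) URL mentioned in a post."""
    return URL_RE.findall(text)


def should_expand(url, auto_expand_enabled=True):
    """Decide whether the client may contact this URL's host to expand it.

    auto_expand_enabled is the user option the post says Twitterfox lacks;
    the host check is the restriction the update describes.
    """
    if not auto_expand_enabled:
        return False
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def parse_http_message(raw):
    """Split a raw HTTP request/response into (start line, lower-cased header dict).

    Accepts CRLF-delimited messages as well as the space-flattened one-line
    form in which the capture above was pasted.
    """
    raw = raw.strip()
    if "\n" in raw:
        lines = [l.strip() for l in raw.splitlines() if l.strip()]
    else:
        # Split before tokens that look like "Header-Name: " (a time such as
        # 02:55:16 or a scheme such as http:// has no whitespace after the colon).
        lines = re.split(r"\s+(?=[A-Za-z][A-Za-z0-9-]*:\s)", raw)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expanded_target(response_raw):
    """Return where the shortener points, taken from its Location header only.

    The target is reported, not fetched: following it would make the XSRF
    question real for every host a post can name.
    """
    start_line, headers = parse_http_message(response_raw)
    status = int(start_line.split()[1])
    if status in REDIRECT_STATUSES and "location" in headers:
        return headers["location"]
    return None  # no redirect (e.g. bit.ly answered 200 with Status: 404)


def plan_expansions(post, auto_expand_enabled=True):
    """List each URL in a post with the decision to contact its host or not."""
    return [(u, should_expand(u, auto_expand_enabled)) for u in find_urls(post)]


# Sample post (first URL from the capture above, second URL constructed) and the
# bit.ly response as pasted on this page.
POST = ("Typo3(reported as critical):Crash with DBAL (- TYPO3 Core -) "
        "http://bit.ly/huVV5 see http://www.nstalker.com")
BITLY_RESPONSE = ("HTTP/1.1 301 Moved Permanently Server: nginx/0.7.42 "
                  "Date: Mon, 25 May 2009 02:55:16 GMT Content-Type: text/html;charset=utf-8 "
                  "Connection: keep-alive Content-Length: 133 "
                  "Location: http://bugs.typo3.org/view.php?id=11176 Allow: GET, HEAD, POST")

if __name__ == "__main__":
    for url, ok in plan_expansions(POST):
        print(f"{url}: {'expand via shortener' if ok else 'leave alone'}")
    print("bit.ly points to:", expanded_target(BITLY_RESPONSE))
```

With auto_expand_enabled=False nothing is contacted at all, which is the switch a privacy-conscious user would want; with it on, only bit.ly is contacted for the sample post, and the typo3.org target is displayed rather than requested.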