Twitter changes shortener as loophole aired
Those with a keen eye may have noticed that Twitter has been tinkering with how it shortens links, by changing how they appear in tweets for a brief period overnight.
(Screenshot by Michael Lee/ZDNet Australia)
About six weeks ago, the microblogging platform began to shorten URLs to a t.co link, but display a shortened version of the URL to identify where users would be directed to instead of the t.co link. In doing so, users could see where they were being directed and Twitter could compare the original URL against a list of known dangerous sites to protect users, and also generate statistics on how often links are clicked.
However, for a period last night, Twitter began displaying all shortened URLs as t.co addresses, meaning users were unaware of what sites they could be visiting. Twitter employee Carolyn Penner wrote on her Twitter account: "t.co links are showing rather than the 'prettier', useful version. This is temporary. We'll fix soon".
Earlier this week, two security researchers from Brazil and the Netherlands, Pablo Ximenes and ly_gs, said that they'd discovered they could undermine the security that Twitter's shortener was meant to provide. By crafting certain URLs in tweets, Twitter's shortener could be fooled into displaying one link, such as a banking site, but redirect to another, such as a malware-laden site that hadn't yet been identified by Twitter as dangerous, or for mischief.
The flaw worked due to the way that Twitter handled semicolons and directory traversals when shortening URLs, according to the researchers.
Ly_gs wrote on his blog: "Nyan.cat shortened by t.co becomes: http://t.co/nvv62gQ. So if I made a tweet containing the following link: http://twitter.com:../../../nvv62gQ, the tweet would show twitter.com but would actually send me to the nyan.cat domain."
While the loophole appears to have been closed, Ximenes had created a video of the exploit when it was working, showing one of his tweets that had a link to a US credit card site, but that actually directed to his blog.
Twitter has since brought its shortening service back online and no longer appears to be vulnerable. The microblogging service had not responded to requests for comment at the time of publication.