Twitter button problem causes "torrent download" confusion - here's what happened

Filed Under: Featured

A few Naked Security readers recently said, "When I read your articles, sometimes a torrent download window pops up. Is this dangerous? Should I be concerned?"

"Torrents" are files shared via the BitTorrent peer-to-peer file sharing system, and they are often associated with piracy and dodginess, so those are pretty reasonable questions.

And Naked Security's own downloads (e.g. technical reports and podcasts) are served up using HTTP, not BitTorrent, making the questions doubly pertinent.

As far as we're aware, this was a mistake by Twitter.

It was confusing, and mildly alarming, but there nothing dangerous - just a file served up in the wrong way.

Here's what seems to have happened.

Usually, our articles have a little "Tweet" button that you can click on to retweet them.

The Tweet button itself comprises an HTML file with the name widgets/tweet_button.html, and when your browser requests that file, Twitter is supposed to send it back directly.

The file includes some JavaScript to deal with the retweeting, some stylesheet formatting data, and an embedded image containing the Twitter birds:

When the HTML file is loaded into a browser, it combines the abovementioned elements to generate a clickable button like this:

Twitter's mistake appears to have been that its servers sometimes returned a "torrent" link to the HTML file, instead of the file itself.

This caused your browser to pop up a download window instead of displaying the "Tweet" button.

If you had a Torrent downloader installed and had let it go ahead, then the HTML file you were expecting would have been fetched, with the JavaScript, stylesheet and image data inside.

I don't recommend trusting unexpected torrent downloads, but that is what would have happened: uselessly, of course, and incorrectly, but harmlessly.

But why a "torrent" link, all of a sudden?

As far as we can tell, Twitter uses BitTorrent to distribute files between the servers in its content delivery network, from where they are supposed to go out as regular files.

It seems that for a short while, Twitter very occasionally served up the "torrent" flavour of the file by mistake, not the HTML one.

Lots of websites were affected, not just Naked Security.

As I said above, this download behaviour was incorrect, and useless (though harmless); but as some of our readers found out, it was also somewhere between annoying and alarming.

Twitter has apparently fixed the problem now; we've also removed the "Tweet" button from our article pages for the time being.

Our apologies for any confusion.

We hope this article assuages any concerns.


The Naked Security Crew

, , ,

You might like

3 Responses to Twitter button problem causes "torrent download" confusion - here's what happened

  1. questions everything · 738 days ago

    So, you just let it slip that twitter uses bittorrent for it's CDN...

    Does that not introduce new venues of attack?

    • markstockley · 738 days ago

      Twitter let that one slip a few years ago if I recall correctly, it's certainly not a secret.

      Whilst knowing anything about a company's infrastructure is potentially useful to an attacker I don't think this is especially useful information. AFAIK the use torrent to propagate data between servers within their own network which makes a lot of sense - servers will update themselves from neighboring servers that have what they want. They'd have to use *some* protocol to do that and at least it's not FTP!

  2. Nigel · 738 days ago

    Thanks for the clear explanation!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog