by MichaelAza 4653 days ago
It implies downloading a file onto the user's machine without user consent which is, in itself, a problem. More importantly, an attacker could craft a torrent file that exploits vulnerabilities in the torrent client. If, just by visiting a site, an attacker can download an arbitrary file onto your machine and then have it automatically opened in a known program you're in big trouble.

I don't understand, if the user is prompted to download the file using an external application it's no different than a direct download.

If users have their browsers configured to automatically start the download of any .torrent files without confirmation, twitter giving bogus .torrent is no more dangerous than $malware_site linking a .torrent. So that's not a security issue on twitter's site.

And anyway, I still fail to see how downloading a file (through bittorrent or otherwise) constitutes a security breach on its own. Unless of course the bittorrent client auto-executes binaries when it's done downloading, but that's just silly (and still nothing to do with twitter's security policy).

The flow of a (possible) attack is something like this:

1. User configures browser to automatically start torrent downloads when a ".torrent" link is clicked

2. User clicks twitt button which leads to a torrent file

3. The file is downloaded and opened in a torrent client

At this point, one could imagine a specifically crafted torrent file which exploits some vulnerability of the torrent client to gain (say) arbitrary code execution and now the user is, to use a mild term, screwed.

This attack could be used by any malicious site, really, but it's easier to get people to click a twitt button rather than some link on some site and besides, by performing the attack this way the attacker would infect a sizable chunk of all internet sites (any site that uses the twitt button).

One could also imagine a specially crafted image file which exploits some vulnerability of the graphics library to gain arbitrary code execution. Then you just need the user to look at the twitter button.

True, though I'd think it would be easier to exploit a torrent client than a browser.

That attack vector has nothing to do with Twitter.

Did I imply it had something to do with twitter?

When this conjecture was posted I assumed someone hijacked a CDN used by twitter and used the twitt button as an attack vector by making it redirect to a torrent file.

I'm not saying twitter is trying to infect its users or something. In all probability, it's just a configuration screw-up and not an attack but (for all we know) it could be.

The torrent file it downloads is a binary, so it's most likely an auto-open exploit.
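Added example, not code from the thread, from Twitter or from any torrent client: a strict bencode decoder plus a structural check of a .torrent file, the kind of gate a download handler or a proxy could apply before a file with a .torrent name is handed to a torrent client (the step 3 of the attack flow above). It also shows that the last comment's observation ("the torrent file it downloads is a binary") is mechanically checkable: a genuine metainfo file must decode as a bencoded dictionary whose info dictionary carries name, piece length and pieces, and anything else is rejected without ever reaching the client. Both sample inputs are constructed; the tracker URL, the file name and the piece data are placeholders.

```python
import hashlib
import re

MAX_DEPTH = 32  # assumed nesting limit; a real torrent never nests this deep


class BencodeError(ValueError):
    """Raised for any byte sequence that is not well-formed bencode."""


_INT_RE = re.compile(rb"-?(0|[1-9][0-9]*)")


def _decode(data, i, depth=0):
    """Decode one bencoded value starting at offset i; return (value, next_offset)."""
    if depth > MAX_DEPTH:
        raise BencodeError("nesting too deep")
    if i >= len(data):
        raise BencodeError("unexpected end of data")
    c = data[i:i + 1]
    if c == b"i":  # integer: i<digits>e, no leading zeros, no -0
        end = data.find(b"e", i)
        if end == -1:
            raise BencodeError("unterminated integer")
        body = data[i + 1:end]
        if not _INT_RE.fullmatch(body) or body == b"-0":
            raise BencodeError("malformed integer %r" % body)
        return int(body), end + 1
    if c == b"l":  # list: l<values>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i, depth + 1)
            items.append(item)
        return items, i + 1
    if c == b"d":  # dict: d<key><value>...e, keys are byte strings in sorted order
        result, last_key, i = {}, None, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i, depth + 1)
            if not isinstance(key, bytes):
                raise BencodeError("dict key must be a byte string")
            if last_key is not None and key <= last_key:
                raise BencodeError("dict keys not strictly sorted")
            result[key], i = _decode(data, i, depth + 1)
            last_key = key
        return result, i + 1
    if c.isdigit():  # byte string: <length>:<bytes>
        colon = data.find(b":", i)
        if colon == -1 or not data[i:colon].isdigit():
            raise BencodeError("malformed string length")
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise BencodeError("string length exceeds data")
        return data[start:end], end
    raise BencodeError("unexpected byte %r at offset %d" % (c, i))


def decode(data):
    """Decode a complete bencoded document; trailing bytes are an error."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise BencodeError("trailing bytes after bencoded value")
    return value


REQUIRED_INFO_KEYS = (b"name", b"piece length", b"pieces")


def check_torrent(data):
    """Return (ok, reason): ok is True only for a structurally valid metainfo file."""
    try:
        meta = decode(data)
    except BencodeError as exc:
        return False, "not bencoded: %s" % exc
    if not isinstance(meta, dict):
        return False, "top-level value is not a dictionary"
    info = meta.get(b"info")
    if not isinstance(info, dict):
        return False, "missing info dictionary"
    for key in REQUIRED_INFO_KEYS:
        if key not in info:
            return False, "info dictionary lacks %r" % key
    pieces = info[b"pieces"]
    if not isinstance(pieces, bytes) or not pieces or len(pieces) % 20 != 0:
        return False, "pieces is not a non-empty multiple of 20 bytes"
    if not isinstance(info[b"piece length"], int) or info[b"piece length"] <= 0:
        return False, "piece length is not a positive integer"
    if b"length" not in info and b"files" not in info:
        return False, "neither length (single file) nor files (multi file) present"
    return True, "well-formed torrent"


# Constructed sample inputs (placeholders, not taken from the thread).
_PIECES = hashlib.sha1(b"constructed-piece").digest()  # one 20-byte piece hash
VALID_TORRENT = (
    b"d8:announce24:http://tracker.invalid/a4:infod6:lengthi16e4:name8:file.bin"
    b"12:piece lengthi16384e6:pieces20:" + _PIECES + b"ee"
)
BOGUS_BINARY = b"MZ\x90\x00" + b"\x00" * 60  # executable-looking bytes under a .torrent name

if __name__ == "__main__":
    for label, blob in (("valid", VALID_TORRENT), ("bogus", BOGUS_BINARY)):
        print(label, check_torrent(blob))
```

The decoder is deliberately stricter than most clients (sorted keys, canonical integers, no trailing bytes, bounded depth); the point of a pre-filter is to refuse anything that does not look exactly like a torrent file, and to keep its own parser simple enough that it is not the component an oddly shaped file ends up exploiting.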