STE WILLIAMS

A few Naked Security readers recently said, “When I read your articles, sometimes a torrent download window pops up. Is this dangerous? Should I be concerned?”

“Torrents” are files shared via the BitTorrent peer-to-peer file sharing system, and they are often associated with piracy and dodginess, so those are pretty reasonable questions.

And Naked Security’s own downloads (e.g. technical reports and podcasts) are served up using HTTP, not BitTorrent, making the questions doubly pertinent.

As far as we’re aware, this was a mistake by Twitter.

It was confusing, and mildly alarming, but there nothing dangerous – just a file served up in the wrong way.

Here’s what seems to have happened.

Usually, our articles have a little “Tweet” button that you can click on to retweet them.

The Tweet button itself comprises an HTML file with the name widgets/tweet_button.html, and when your browser requests that file, Twitter is supposed to send it back directly.

The file includes some JavaScript to deal with the retweeting, some stylesheet formatting data, and an embedded image containing the Twitter birds:

When the HTML file is loaded into a browser, it combines the abovementioned elements to generate a clickable button like this:

Twitter’s mistake appears to have been that its servers sometimes returned a “torrent” link to the HTML file, instead of the file itself.

This caused your browser to pop up a download window instead of displaying the “Tweet” button.

If you had a Torrent downloader installed and had let it go ahead, then the HTML file you were expecting would have been fetched, with the JavaScript, stylesheet and image data inside.

I don’t recommend trusting unexpected torrent downloads, but that is what would have happened: uselessly, of course, and incorrectly, but harmlessly.

But why a “torrent” link, all of a sudden?

As far as we can tell, Twitter uses BitTorrent to distribute files between the servers in its content delivery network, from where they are supposed to go out as regular files.

It seems that for a short while, Twitter very occasionally served up the “torrent” flavour of the file by mistake, not the HTML one.

Lots of websites were affected, not just Naked Security.

As I said above, this download behaviour was incorrect, and useless (though harmless); but as some of our readers found out, it was also somewhere between annoying and alarming.

Twitter has apparently fixed the problem now; we’ve also removed the “Tweet” button from our article pages for the time being.

Our apologies for any confusion.

We hope this article assuages any concerns.

Yours,

The Naked Security Crew

Follow @duckblog

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/NpUVPeKP-0Y/