Twitter May Be Used to Host Random Content

Fact: Twitter uses Amazon’s S3 AWS to store user images.
Fact: Twitter apparently only checks the file extension to determine the file type of uploaded images, not an image library or a method that checks for binary image data.
Fact: This can be used (or abused) to obtain un-metered free hosting of files that are less than 800K in size.

How is it done? A user can rename any file with a ‘jpg’ ‘gif’ or ‘png’ extension and upload it as their background image on a dummy Twitter account.

Then they can simply grab the URI of the “image” from the inline CSS declarations. Since the file is believed to be an image, it is uploaded and stored with no changes. The URI will point to a file having an image extension, but non-image content.

A good application of this is using Twitter’s AWS account to host javascript files. Simply enter the URI as the “src” attribute in a script tag like so:

<script type="text/javascript" src="http://s3.amazonaws.com/twitter_production/profile_background_images/151911/my_javascript.jpg"></script>

For high-traffic websites that use large javascript files, this could save a considerable amount of bandwidth. Amazon’s S3 acts as a CDN as well, so this might also improve performance.

There are some ugly security implications of this, however. Many web-based exploits use unaware 3rd-party hosts to serve up malicious javascript files.  This is particularly troubling since other types of files can be uploaded (exe, swf, mp3, etc). Unless they want their Amazon S3 storage account to become a free data repository for the bad guys, perhaps Twitter should be a bit more prudent with their user-submitted data.