Today I noticed a tweet directed to me from one of my friends. I thought nothing of it except that this particular friend doesn't use Twitter very often. Of course, the first issue I noticed was that it contained only a link. That should set every user's spam-dar pinging.
[Image: Notice that MSN.com is what catches your eye.]
Once I looked at the link a little more closely, I noticed one major problem. Even though this particular link was from MSN.com and looked perfectly innocuous, I noticed that it was referencing 'jj.jp.msn.com', which is their Japanese site. Here's a screenshot of the site (not that you're interested in that at all).
[Image: Yeah, Japanese MSN must be the better choice!]
Now I was curious. Obviously, I'm not going to just click the link. The tricky part here is to get the full URL without activating the link and getting whatever nastiness is on the other side. Twitter has a built-in function which simultaneously shows the original link while also shortening it to a 't.co' redirect. This is supposed to accomplish two things. First, it allows the user to see the link being activated. Second, it reduces the number of characters in the tweet so the user can add more text. That's a very handy tool if the URL is very long.
Let's bring MSN into the mix. They have an internal feature where contributors who post articles with links can add redirects to the reference in order to capture demographics about links being clicked. These numbers allow for many types of data to be collected. The exact data being collected has not been made public, but it would most likely be something related to the number of clicks and general IP geolocation. Those are guesses on my part.
The first problem is with the way Twitter shows the original link to the user. As you can see above, the URL is too long and was truncated with an ellipsis (...) shown at the end. There is an 'expand' option shown but that does nothing to provide the exact link being clicked.
Getting the full URL wasn't difficult. Simply right-click on the link and copy the link URL. Then, go to your favorite URL expander and let it do the work for you. Personally, I use http://longurl.org but any of them will do the trick.
[Image: Voilà! We have the entire URL...minus the harmful bits since it's still live. From here we can see the redirect from MSN to another site being used maliciously.]
The URL in the original link has its WHOIS data masked by WHOISGUARD, INC. I'm not exactly shocked.
I used another domain in place of the malicious one to test the functionality of the redirect. Click the link below to test it yourself.
That will open another browser window and redirect from MSN to Google. This is done without any warning to the user. Go ahead, replace 'http://www.google.com' with any active website. It will work.
The security issues with this should be obvious. MSN.com overlooked this issue. It could be corrected in a matter of minutes.
I have contacted Microsoft about the issue and they have told me that they are working on it. Here is the email chain.
This attack is still active as of the posting of this article. I do not know how many other MSN.com subdomain redirects are vulnerable to this, so I would suggest that any MSN.com links you receive be ignored or, at least, investigated before you go to them.
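One way to do that investigation offline, as an added example that is not part of the original post: the script below pulls any destination URL out of a link's query string, peeling repeated percent-encoding, and reports targets that leave the domain the link appears to belong to. The sample link is constructed; its `/redirect` path and `u` parameter are placeholders, since the post does not show the real ones.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample: the host and the google.com target are from the post;
# the "/redirect" path and "u" parameter are placeholders, not MSN's real ones.
SAMPLE = "http://jj.jp.msn.com/redirect?u=http%3A%2F%2Fwww.google.com"

def host_of(url):
    """Hostname of an absolute http(s) or scheme-relative URL, else None."""
    if url.startswith("//"):
        url = "http:" + url
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")

def embedded_targets(url, max_decode=3):
    """URLs carried in the query string of `url`; nothing is fetched."""
    found = []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for _ in range(max_decode):
            value = value.strip()
            if host_of(value):
                found.append(value)
                break
            decoded = unquote(value)  # peel one more layer of %-encoding
            if decoded == value:
                break
            value = decoded
    return found

def same_site(host, trusted):
    """True only for `trusted` itself or a real subdomain of it."""
    return host == trusted or host.endswith("." + trusted)

def offsite_redirects(url, trusted):
    """Embedded targets that leave `trusted` (e.g. 'msn.com')."""
    return [t for t in embedded_targets(url)
            if not same_site(host_of(t), trusted)]

if __name__ == "__main__":
    for target in offsite_redirects(SAMPLE, "msn.com"):
        print("link hands off to:", target)
```

The same host comparison, applied by the redirecting server to its target parameter before it issues the redirect, is the usual mitigation for an unvalidated redirect of this kind.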




