490 items tagged “security”
2009
moot wins, Time Inc. loses. The Time.com poll hack was more sophisticated than I first thought... Time implemented reCAPTCHA half way through the voting period, but the 4chan community fought back with a custom interface that crowdsourced the job of voting and let individuals submit up to 30 votes a minute.
OAuth Security Advisory 2009.1. It’s a show-stopper: an attacker can start an OAuth permission request flow from a consumer site, then trick another user from the same site in to completing that flow and hence authorising the attacker to act on their behalf. A fix to the spec is forthcoming; in the meantime, don’t start an OAuth flow from an untrusted location.
Inside the precision hack. How 4chan members subverted a Time.com online poll to reorder the options and spell out their own message. Partly poor application design from Time (the first version used a GET request without input validation), but I challenge anyone to design an anonymous online poll that can’t be fixed using the more sophisticated techniques 4chan eventually deployed based on HTTP proxies.
Reducing XSS by way of Automatic Context-Aware Escaping in Template Systems (via) The Google Online Security Blog reminds us that simply HTML-escaping everything isn’t enough—the type of escaping needed depends on the current markup context, for example variables inside JavaScript blocks should be escaped differently. Google’s open source Ctemplate library uses an HTML parser to keep track of the current context and apply the correct escaping function automatically.
Amazon Says Listing Problem Was an Error, Not a Hack (via) “A friend within the company told him that someone working on Amazon’s French site mistagged a number of keyword categories, including the ’Gay and Lesbian’ category, as pornographic, using what’s known internally as the Browse Nodes tool. Soon the mistake affected Amazon sites worldwide.”
How to cause moral outrage from the entire Internet in ten lines of code. Looks legit—the author claims to have sparked this weekend’s #amazonfail moral outrage (where Amazon where accused of removing Gay and Lesbian books from their best seller rankings) by exploiting a CSRF hole in Amazon’s “report as inappropriate” feature to trigger automatic takedowns. EDIT: His claim is disputed elsewhere (see comments)
17-year-old claims responsibility for Twitter worm. It was a text book XSS attack—the URL on the user profile wasn’t properly escaped, allowing an attacker to insert a script element linking out to externally hosted JavaScript which then used Ajax to steal any logged-in user’s anti-CSRF token and use it to self-replicate in to their profile.
Pwn2Own trifecta: Hacker exploits IE8, Firefox, Safari. You just can’t trust browser security: Current versions of Safari, IE8 and Firefox all fell to zero-day flaws at an exploit competition. None of the vulnerabilities have been disclosed yet.
Understanding Bidirectional (BIDI) Text in Unicode. It turns out you need to sanitise user input to ensure there are no unicode characters that switch your site’s regular text to RTL.
Twitter Don’t Click Exploit. Someone ran a successful ClickJacking exploit against Twitter users, using a transparent iframe holding the Twitter homepage with a status message fed in by a query string parameter. Thiss will definitely help raise awareness of ClickJacking! Twitter has now added framebusting JavaScript to prevent the exploit.
Ehy IE8, I Can Has Some Clickjacking Protection? (via) IE8 has built-in protection against clickjacking, but it’s opt-in (with a custom HTTP header) and IE only. It turns out the usual defence against clickjacking (using framebusting JavaScript) doesn’t work in IE as it can be worked around with a security=“restricted” attribute on an iframe.
OWASP: XSS Prevention Cheat Sheet. Comprehensive set of rules for avoiding XSS—there’s a bit more to it than just escaping all output variables, since you have to take markup context in to account.
CSRF is not a security issue for the Web. A well-designed Web service should be capable of receiving requests directed by any host, by design, with appropriate authentication where needed. If browsers create a security issue because they allow scripts to automatically direct requests with stored security credentials onto third-party sites, without any user intervention/configuration, then the obvious fix is within the browser.
Rate limiting with memcached
On Monday, several high profile “celebrity” Twitter accounts started spouting nonsense, the victims of stolen passwords. Wired has the full story—someone ran a dictionary attack against a Twitter staff member, discovered their password and used Twitter’s admin tools to reset the passwords on the accounts they wanted to steal.
[... 910 words]Weak Password Brings “Happiness” to Twitter Hacker. The full story on the Twitter admin account hack. I bet there are a LOT of web applications out there that don’t track and rate-limit failed password attempts.
The Twitter administrator hack was a dictionary attack. I quoted Blaine earlier suggesting that the recent Twitter mass-hack was due to a Twitter admin password being scooped up by a rogue third party application—this was not the case, as Alex Payne explains in a comment.
As more details become available, it seems what happened is that a Twitter administrator (i.e., employee) gave their password to a 3rd party site because their API requires it, which was then used to compromise Twitter's admin interface.
The username/password key's major disadvantage is that it open all the doors to the house. The OAuth key only opens a couple doors; the scope of the credentials is limited. That's a benefit, to be sure, but in Twitter's case, a malicious application that registered for OAuth with both read and write privileges can do most evil things a user might be worried about.
Antipatterns for sale. Twply collected over 800 Twitter usernames and passwords (OAuth can’t arrive soon enough) and was promptly auctioned off on SitePoint to the highest bidder.
2008
Researchers Show How to Forge Site Certificates. Use an MD5 collision to create two certificates with the same hash, one for a domain you own and another for amazon.com. Get Equifax CA to sign your domain’s certificate using the outdated “MD5 with RSA” signing method. Copy that signature on to your home-made amazon.com certificate to create a fake certificate for Amazon that will be accepted by any browser.
Microsoft: Big Security Hole in All IE Versions. Looks like a 0-day that’s being actively exploited.
Yahoo! yesterday launched their new development platform for My Yahoo! and Yahoo! Mail, which uses Caja to protect users from malicious gadgets. This means Caja suddenly got 275,000,000 users. Wow! I guess this makes Caja the most widely used capability language ever.
Now You Can Sign Into Friend Connect Sites With Your Twitter ID. Great. Now even Google is asking me for my Twitter password. Slow clap. How’s that Twitter OAuth beta coming along?
Warcraft account security. Apparently Blizzard have been selling two factor authentication key fobs for World of Warcraft for about six months.
Secret Geek A-Team Hacks Back, Defends Worldwide Web. Wired’s take on the story of Dan Kaminsky’s breaking-the-internet DNS vulnerability. Horrible headline.
The March of Access Control. The W3C Access Control specification is set to become a key technology in enabling secure cross-domain APIs within browsers, and since it addresses a legitimate security issue on the web I hope and expect it will be rolled out a lot faster than most other specs.
Worst. Bug. Ever. Android phones were executing every keystroke typed in to the phone in an invisible root shell! Text “reboot” to a friend and your phone rebooted. Wow.
When visiting any Web page, the site owner is easily able to ascertain what websites you've visited (CSS color hacks) or places you're logged-in (JavaScript errors / IMG loading behavior). They can also automatically exploit your online bank, social network, and webmail accounts (XSS). Additionally, the browser could be instructed to hack devices on the intranet, including DSL routers and printers. And, if that's not enough, they could turn you into a felon by forcing requests to illegal content or hack other sites (CSRF).
.. yet another ridiculous data breach: this time, people's passwords to the Government Gateway on a memory stick dropped in the road. Perhaps it is uncouth to point this out, but... if the system had been designed by people with any security clue whatsoever there would have been no passwords to put on a memory stick in the first place.
Yahoo, Caja, OpenSocial. Yahoo!’s new application platform uses OpenSocial, and protects itself from malicious JavaScript using Google’s Caja secure JavaScript engine. I hadn’t realised that Caja was ready for production use—this is excellent news.