Archive for the 'Script' Category

Strava “API” and privacy leaks.

Monday, July 8th, 2013

I previously had some pages which used the Strava API to do useful things for me. The one I used most was seeing who rode climbs together: it simply used the API to see everyone who rode a segment and then tracked their start times so you could see who was riding with whom. It was also really useful to see changes in time between groups in a race, i.e. the break started a lap 2 minutes ahead and then the next lap only 1 minute.

Strava killed their previous API though, and despite an initial promise from them for me to have access to their new API if I agreed to remove their embarrassing GPX export service which revealed the private zones of people’s rides, I never got access, they just stopped emailing. (The privacy flaw was in their export, not in anything I did…).

I’m stuck here now without access to the useful features, so I’ve started looking for a replacement. I don’t have access to their new APIs, and in fact I don’t think I’d bother investing the time in them anyway, once bitten… But I started looking at the services they use to populate the pages themselves. One thing hit me immediately: their page API allows access to private activities.

Accessing private activities

Here’s a private run of mine: you won’t be able to see it, however here’s a JSON file of the exact run. So as long as you know the ID of a user’s ride, you can get all the info about it. It also completely ignores the privacy zones you have configured when exporting a private ride. Here’s a public version of the same run; this one has a privacy zone (it’s only hiding a sports club which is the start for these races, it’s not my house!) and you can see from exporting this one that the points within the privacy zone are reset to 0,0 rather than the actual lat/lon. Yet on the fully private activity, those same points were available, so private activities actually pose more risk of revealing your location than public ones.

Private rides are just security through obscurity, and the IDs aren’t even that obscure: don’t give Strava data that you actually want private.

Distances within privacy zones are provided

Another privacy flaw here is that while the lat/lons on public rides in your privacy zone are hidden, the distances you travel for each of those points in the private zone are not, so it’s a pretty easy algorithm to get back to very close to the start of your ride/run unless you do some laps inside your zone or something similar to obfuscate it. Altitude is also provided for the points within the zone, so that may reveal more for those of you who don’t live in flat lands.
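To make the last two sections concrete, here is an added example (not Strava’s code, and not from the original post) contrasting the export behaviour described above, where lat/lon inside the zone become 0,0 but the per-point distance and altitude are left in, with an export that drops every field of those points and re-bases the distance. The track, zone and the haversine helper are all constructed for the example; the point of interest is the `recoverableHiddenMetres` check, which reads the hidden path length straight off the weak export.

```javascript
// Added example (not Strava's code): privacy-zone export, weak form beside the
// hardened form. All track data below is constructed.

const EARTH_RADIUS_M = 6371000;

// Great-circle distance in metres between two lat/lon pairs (haversine).
function haversineM(lat1, lon1, lat2, lon2) {
  const toRad = (d) => (d * Math.PI) / 180;
  const p1 = toRad(lat1), p2 = toRad(lat2);
  const dPhi = p2 - p1, dLambda = toRad(lon2 - lon1);
  const a = Math.sin(dPhi / 2) ** 2 + Math.cos(p1) * Math.cos(p2) * Math.sin(dLambda / 2) ** 2;
  return 2 * EARTH_RADIUS_M * Math.asin(Math.sqrt(a));
}

const inZone = (p, zone) => haversineM(p.lat, p.lon, zone.lat, zone.lon) < zone.radiusM;

// Weak export, as described in the post: coordinates inside the zone become 0,0
// but the per-point cumulative distance and altitude are still exported.
function zeroLatLonOnly(points, zone) {
  return points.map((p) => (inZone(p, zone) ? { ...p, lat: 0, lon: 0 } : p));
}

// Hardened export: points inside the zone are removed entirely and the
// cumulative distance is re-based so the first visible point reads 0.
function redactTrack(points, zone) {
  const visible = points.filter((p) => !inZone(p, zone));
  if (visible.length === 0) return [];
  const base = visible[0].distance;
  return visible.map((p) => ({ ...p, distance: p.distance - base }));
}

// Check on an export: how much of the hidden path length an observer can read
// straight off it, i.e. the cumulative distance at the first point with real
// coordinates. A correct export gives 0.
function recoverableHiddenMetres(exported) {
  const first = exported.find((p) => !(p.lat === 0 && p.lon === 0));
  return first ? first.distance : 0;
}

// Constructed sample: a straight run due east from a start point, one point
// every stepM metres, altitude climbing one metre per point.
function buildSampleTrack(startLat, startLon, nPoints, stepM) {
  const metresPerDegLon = 111320 * Math.cos((startLat * Math.PI) / 180);
  return Array.from({ length: nPoints }, (_, i) => ({
    lat: startLat,
    lon: startLon + (i * stepM) / metresPerDegLon,
    distance: i * stepM,
    altitude: 50 + i,
  }));
}

// Stand-alone demonstration: a 450 m zone centred on the start of a 3 km run.
const track = buildSampleTrack(51.5, -0.12, 30, 100);
const zone = { lat: 51.5, lon: -0.12, radiusM: 450 };
console.log('weak export exposes', recoverableHiddenMetres(zeroLatLonOnly(track, zone)), 'm of hidden path');
console.log('hardened export exposes', recoverableHiddenMetres(redactTrack(track, zone)), 'm of hidden path');
```

Run it with `node` and the weak export reports the full 500 m travelled inside the zone, which together with the untouched altitudes is exactly the information the post says is left behind; the hardened export reports 0 because the hidden points, their distances and their altitudes are gone, and the first visible point carries no offset from which the hidden part could be measured.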

Strava Lack of time?

Strava have repeatedly said their reason for not supporting old APIs or for not providing access to the new API is lack of time. I guess I can now believe this, as they don’t even appear to have the time to invest in even basic honouring of their privacy assurances. I did try emailing them before publishing this, and then tried twitter, but still no response.

Exporting GPX from Strava

Monday, September 5th, 2011

I knocked up a Greasemonkey script to get GPX routes out of Strava, to help you know exactly where the segments start and finish. The script lets you export GPX rides and segments from Strava. At the moment it’s very rudimentary, with just the route being created. It would be quite easy to add way markers or course points to it to highlight when you were approaching the start or finish of a segment, but for now I just kept it super simple.

Widgets!

Tuesday, April 25th, 2006

I’ve been creating things that are a lot like what are now called widgets for a long time: HTML+Javascript applications with full trust. I’ve always used something called Zeepe which turns IE into a fully trusted container that you can launch locally (or even from the web, if you’ve got a licence and use the trust model).

Zeepe is much richer than other widget platforms on Windows currently, not least because it allows complete connection to all Windows COM objects - so you really can connect to anything. I use it for automating Windows Media Encoder and recording video streams, or as a database management tool. I don’t know how capable the OS-X dashboard is, it may well be able to do similar stuff, but until there’s a powerbook with a nipple and a release of IE6 for OS-X I’ll stick with XP.

The widget system from Opera is new, last week at the gathering Opera ran a widget competition, and lots of widget folk arrived in #svg on freenode asking how to use all that cool opera SVG in the widget. I had a couple of hours so I decided to join in and create a quick widget.

Another cool thing that Opera have is the My Opera FOAF data they provide for everyone, so in a foafnaut kind of style, I decided to create widgnaut, a browser of the data. It’s very ugly but it shows some nice features of widgets and RDF and how easy such connections of data can be made once you escape the security constraints of browsers, but still use all those easy HTML/javascript features.

Opera Widgets currently have a few problems, which make the sort of widgets I like to create not really viable, the 2 big ones are:

  • You can’t decide where to position your initial widget, or control its location. This means widgets like widgnaut, which really need full screen, rely on the user positioning them in a particular place.
  • The screen darkens! This just seems very silly; I can’t understand the use case for this at all. If I want a widget, it doesn’t mean I don’t want the other stuff on the screen: with a calendar widget I still need to copy info to my other applications, and once they’ve gone dark I can’t even access them, let alone anything else. This didn’t happen on builds earlier than the Beta, so hopefully it will go away again.

Opera widgets are still good though, easy to create, and useful, just not quite ready for my perhaps odd requirements.

Google Flaw not fixed, GMail contact stealing demo

Monday, April 10th, 2006

Despite the flaw being announced a long time ago, the Google Book Search flaw is still not fixed. It’s surprising that Google aren’t taking it more seriously; this one is very easy to use to automate a user’s GMail account, stealing contacts, or sending email, if they are logged into Google when they’re tricked into visiting such a page.

Here’s an example that will list your gmail contacts: List your gmail contacts

There’s no reason why a page cannot also send emails, steal the contents of emails or anything else. Given the length of time this has been public (I didn’t find this flaw, it was posted to bugtraq on the 4th April, or 6 days ago) it’s very possible that a worm that stole GMail information is already circulating. Disable script on google.com!

The script that gets the contacts is trivial:

function x() {
	// Synchronous request for the contacts page; it is sent with the user's
	// Google cookies because the script runs inside a google.com page
	var xmlhttp = new XMLHttpRequest();
	xmlhttp.open("GET","http://mail.google.com/mail/?view=page&name=contacts&ver=e0ad439ebad5ad16",false);
	xmlhttp.send('');
	// The body returned is the page containing the contacts as a JSON structure
	return xmlhttp.responseText;
}

The string returned by x then contains a JSON structure containing the contacts, which can be easily changed into the output format with some simple regular expressions: see test6.js for those and the complete included script. The livehttpheaders extension in Firefox is how to find out how to do other things.

Yet More Google Security Failures

Monday, April 10th, 2006

Google are still failing to keep even their flagship google.com domain secure from Cross Site Scripting attacks; this one allows arbitrary code insertion into google.com.

See Google’s new pay search service (Not really of course, just my credit card form!)

The flaw appears to be in failing to clean the characters in a book search result. It’s a trivial flaw that every Google employee should know about, yet the same class of flaw keeps getting produced; Google developers and Google testers would appear to be uninterested in security, not even bothering to test for flaws that they’ve found before.
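The class of flaw behind both of these posts is untrusted input reflected into a google.com page without encoding, which is what lets a visitor’s script run with that origin’s cookies. As an added example (not Google’s code, and not from the original post), here is a search-results template rendered unsafely beside the same template with HTML escaping at every insertion point; the template, the hit count and the probe string are constructed for the example.

```javascript
// Added example (not Google's code): reflecting a search query into a results
// page, first verbatim and then escaped. The page fragments are constructed.

// Escape the five characters that can change meaning in HTML text and in
// quoted attribute values. Ampersand goes first so nothing is double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: the query lands in the page verbatim, in both a text node and an
// attribute value, so any markup in it becomes part of the page.
function renderResultsUnsafe(query, hits) {
  return `<h2>Results for ${query}</h2>` +
    `<input name="q" value="${query}">` +
    `<p>${hits} hits</p>`;
}

// Hardened: every untrusted value is escaped where it is inserted, attribute
// values are always quoted (so escaping the quote character is sufficient),
// and the numeric field is coerced to a number rather than trusted as text.
function renderResultsSafe(query, hits) {
  const q = escapeHtml(query);
  return `<h2>Results for ${q}</h2>` +
    `<input name="q" value="${q}">` +
    `<p>${Number(hits)} hits</p>`;
}

// Stand-alone demonstration with a constructed probe that tries to close the
// attribute and inject an element.
const probe = '"><b>injected</b>';
console.log('unsafe:', renderResultsUnsafe(probe, 3));
console.log('safe:  ', renderResultsSafe(probe, 3));
```

The unsafe rendering contains `<b>injected</b>` as live markup; the safe one contains only `&quot;&gt;&lt;b&gt;injected&lt;/b&gt;`, which the browser displays as text. Escaping must be applied for the context the value lands in: this helper covers HTML text and quoted attributes, not JavaScript strings, URLs or CSS, each of which needs its own encoding.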

The PING attribute

Friday, January 20th, 2006

Firefox have decided to implement the PING attribute, the idea of it is to ensure that what people click on can be tracked with minimum impact on the user. Currently tracking is done by a link to a url which then redirects to the correct site. This takes a fraction of a second, but it does take time, and if the middle site is down the user can’t get through to the end site, even if it’s up.

The PING attribute attempts to solve this by moving the tracking from the critical path into a separate attribute which the browser POSTs to when the user “follows the hyperlink”. This feature also allows one new piece of functionality, the ability to track links within pages, so <a href="#top" ping="http://jibbering.com/tops"> would allow me to track how many times people used go-to-top links.

The use case described in the documentation is “allowing advertisers to track click-through rates without obscuring the final target URI”. It also stresses that following the pings is optional, and this has an important consequence for anyone actually deploying adverts: if you use ping rather than the current reliable tracking methods then they will no longer be counted as a click-through. So if your ad agency changes to ping, you will lose clicks that you’re entitled to. I don’t know of any online Ad agencies which are planning to use ping, but the WHAT-WG specification is controlled by a Google employee.

Of course reputable Ad agencies have their click-throughs audited by independent auditors to ensure they are accurate, so any that switch to ping will soon be forced to switch back to ensure the results - and therefore the monies - are accurately reported. It’s clear the use case described by the WHAT people is not met by the attribute; the only other use case mentioned is “track which off-site links are most popular”, hardly a particularly important use case, but if there are no downsides to the method, then does it matter?

Unfortunately there are downsides. Existing tracking methods must end up at the site the user expects to go to, otherwise they’ll be annoyed; with this method you can ping any site, for example
<a href="http://jibbering.com" ping="https://bugzilla.mozilla.org/duplicates.cgi?maxrows=10000"> would ping a bugzilla page that causes a lot of processing on the remote server, and returns a lot of data. So this sort of simple Denial of Service method is made easy; users will never know it’s happening, all they’ll see is a big slowdown in their connection as it spends its time requesting pointless resources. Then there’s the up-counting of clickthroughs itself: copy the ping attribute from your google advert onto your other links, and then any link a user leaves the page from is counted as an advert click. This is hard to track, as the ad provider is completely outside the link; the only way to check is to see if the received links match the sent links.

Like much of the WHAT-WG proposals (but not all), this is a poorly thought out proposal, and it’s disappointing that the browser vendors are not meeting it with the critical inspection they would give any other proposal. PING fails to meet its own use cases and it introduces lots of potential for abuse; if you’re creating a user agent and thinking of implementing this, think hard about what it could be used for.