508 posts tagged “security”
2009
CSRF is not a security issue for the Web. A well-designed Web service should be capable of receiving requests directed by any host, by design, with appropriate authentication where needed. If browsers create a security issue because they allow scripts to automatically direct requests with stored security credentials onto third-party sites, without any user intervention/configuration, then the obvious fix is within the browser.
Rate limiting with memcached
On Monday, several high profile “celebrity” Twitter accounts started spouting nonsense, the victims of stolen passwords. Wired has the full story—someone ran a dictionary attack against a Twitter staff member, discovered their password and used Twitter’s admin tools to reset the passwords on the accounts they wanted to steal.
[... 910 words]Weak Password Brings “Happiness” to Twitter Hacker. The full story on the Twitter admin account hack. I bet there are a LOT of web applications out there that don’t track and rate-limit failed password attempts.
The Twitter administrator hack was a dictionary attack. I quoted Blaine earlier suggesting that the recent Twitter mass-hack was due to a Twitter admin password being scooped up by a rogue third party application—this was not the case, as Alex Payne explains in a comment.
As more details become available, it seems what happened is that a Twitter administrator (i.e., employee) gave their password to a 3rd party site because their API requires it, which was then used to compromise Twitter's admin interface.
The username/password key's major disadvantage is that it open all the doors to the house. The OAuth key only opens a couple doors; the scope of the credentials is limited. That's a benefit, to be sure, but in Twitter's case, a malicious application that registered for OAuth with both read and write privileges can do most evil things a user might be worried about.
Antipatterns for sale. Twply collected over 800 Twitter usernames and passwords (OAuth can’t arrive soon enough) and was promptly auctioned off on SitePoint to the highest bidder.
2008
Researchers Show How to Forge Site Certificates. Use an MD5 collision to create two certificates with the same hash, one for a domain you own and another for amazon.com. Get Equifax CA to sign your domain’s certificate using the outdated “MD5 with RSA” signing method. Copy that signature on to your home-made amazon.com certificate to create a fake certificate for Amazon that will be accepted by any browser.
Microsoft: Big Security Hole in All IE Versions. Looks like a 0-day that’s being actively exploited.
Yahoo! yesterday launched their new development platform for My Yahoo! and Yahoo! Mail, which uses Caja to protect users from malicious gadgets. This means Caja suddenly got 275,000,000 users. Wow! I guess this makes Caja the most widely used capability language ever.
Now You Can Sign Into Friend Connect Sites With Your Twitter ID. Great. Now even Google is asking me for my Twitter password. Slow clap. How’s that Twitter OAuth beta coming along?
Warcraft account security. Apparently Blizzard have been selling two factor authentication key fobs for World of Warcraft for about six months.
Secret Geek A-Team Hacks Back, Defends Worldwide Web. Wired’s take on the story of Dan Kaminsky’s breaking-the-internet DNS vulnerability. Horrible headline.
The March of Access Control. The W3C Access Control specification is set to become a key technology in enabling secure cross-domain APIs within browsers, and since it addresses a legitimate security issue on the web I hope and expect it will be rolled out a lot faster than most other specs.
Worst. Bug. Ever. Android phones were executing every keystroke typed in to the phone in an invisible root shell! Text “reboot” to a friend and your phone rebooted. Wow.
When visiting any Web page, the site owner is easily able to ascertain what websites you've visited (CSS color hacks) or places you're logged-in (JavaScript errors / IMG loading behavior). They can also automatically exploit your online bank, social network, and webmail accounts (XSS). Additionally, the browser could be instructed to hack devices on the intranet, including DSL routers and printers. And, if that's not enough, they could turn you into a felon by forcing requests to illegal content or hack other sites (CSRF).
.. yet another ridiculous data breach: this time, people's passwords to the Government Gateway on a memory stick dropped in the road. Perhaps it is uncouth to point this out, but... if the system had been designed by people with any security clue whatsoever there would have been no passwords to put on a memory stick in the first place.
Yahoo, Caja, OpenSocial. Yahoo!’s new application platform uses OpenSocial, and protects itself from malicious JavaScript using Google’s Caja secure JavaScript engine. I hadn’t realised that Caja was ready for production use—this is excellent news.
Web Security Horror Stories: The Director’s Cut. Slides from the talk on web application security I gave this morning at <head>, the worldwide online conference. I just about managed to resist the temptation to present in my boxers. Topics include XSS, CSRF, Login CSRF and Clickjacking.
From Scandinavia with Love. Finnish security company F-Secure conduct testing of wireless cell phone viruses in a walk-in Faraday cage.
Response Splitting Risk. Important reminder that you should always ensure strings used in HTTP headers don’t contain newlines.
Clickjacking and NoScript (via) NoScript CAN protect against clickjacking, but only if you enable the “Plugins|Forbid IFRAME” option.
Dealing with UI redress vulnerabilities inherent to the current web (via) The best explanation of clickjacking I’ve seen yet, complete with discussion of a number of non-ideal potential solutions. It looks like frame busting JavaScript will defeat it, but only for users who have JavaScript enabled—which means that in this case extensions like NoScript actually make you less safe. UPDATE: NoScript is smarter than I thought; see the comments.
FB App Canvas Pages: I Think I’d Use IFrames. Facebook’s Charlie Cheever explains the difference between FBML canvas pages, iframe pages and XFBML when building Facebook apps. I’m always surprised at APIs that load untrusted content in an iframe, as it seems like an invitation for frame-busting phishing attacks.
This Week in HTML 5—Episode 7: Clickjacking. Clickjacking is when a third party site is embedded in an iframe with opacity 0 and positioned such that a click on the page actually hits a button on the now invisible third party site. Mark Pilgrim explains how the NoScript site uses this in a non malicious way to for the “install now!” button.
We've found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you're in charge of a website and haven't specifically protected against CSRF, chances are you're vulnerable.
Popular Websites Vulnerable to Cross-Site Request Forgery Attacks. Ed Felten and Bill Zeller announce four CSRF holes, in ING Direct, YouTube, MetaFilter and the New York Times. The ING Direct hole allowed transfer of funds out of a user’s bank accounts! The first three were fixed before publication; the New York Times hole still exists (despite being reported a year ago), and allows you to silently steal e-mail addresses by CSRFing the “E-mail this” feature.
html-whitelist (via) DeWitt Clinton’s web service wrapper aroud the html5lib HTML sanitiser, hosted on AppEngine.
Logout/Login CSRF. Alf Eaton built an example page (this link goes to his description, not the page itself) that uses a login CSRF attack to log you in to Google using an account he has created. Scary.
Secure mashups with dojox.secure (via) dojox.secure is brilliant and terrifying at the same time. It provides a full featured API for running untrusted JavaScript in a sandbox, by parsing and validating that code against a variant of Douglas Crockford’s ADsafe JavaScript subset. It could be fantastically useful, but it’s difficult to judge how secure this approach really is.