Thursday, January 18, 2007

Interning at Google Again

This summer, I'm going to do another internship at Google. I'll be working on Google Calendar.

Monday, January 01, 2007

Beware random CAPTCHAs found on slashdot

This CAPTCHA, found on Slashdot, is pretty silly. First, rendering it as HTML doesn't really provide much security; it wouldn't be hard to script Gecko to render the thing and feed the result to OCR. Worse, the server-side check is very insecure:
// Form handler: both the hash and the user's answer come straight from the client
if (isset($_POST['hash']) && isset($_POST['CaptchaStr']))
{
    if ($captcha->validate_submit($_POST['hash'], $_POST['CaptchaStr']))
        $Message = "Correct.";
    else
        $Message = "Incorrect.";
}

// Core check: $correct_hash is the client-supplied value, never verified
// to have been generated by this server
function check_captcha($correct_hash, $attempt)
{
    // when check, destroy picture on disk
    // ($correct_hash is used in the file path without any sanitising)
    if (file_exists($this->get_filename($correct_hash)))
    {
        $res = @unlink($this->get_filename($correct_hash)) ? 'TRUE' : 'FALSE';
        if ($this->debug) echo "\n-Captcha-Debug: Delete image (".$this->get_filename($correct_hash).") returns: ($res)";
    }
    // the "secret" is just the unsalted md5 of the answer
    $res = (md5($attempt) === $correct_hash) ? 'TRUE' : 'FALSE';
    if ($this->debug) echo "\n-Captcha-Debug: Comparing public with private key returns: ($res)";
    return $res == 'TRUE' ? TRUE : FALSE;
}

/** @private **/
function get_filename($public = '')
{
    if ($public == '') $public = $this->public_key;
    return $this->tempfolder.$this->filename_prefix.$public.'.jpg';
}

So, here are a few bad things you can do:

  • If your OCR can read half of the characters, the md5sum lets you brute-force the rest, really quickly.
  • Forget OCR. It doesn't check that the server itself generated the hash. Hash "apple" yourself, then submit that hash along with the word "apple".
  • There are no checks for duplicates. You can solve one CAPTCHA and submit it 1000000 times.
  • You can delete any .jpg file on the website, because the hash is never checked for ".." before it is used in a file path.
  • You can fill up the dude's disk by requesting lots of CAPTCHAs and never solving them.

Don't trust this kind of script!

Posting Zero-Day Scripting Exploits

It's really sad to see people posting zero-day exploits for large applications, such as this GMail exploit. First, it's not clear what this guy's motives are. Maybe he wants to get slashdotted so that the ads on his page get clicked by the massive number of visitors. He might also want a bit of fame, which is easier to get if you post a zero-day issue and then get it slashdotted.

Maybe he just wants the security issue fixed as fast as possible and, having notified the Google security folks, is unsatisfied with their response time. If that's the case, I think he was very irresponsible in posting the exploit. First, it's New Year's Day. That means response time from any website is going to be slow, so it will take longer to get something pushed out. Why not publish something like this on a weekday, when people are at work? The issue will be fixed faster, and Slashdot traffic will be higher (more ad clicks, more fame!).

It's also worth noting how dangerous such zero-day issues are. Spammers could do quite a bit of damage in a short amount of time (even if the hole was open for only an hour or two). Spammers likely have (or will acquire) pages that get a fair number of clicks (domain landing pages and porn sites are likely good candidates for this). A zero-day exploit could easily let them gather some great data for spamming. Imagine being able to send someone an email that appears to come from one of the people on their contact list, including that person's full name. It's a spammer's dream come true.

With all that said, I think the use of JSON for things like sending contact lists is becoming a large danger. I've found and reported similar issues to Google and Facebook in the last month. I bet lots of web 2.0 sites have the exact same issue. There are two easy and secure ways to fix it:

  • Use a secret token. For example, make the URL something like google.com/contacts?tok=asdfasdfasdfasdf. Make the tok a per-user string (like an HMAC of their username). If the tok isn't correct, deny the request.
  • Rely on XmlHttpRequest. Insert the code "while (1);" at the top of the JSON document. Your own pages download the document with XmlHttpRequest, strip that prefix, and parse the rest. A third-party page trying to include the document with a script tag will just hang on the loop and never get the data.