Vimeo highly vulnerable to CSRF attacks – now fixed
I recently found that vimeo.com had a cross-domain policy that allowed anyone to connect, which was an open invitation for CSRF attacks. I alerted them to the issue, and it has now been fixed.
My life with ActionScript, JavaScript and their families
The twenty-eighth idea for my 365 social ideas is about the open web and about “forcing” classic websites to export their data. Imagine sites with lots of useful information that is frequently updated, but is hidden away behind forms, in PDFs or in hard-to-scrape tables. Then imagine a website where you could provide this address and give it some guidance as to how to input data in forms and how to interpret the results. And then imagine that this website would act as a proxy, with this interaction described as a simple, queryable API, and behind the scenes would fetch data from the original website.
The sixth idea for my 365 social ideas is more about social web principles than an actual idea. And then again, it is an idea to establish a new code of conduct and standards for a Password-friendly Website Certificate. “Certificate” should be taken lightly, as it is merely two very simple questions for website owners to answer: Do you really need to ask users for a password? And if you do, do you then salt my password and one-way encrypt (hash) it before storing it anywhere? The first is of course better, but the second is necessary if you do actually ask me for a password.
I just saw a link on Facebook that I somehow had to interact with – it featured a not-that-dressed girl and said “Wanna C Something Hot?”/“Want 2 C Something Hot?” or variations of this. Well, clicking the link sent me to an external site featuring a single button and the same image urging me to click it. When clicked, I came to some porn site. But why would several of my friends post links to this site, which incidentally sent me to a porn site? Well, as I soon after saw on Facebook, I had just posted the same link on my wall for all my friends to see. How?
It is a “simple” case of “click-jacking”: the site tricks you into clicking a Facebook share button, but disguises it as some other button. Please read on for the full description.
UPDATE 2009-12-2: “Press the button or dog dies”/“Push the button or this dog dies” (located at pressthebuttonordogdies.com, but don’t go there) is a new such site. The target website is “thisblogrules.com” and the measures used are slightly different, but all in all it is the same thing.
Furthermore, I have used bit.ly for tracking how much these links have been used so far on Facebook – it is pretty striking: The “hot” girl has been shared almost 59,000 times and the poor dog has been shared 5,309 times as of this writing. You can see the direct stats from the Facebook link.getStats API here: Something Hot and Or Dog Dies
After having written about the inner workings of SnapABug, I have now looked a bit further into signed applets and their permission levels. And the conclusion is that the trust question is stupid.
SnapABug did the right thing, the only thing they could do. Untrusted (unsigned) code lives in a special sandbox and cannot use functions outside of this sandbox. The end user can change how much this sandbox has access to, but it is not trivial and the normal user would never touch that with a pitchfork. Trusted code lives in another sandbox with almost infinite possibilities. The end user can limit this sandbox too, but again almost no end user does that.
I just saw the SnapABug website and was quite impressed, until I actually tried to submit a bug. Unrestricted access to my computer – why would I grant that to an unknown applet? And why do you even require unrestricted access to all files etc. on my computer to create a screenshot?
Well, I delved into the application and found the answers – they could of course have made do with more restrictive permissions.
And for once, I am not talking bad about our company clients, but the clients in a client-server architecture.
Flash memory cheats have always been known to any good Flash game hacker and developer alike, but some still don’t know about them. Thus, when shoemoney recently posted a competition to get the best score in Desktop Tower Defence, “some guy” of course fired up Tsearch and threw a lot of points his way. The result was of course that he won (even though he cheated), and afterwards he posted a simple guide to do it.
That is why you should always have a server telling you what to do and when. More on this topic in the months to come – as a friend and I are developing a brand new game site including high-level security.