Disclosure of Gmail security problems

http://www.codeodyssey.se/upload/resource/blog/gmail-disclosure.png

This year in February an XSS problem on Google's login page was found by the security expert beNi. See the screendump above of how this "secure" SSL page could be corrupted before the development team closed it down.

Google did respond to beNi and thanked him for the discovery, but he was a bit disappointed that they did not show more gratitude than they did. I understand him. A company the size of Google should be able to show greater gratitude towards nice hackers who help them protect their applications.

Since beNi wasn't so happy, he's now saying that in the future he will not warn them before he reveals similar exploits.

So the other day he showed us a proof of concept of how a criminal can get access to all contacts in Gmail and also the Google Authentication Token. These can be found on a page that generates an XML document. Really scary, actually. If you are logged in to your Gmail account you can see it for yourself by visiting the following address.

http://groups.google.com/groups/profile/contacts?max=500

beNi continues to show how this information can be used in an attack. For this he needed an XSS flaw on Google, and he found one rather quickly. Read his blog post for more information and images. I have also saved a screendump of the last step in the exploit, which you can see above.

So from now on we know that Gmail information isn't really safely kept. The only thing a criminal needs is an XSS flaw on Google, and there seem to be quite a few. I recommend that you be careful when you see links going to Google if you're a Gmail user. If there is any doubt about the source of a link, you shouldn't click it.

Personally I don't use Gmail and only have one contact there. But the fact that the Google Authentication Token can be accessed so easily makes me really nervous. I don't want anybody to take over my Google login and start playing around with my AdSense accounts and the other services I use.

Also read ha.ckers.org, which comments on the disclosure.

By Jesper Lind

Cheap web hosting and email trouble

We've been having some trouble with our email last week. Our contact form didn't work. Please try again if you contacted us and did not get any reply.

This is because our web hosting company, Scanhost.co.uk, has been having some trouble with the upgrade of its mail servers. Only our English domain has been affected, and it is still not working.

But I'm sure they will fix this soon. If you're looking for a cheap web host with good support I can highly recommend Scanhost.co.uk.

By Jesper Lind

More about the bad support for URL-rewrite in ASP.NET

I really love developing on ASP.NET with C# and will definitely continue using this technique from Microsoft. But everything cannot be perfect. To me, the greatest shortcoming of the framework is that there isn't any good native support for URL rewriting. I have written a bit about it before.

It's especially in the IIS 6 web server that the limitations exist. In the newer IIS 7, which will be released together with the Longhorn server, there will be better solutions for creating URL rewrite rules. But there is some time left until that system is released, so it doesn't help us right now.

What you can do at the moment is to use ISAPI filters, but that presupposes that you are running your own dedicated server or are on a web host that will install one for you. Jeff Atwood at Coding Horror writes more about the two most common ISAPI solutions for IIS.

One of the greatest critics of the situation is probably Mike Schinkel. This is the guy who started wiki.welldesignedurls.org and the companion blog, which contain a lot of great resources on the subject.

On his personal blog Mike is not holding back on the criticism. In a recent post with the headline "IIS 7.0: Too Little, Too Late?" another Mike (Program Manager for Microsoft's IIS team) enters the discussion and expresses his regrets over the bad situation.

The first Mike continues in another post with a list of all the alternative server technologies and asks his readers which one they recommend he switch to instead of ASP.NET.

I think it's really good that a lot of developers pay attention to the problem. Microsoft tells us that IIS 7 will not be available for Windows 2003, and that's a real pity. The new techniques are too deeply tied to the Longhorn system, they are saying.

But who knows, after all this begging from developers perhaps Microsoft can spare some resources on it. It would be absolutely wonderful. My tip is to do a simpler upgrade of IIS 6 that implements the same URL rewriting as the upcoming web server, and name it something like IIS 6.5.

By Jesper Lind

Invitation to Trig

http://www.codeodyssey.se/upload/resource/blog/join-trig.png

Have you heard about Trig.com? It's a new community developed by a Swedish company, and it is similar to MySpace.

If you like the concept of MySpace you will love Trig. Everything is much more nicely designed and the functionality is easier to use. I have been using the beta version of Trig for some months and have met a lot of fun people. It's really interesting to be part of creating a community like this from the beginning.

I now have a few invitations to give away. If you want to give it a try, just write a comment on this post and leave a valid email address. Your email will not be published on this blog, but I will get it and send you an invitation.

See you on Trig!

By Jesper Lind

Security issues with Swedish news sites

http://www.codeodyssey.se/upload/resource/blog/DN-achtung.png

Some time ago I wrote about a German site that provides a list of web sites vulnerable to XSS attacks. The owner of the site found the link and asked me to translate it into English so he could understand it.

During our discussion I told him that it would be interesting to see how secure Swedish web sites are. The security expert who calls himself "beNi" asked me to make a list of some well-known sites. I chose some that were fresh in my memory and have been in focus lately.

News sites:

Aftonbladet.se
DN.se
SvD.se

Blog portals:

Bloggportalen.se
Twingly.se
Knuff.se

A great disappointment

I got a reply from beNi, and he tells me he has done some research. He only investigated DN, SvD and Twingly. The other three sites on the list loaded too slowly for him to work with (even though he has a 6 Mbit connection).

He found a whole bunch of insecure pages within a few minutes. Both DN and SvD contain some holes, as you can read on his blog. There are also five examples of URLs showing how these issues can be abused.

Examples of XSS-vulnerabilities

These are the examples. I have also uploaded some screenshots of how the pages look when you visit them at the moment. These links are not dangerous to visit, but if you see something similar anywhere else I would strongly suggest not trying them.

Security problem 1 - DN.se (issue secured) (screendump)

Security problem 2 - DN.se (issue secured) (screendump)

Security problem 3 - Koll.se (issue secured) (screendump)

Security problem 4 - SvD.se (issue secured) (screendump)

Security problem 5 - SvD.se (issue secured) (screendump)

Twingly was safe from security issues. The site uses ASP.NET, which has a lot of built-in protection. Microsoft has realised the importance of protecting against XSS and has also released special APIs for protection. I will write about these at a later time.

DN, which uses Java, and SvD, which runs on classic ASP, were not so successful in the test.

Developers must wake up

It is quite embarrassing to see that news sites of this size don't have complete control of their web app security. Web masters must wake up and realise that you are not only risking the security of your own sites. The main thing about cross-site scripting is that it can be used to target other sites than the domain the flaw is found on.
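As an added illustration (not code from this post or from any of the sites named), here is a Python sketch of the difference the post points at: a search page that concatenates the query parameter straight into its markup the way classic ASP code often does, the same page with context-aware output encoding, and a simplified stand-in for the kind of request validation ASP.NET ships with. The heuristic, the page layout and the sample inputs are all assumptions constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Simplified stand-in for framework-level request validation: reject any
# value in which "<" is directly followed by a letter, "!", "/" or "?"
# (the shapes a browser would parse as a tag). This is an approximation
# for illustration, not the real ASP.NET rule set.
LOOKS_LIKE_MARKUP = re.compile(r"<[a-zA-Z!/?]")

def request_validation(value: str) -> bool:
    """True when the value passes the heuristic input filter."""
    return LOOKS_LIKE_MARKUP.search(value) is None

def render_unsafe(query: str) -> str:
    """Search page in classic-ASP string-concatenation style: the parameter
    is written straight into the markup, which is exactly reflected XSS."""
    return ('<h1>Search: ' + query + '</h1>'
            '<input name="q" value="' + query + '">')

def render_safe(query: str) -> str:
    """Same page with output encoding chosen per context: HTML-body encoding
    for the heading, attribute encoding (quotes included) for the value."""
    return ('<h1>Search: ' + html.escape(query, quote=False) + '</h1>'
            '<input name="q" value="' + html.escape(query, quote=True) + '">')

class TagCollector(HTMLParser):
    """Records every start tag and its attribute names, i.e. what a browser
    would actually act on when it parses the rendered page."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

def parsed_tags(page: str) -> list:
    collector = TagCollector()
    collector.feed(page)
    return collector.tags

if __name__ == "__main__":
    # Constructed sample inputs: the first is the classic tag injection,
    # the second carries no "<" at all and so slips past the input filter,
    # yet still adds an event-handler attribute on the unencoded page.
    for q in ('<script>alert(1)</script>', '" autofocus onfocus=alert(1) x="'):
        print("input filter passes:", request_validation(q))
        print("  unsafe page tags:", parsed_tags(render_unsafe(q)))
        print("  safe page tags:  ", parsed_tags(render_safe(q)))
```

The lesson the parser output makes visible is that the input filter only catches one shape of attack, while encoding at the output context keeps both inputs as plain data.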

Update: There have been some responses to the Swedish version of this post, where I have documented the developments more in depth. In short, the following has happened.

Two of the links above were indexed by Twingly, which is a ping service connected to the news sites. That meant that this post was linked to from both of the news sites in connection with some articles, and received quite a lot of visitors.

I would like to thank Martin, who works on Twingly, for pointing out that the URLs were normalized before they entered their system. Whether these links should have been indexed at all by the blog portal is still questionable.

I also temporarily removed the links, since I felt a bit guilty about publishing them without giving the site owners a warning first. I did email both of the news sites rather quickly after I wrote the blog post. SvD replied and thanked me for letting them know. They have now secured the issues, and I congratulate them on their swift action.

The issues on DN.se still remain unfixed, and I have not heard anything from them. I will give them some time to fix the problems before I publish the links on my site again.

I want to keep these XSS links on my site as a reference for other developers. They might be useful for web masters to realise what kind of threat they are up against. The other reason I would like to keep the links on my site is that I would like to study how the search engines respond to them. Will they, for example, be indexed by Google? Will they still work in the cached versions? It will be interesting to find out.

Update 2: We are happy to notice that DN has also fixed their security problems. Both sites managed to shut down their XSS flaws in only 1-2 days, which is really good.

By Jesper Lind

Films about social media and citizen journalism

http://www.codeodyssey.se/upload/resource/blog/teaching-the-machine.png


Everybody who writes and sorts data on the web helps to create the collaborative intelligence. This first film contains clippings from an article in Wired. We are teaching the machine...


The next clip is about citizen journalism. Cambridge Community Television does a historical review of alternative media.


The last film is called "Blogumentary" and takes us through the story of some famous bloggers in the USA. Directed by Chuck Olsen.

(thanks Beta Alfa)

By Jesper Lind

List of web sites vulnerable to XSS

Some time ago there was proof that Google had indexed an XSS link pointing to the web site of the FBI (screendump).

Just as expected, the threat of cross-site scripting is now growing, and ha.ckers.org writes about a German site which provides a top list of web sites vulnerable to XSS attacks.

As I understand it, the list is quite useful for "black-hat" optimizers, who can use the vulnerabilities to inject their own code in the URLs and in this way include their own links and keywords. To spam the SERPs, in other words. Next to each site in the list there are PR values, so that they can easily choose which target might be rewarding.

The list mostly features German addresses, but there is also a Danish web shop included. No Swedish addresses so far. That the well-known security company Verisign is at the top of the list is rather alarming. The XSS vector for this site I have not been able to try out, since you have to contact the owners of the site for access.

But many of the security holes do work, and the developers of the site provide examples with messages about their services – they offer advice on how to solve the issues.

Since XSS code is normal JavaScript, it is very hard to distinguish evil code from the ordinary. Every piece of script can be written in a great number of variations, for example with the use of hexadecimal characters.

As long as the search engines continue to index these hijacked URLs the problems will continue. There are not many site owners who are aware of this new type of attack. The risk of being shut out of the search engine results is big if you have a vulnerability of this sort. A bad guy can start using it to distribute their own content that seems to be coming from your domain.
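The encoding variations described above, together with the URL normalization that Twingly does before indexing (mentioned in the earlier post about the Swedish news sites), suggest the kind of check a ping service or search engine can run before it indexes a link. The following Python is an added example, not code from any of the services named; the host, parameter names and sample URLs are constructed for it.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit, unquote

# Things that have no business inside a query-string value of a news-site
# or blog-portal URL once all the encoding layers are peeled off.
MARKUP = re.compile(r"</?[a-z!?]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

def canonicalize(value: str, rounds: int = 3) -> str:
    """Peel off the layers an XSS link typically hides behind: repeated
    percent-decoding (double encoding), HTML character references such as
    &#x3c; or &#60; (the "hexadecimal characters" of the post), and NUL
    padding. Stops early once a round changes nothing."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value.replace("\x00", "").strip()

def flag_url(url: str) -> list:
    """Names of the query parameters whose canonical value carries markup.
    An empty list means the URL is fine to index as-is."""
    query = urlsplit(url).query
    return [name for name, raw in parse_qsl(query, keep_blank_values=True)
            if MARKUP.search(canonicalize(raw))]

if __name__ == "__main__":
    # Constructed sample URLs on a made-up host: the first and last are
    # ordinary searches (note "a < b" is not flagged), the others carry the
    # same kind of injection in different encodings.
    samples = [
        "https://news.example/search?q=valutakurs&page=2",
        "https://news.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E",
        "https://news.example/search?q=%253Cscript%253Ealert(1)",
        "https://news.example/search?q=%26%23x3c%3Bimg+src%3Dx+onerror%3Dalert(1)%3E",
        "https://news.example/article?id=123&ref=javascript%3Aalert(1)",
        "https://news.example/search?q=a+%3C+b",
    ]
    for url in samples:
        print(flag_url(url) or "clean", url)
```

The check is a heuristic for an indexer's intake, not a substitute for the site itself encoding its output; a flagged URL is one to drop or to index only in its normalized form.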

By Jesper Lind