OK, in the last few minutes you will have gotten a few tweets of people explaining that they like to have intercourse through the backdoor with goats. This is a Twitter exploit – probably initiated by someone doing a security talk (I know some people who would be devious enough).
The exploit is actually easy – the main ingredients are:
Twitter allowing updates through the API via IFRAMES and GET thus being vulnerable to CSRF attacks
PasteHTML.com being vulnerable to render code without a secure site around it and executing it
Clients or Twitter automatically applying the t.co link shortener
The code to execute the “worm” is hosted at http://pastehtml.com/view/1b7xk3b.html so Twitter should contact them – (I just did):
Nothing magical there – all you do is create two SCRIPT files that point to the twitter update API and send a request to do an post. As the user who clicked on the malicious link is authenticated with twitter you can send them on his behalf. It is the same trick that worked for the “Don’t click this button” exploit or my demo at Paris Web last year how to get the updates of a protected Twitter user.
The effects of this are a mixed bag
Bad: People stop trusting the t.co shortener after it was actually installed to be a trustworthy link shortener. The link shortening service is not compromised – this is one thing that can’t be blamed on Twitter
Bad: There is a flood of wrong messages on Twitter
Good: people talk about the exploit and how it was done
Good: people get more conscious about clicking links
Good: Twitter have to harden their API agains CSRF
Bad: this will break some implementations
I fell for the trick, too – especially as I didn’t expect PasteHTML to render code instead of sanitizing it.
Update: As some clever clogs just pointed out in the comments, JSBin is also vulnerable to hosting code that will be executed. One thing I do to check malicious links is to use curl in the terminal:
If you don’t know JS, that doesn’t help you but if you do you can warn the world.
Last week I went to Paris, France to speak at a Yahoo Developer Network event and Paris Web. Paris Web is a web development, design and accessibility conference that runs for the fourth year (I think) and I’ve been speaking there for the third time.
My presentation – basic housekeeping
Originally I planned to speak about my favourite topic – the web of data and how to use it – but the organisers had other plans for me. Normally I hate changing my topic and being asked to do specials but I have a fond spot for Paris Web so I talked about web security instead. The slides of my “basic housekeeping” talk are available on SlideShare:
In the talk I covered some very basic measures you can take to protect your web site from becoming a spam hub, part of a botnet or simply get spammed. I pointed out the following mistakes people make:
Underestimating the severity of web application security holes – it is not about your server but also about users who use the same passwords all over the place.
Keeping folders listable and thereby allowing people to find vulnerable scripts and dig into data they shouldn’t be able to see (the example I showed was eat.co.uk failing to protect their /cgi folder and thus allowing full access to an admin section and listing their DBs)
Allowing search engines to index admin sections of web applications (I proposed using robots.txt but as one attendee pointed out in the Q&A protecting with .htaccess makes a lot more sense)
Keeping error messaging on and thus allowing people to gain insight into your server setup
Having an insecure PHP setup with globals enabled which would allow for overriding security checks and remote code injection (using phpsecinfo can help you find these issues)
Blindly relying on software and not testing installs. Also, not overriding preset users and passwords (as an example try the user and password “builtin” on any Ektron-powered web site)
Not keeping installs and plugins up-to-date
Leaving information inside the HTML by commenting out in HTML - always comment on the server side.
Allowing for inclusion into iframes and thus allowing for clickjacking.
Failing to provide easy to use and stress-free interfaces and thus allowing for social engineering (“This is too hard for you, give me your password and I will fill this out for you”).
Staying authenticated and logged in over a longer period and thus allowing attackers to make you click on web sites that contain CSRF traps (the example was demo code that could get protected Twitter updates).
Giving users the impression that you are the one responsible for security instead of it being the job of both the user and the site provider.
Relying on Captchas as a sole measure against bot attacks (check PWNtcha for a captcha cracking tool).
Not keeping their software up-to-date
Not periodically checking their logs for hacking attempts.
I then quickly went over some of the ideas we now have in place to make the web easier to use and at the same time safer: Guest Passes, One-off logins, oAuth, OpenID and Caja.
I explained the security threats and trends in phishing social networks, the mobile web, camera access, geo location access and biometric recognition.
I had good feedback and I love speaking in France. You can make jokes and people are happy to laugh out loud when you bring up things that are just not expected.
The location is very luxurious (IBM’s HQ in France) and has all the latest systems you need for presenting – microphones, a great projection system, on-stage monitors, live translation and so on. The catering was very impressive and the food was – well, it is France, we don’t need to say more.
Double budget approach
The other great thing that Paris Web does that other conferences should copy is that on the day after the conference there are workshops with the speakers who are happy to give them for a very low price (last year it was 10 Euro, not sure what it was this year). This allows students that cannot afford the main conference to come only on Saturday and still take advantage of the experts coming to Paris.
All in all I am always very proud to be part of the conference and to see the enthusiasm and great things that happen in France when it comes to advocating web standards, future technologies and ways to work professionally as web designers. The strong streak of accessibility and usability that compliments the high-tech talks makes it a useful conference for anybody who creates any work on the web.
Alas, there is one issue.
The language barrier
As the conference is held predominantly in French, a lot of the great insights, information and practices is lost for non-francophones. This is a shame as I am very impressed with the pragmatic approach of the talks. There is not much “blue sky” thinking but very down-to-earth information on how to build better products, how to talk to your boss in the right way, how to make web development an important part of your company’s portfolio and a lot of talks about quality of our work and pragmatic accessibility. All the talks are filmed and recorded and it would be a great step for Paris Web to translate the transcripts – maybe that is something that can be done with crowdsourcing?