Thursday, December 16th, 2010
OK, it is not the end of the world yet, but a leaked screenshot of the latest Yahoo all-hands shows that delicious has no bright future in the company.
So in order to preserve the years of work I put into this web service of awesome I am backing up my data. There are a few simple ways:
You can then import and sync your bookmarks in your browser of choice or upload them to Google Docs.
As to the future? Who knows?
Sunday, September 26th, 2010
OK, in the last few minutes you will have gotten a few tweets of people explaining that they like to have intercourse through the backdoor with goats. This is a Twitter exploit – probably initiated by someone doing a security talk (I know some people who would be devious enough).
The exploit is actually easy – the main ingredients are:
- Twitter allowing updates through the API via IFRAMES and GET thus being vulnerable to CSRF attacks
- PasteHTML.com being vulnerable to render code without a secure site around it and executing it
- Clients or Twitter automatically applying the t.co link shortener
The code to execute the “worm” is hosted at
http://pastehtml.com/view/1b7xk3b.html so Twitter should contact them – (I just did):
Nothing magical there – all you do is create two SCRIPT files that point to the twitter update API and send a request to do an post. As the user who clicked on the malicious link is authenticated with twitter you can send them on his behalf. It is the same trick that worked for the “Don’t click this button” exploit or my demo at Paris Web last year how to get the updates of a protected Twitter user.
The effects of this are a mixed bag
- Bad: People stop trusting the t.co shortener after it was actually installed to be a trustworthy link shortener. The link shortening service is not compromised – this is one thing that can’t be blamed on Twitter
- Bad: There is a flood of wrong messages on Twitter
- Good: people talk about the exploit and how it was done
- Good: people get more conscious about clicking links
- Good: Twitter have to harden their API agains CSRF
- Bad: this will break some implementations
I fell for the trick, too – especially as I didn’t expect PasteHTML to render code instead of sanitizing it.
Update: As some clever clogs just pointed out in the comments, JSBin is also vulnerable to hosting code that will be executed. One thing I do to check malicious links is to use curl in the terminal:
If you don’t know JS, that doesn’t help you but if you do you can warn the world.
Wednesday, March 3rd, 2010
Yesterday, actually ten minutes before I had to leave for Kilburn to give my talk at ignite I had a shocking moment. I found in one of the sub-folders of my vast server a blog that offers cheap OEM software:
All of these links sooner or later redirect to firemicrosoft.net which is owned by someone in Russia and hosted by GoDaddy.
Don’t make folders writable to the world
What happened is that I had a very old guestbook script I had written once still running in this folder. The trick back then (and advocated by a lot of PHP tutorials as it is much easier that way) was to
chmod a folder to 777 (read/write/execute permission for all) to store flat files in it. That was good enough for me back then (around 2000) and guess what? It was good enough for the spammers to store their blog.
Static page generation – in bulk
The blog was set up quite craftily in terms of SEO: Search Engines love static pages, so instead of accessing a DB - which wasn’t compromised – they simply created static pages for all the search queries that came in. After all this is about showing links and Google juice, not about delivering content. In the end, I found that I had 23487 HTML files advertising spam. Thank god for SSH access as this would have taken some time to delete over SFTP.
I investigated last night and I am happy to say that this is all that happened. If I found a folder to store whatever I pleased into I’d have also tried to read other files, including the
wp_config.php for example.
Google Reader as a whistle blower
The interesting part about this is how I came to find out about it: Google Reader. I have a Google blog search RSS feed in my reader that notifies me every time someone links to http://wait-till-i.com – I found this much more useful than trackbacks which seem only to be used by spammers these days anyways:
In this feed I got a lot of posts from http://vancouverisawesome.com/:
I thought at first that this is because of http://winterolympicmedals.com – after all it is timely for that. When I looked at the source code of this site, however, I found that just before the closing BODY tag spammers had injected links to different sites advertising OEM software:
width:100%; height:20px; z-index:1; visibility: hidden”>
[... lots of links interspersed with random HTML …]
At first I sniggered about them linking to a folder on my site I know that doesn’t exist but when I clicked the link and found the blog my smile vanished quickly.
See the whole stuff on pastebin – as you can see, all in all eight sites were attacked the same way.
What I find curious is that the links on vancouverisawesome are hidden and seem to still be indexed by Google – I remember being almost kicked out of AdSense once for absolutely positioning ads. Also, the links might be on the top of the screen but in the document are way down the tree, and vancouverisawesome is quite packed with links already.
I’ve cleaned up my server and I have contacted the maintainers of the other seven sites (and got a lot of “thank you” for that). I also contacted vancouverisawesome about them having spam links in the bottom. This is a pretty common attack (we had it on Ajaxian.com, too) targeted at WordPress installs.
How to avoid all this (and how to detect it)
So in order to make sure that this doesn’t happen to you:
- Do not leave folders writable to the world – if a piece of software tells you that you need to do this tell them to change it – it is inviting spammers like a dog turd invites flies.
- Do monitor your incoming links – if I hadn’t had the blog search RSS feed running I probably wouldn’t have found the blog until it really showed up in my traffic stats.
- Always upgrade your WordPress install – this is automated now and takes a second – there is no excuse not to.
- Redirect or – in the most extreme case – delete old things on your server that you don’t maintain any longer.
Wednesday, February 10th, 2010
Things that made me happy this morning:
Monday, January 18th, 2010
Things that made me happy this morning: