May 27, 2012: Not busting frames considered harmful
Earlier this year I contacted Yahoo, Foursquare, Flickr, LinkedIn, etc. about a flaw in their OAuth implementations. They had all overlooked a security consideration in the OAuth spec (OAuth 1.0a here): the section that describes how an OAuth authorize page must prevent itself from being put in a <frame>, or else the page is vulnerable to clickjacking.
Clickjacking on a page like this would let an attacker force someone with a logged-in session on one of these vulnerable sites into granting a malicious application access to their account. See the video below for a short demonstration.
At this point, all of those notified have addressed the issue. But anyone else with an OAuth authorize page (or really any website where your users have sessions) should make sure their pages can't be clickjacked by being put in a frame. Use as a first pass to check whether your page is vulnerable.
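A first-pass check of the kind described above can be done against the response headers alone, since a page that is allowed to be framed is the precondition for this clickjacking. The script below is an added example, not code from the original post; it evaluates the two headers that control framing, X-Frame-Options and the Content-Security-Policy frame-ancestors directive (the latter post-dates this post and overrides X-Frame-Options when both are present). The header sets it runs over are constructed samples, not captured from any of the sites named.

```python
"""
Decide from response headers whether a page (e.g. an OAuth authorize page)
can be put in a <frame> by another site. Added example; the sample header
sets below are constructed, not captured from any real site.
"""

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def frame_protection(headers):
    """
    headers: dict of response header name -> value (any letter case).
    Returns (protected, reason).

    Rules applied:
      * frame-ancestors takes precedence over X-Frame-Options when both exist.
      * 'none', 'self' or an explicit origin list restricts who may frame the page;
        '*' or a bare scheme such as https: lets any site frame it.
      * X-Frame-Options DENY / SAMEORIGIN protect; ALLOW-FROM is obsolete and
        ignored by current browsers, so it is treated as no protection.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy")
    if csp:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is not None:
            if "*" in sources or any(s.lower() in ("http:", "https:") for s in sources):
                return (False, "frame-ancestors allows any origin to frame the page")
            return (True, "frame-ancestors restricts framing to: " + " ".join(sources))

    xfo = h.get("x-frame-options")
    if xfo:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return (True, f"X-Frame-Options {value}")
        if value.startswith("ALLOW-FROM"):
            return (False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")
        return (False, f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore it")

    return (False, "no anti-framing header; page can be framed by any site")


# Constructed sample responses for an authorize page (not real captures).
SAMPLES = {
    "authorize_unprotected": {"Content-Type": "text/html"},
    "authorize_xfo": {"X-Frame-Options": "SAMEORIGIN"},
    "authorize_csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_overrides_xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
}


def audit(samples):
    """Map each sample name to True (protected) or False (frameable)."""
    return {name: frame_protection(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = frame_protection(hdrs)
        print(f"{name:24} {'OK        ' if ok else 'VULNERABLE'} {why}")
```

The "csp_overrides_xfo" sample is the case worth remembering: a DENY header does nothing once a CSP frame-ancestors directive is also sent, so a permissive CSP added later silently reopens the hole. A JavaScript frame-busting script is a weaker fallback for old browsers; the header is what current browsers actually enforce.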
Thanks to Dan Kaminsky and Jeremiah Grossman for providing advice through the disclosure process.
Full list of those contacted:
* Gowalla (now part Facebook)
* Twilio Connect
sqlite3 ~/Library/Application\ Support/Google/Chrome/Default/History "delete from urls where url like '%removeme.com%';"
Use the above command to purge specific history items (in this case 'removeme.com') from your Google Chrome history on Mac OS X! This saved me time at work purging old invalid URLs that Chrome kept suggesting to me. It's just a SQLite database, so you're free to manipulate it in a number of other ways if you'd like.
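The same purge done from Python, as an added example that is not part of the original post. It builds a constructed in-memory database with a simplified copy of Chrome's urls and visits tables (the real History file has more columns; the visits table references urls.id, so rows there are removed too, which the one-line shell command above leaves orphaned), binds the search string as a query parameter instead of splicing it into the SQL, supports a dry run, and can restrict the match to the host so a URL that merely mentions the domain in its query string is kept. To use it on a real History file, close Chrome first (it locks the database) and run it on a copy.

```python
"""
Purge history rows for a domain from a Chrome-style History database.
Added example. The schema and rows below are a constructed, simplified
stand-in for Chrome's real `urls` and `visits` tables.
"""
import sqlite3
from urllib.parse import urlsplit

SCHEMA = """
CREATE TABLE urls (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    url TEXT NOT NULL,
    title TEXT,
    visit_count INTEGER NOT NULL DEFAULT 0,
    last_visit_time INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE visits (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    url INTEGER NOT NULL REFERENCES urls(id),
    visit_time INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample rows, not anyone's real browsing history.
SAMPLE_URLS = [
    (1, "https://removeme.com/login", "removeme"),
    (2, "https://www.removeme.com/old/page", "stale page"),
    (3, "https://example.org/", "keep me"),
    (4, "https://example.net/?ref=removeme.com", "mentions the domain, hosted elsewhere"),
]
SAMPLE_VISITS = [(1, 1), (2, 1), (3, 2), (4, 3), (5, 4)]  # (visit id, urls.id)


def build_sample_db():
    """Create the in-memory sample database and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO urls (id, url, title) VALUES (?, ?, ?)", SAMPLE_URLS)
    conn.executemany("INSERT INTO visits (id, url) VALUES (?, ?)", SAMPLE_VISITS)
    conn.commit()
    return conn


def hosted_on(url, domain):
    """True if the URL's hostname is `domain` or a subdomain of it."""
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)


def purge_history(conn, domain, dry_run=True, host_only=False):
    """
    Delete urls rows (and their visits) matching `domain`.
    The LIKE pattern reproduces the shell command's substring match; with
    host_only=True only URLs actually served from the domain are removed.
    Returns the list of URLs removed (or that would be removed in a dry run).
    """
    pattern = f"%{domain}%"  # bound parameter: the domain cannot alter the SQL
    rows = conn.execute(
        "SELECT id, url FROM urls WHERE url LIKE ? ORDER BY id", (pattern,)
    ).fetchall()
    if host_only:
        rows = [r for r in rows if hosted_on(r[1], domain)]
    if not dry_run and rows:
        ids = [(r[0],) for r in rows]
        conn.executemany("DELETE FROM visits WHERE url = ?", ids)
        conn.executemany("DELETE FROM urls WHERE id = ?", ids)
        conn.commit()
    return [r[1] for r in rows]


def remaining(conn):
    """(number of urls rows, number of visits rows) left in the database."""
    urls = conn.execute("SELECT COUNT(*) FROM urls").fetchone()[0]
    visits = conn.execute("SELECT COUNT(*) FROM visits").fetchone()[0]
    return (urls, visits)


if __name__ == "__main__":
    db = build_sample_db()
    print("substring match would remove:", purge_history(db, "removeme.com"))
    print("host-only match would remove:", purge_history(db, "removeme.com", host_only=True))
    purge_history(db, "removeme.com", dry_run=False, host_only=True)
    print("remaining (urls, visits):", remaining(db))
```

Run the dry run first and read the list: the substring match from the shell command also catches the example.net URL that only carries removeme.com as a query parameter, which is exactly the kind of row you may not have meant to delete.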
A few months ago I picked up a functioning old soda machine off craigslist. This machine was built in 1977 and has been comfortably vending soda the same way for over 30 years. That's boring, let's make this retro machine a little more modern!
Vender has its credit functions and dispense buttons electronically controlled, and has two capacitive touch sensors to dispense free soda if you know the secret place to put your hands. It also has a police beacon light on top of it to signal when someone remotely dispenses a can. All of this is on a platform connected to the internet, enabling operation from a website (buyusbeer.com) or my iPhone! It makes for a great living room decoration, and always serves up ice cold soda (and beer).
Since I'm moving out and traveling this summer, my roommates and I are selling Vender on eBay. A portion of the sale goes to support the Kiva foundation. Check it out.
Here’s the Phidget 8/8/8 control board at the heart of Vender. This is used to send signals to the relays, and to react to the input from the touch sensors. The control board is connected to an old P4 computer I was able to scrounge up around MIT. The computer runs all the code that lets Vender interact with the internet.
Somewhat like my door, Vender can be controlled from my iPhone. I have two buttons on my home screen, 'Soda' and 'Beer', that perform their respective functions. This is the easiest way to dispense from the machine! Though a number of times I have pushed it while I'm away only to find a warm beer sitting in the machine when I come back.
Wires going in to the credit pins
Vending machines from this era are all equipped with Jones plugs between the coin mechanism and the rest of the machine. The coin mechanism handles the tricky task of accepting money and giving back change, and then just tells the rest of the machine when a soda has been paid for. After trolling the soda-machines.com forums, I learned that to establish credit you just need to momentarily connect pins 1 and 7 on the plug. I snaked two wires to these pins and then connected them with a relay operated from the control board. The original coin mechanism is still plugged in.
The button relays are a bit less elegant. After finding the electrical diagram of the machine on the manufacturer's website (thanks Fawn Vending Systems!), I cut and stripped the wires coming out of each button's microswitch. Then I spliced in another loop through a relay so that I can simulate a button press from the control board. The microswitches are still connected, so the buttons still work otherwise.
Behind the front panel are two Phidget touch sensors based on the QT110 chip. These sensors work by detecting small variations in capacitance caused by something like a human finger. They work through any dielectric material (in this case plastic) and don't require actual touch, only proximity of about 1/4 inch. With the light off on Vender their presence behind the plastic isn't noticeable.
Vender in Buy Us Beer mode
My roommates (Tom and Jonathan) put together a website and hooked Vender up to the general internet at http://buyusbeer.com . Here we stream a live video of our living room and the machine. You can pay $1, see a countdown before the beer comes out, and then watch us drink it. We're operating it on Friday nights and it's been surprisingly popular among our friends as well as the reddit community. We don't really make any money off it, especially considering PayPal takes 30 cents from every dollar, but we've sold a surprising amount of beer.
My roommates and I are all moving out in a few weeks, so we're putting the vending machine, electronics, and buyusbeer.com website/domain on eBay. 10% of the sale is going to Kiva. If you're curious, check out the sale at eBay.
It's pretty well established that "email AT domain DOT com" offers only marginal protection from spammers getting your email address, but sometimes it makes it even easier. Look at this Google query for "at gmail dot com" restricted to LinkedIn.com.
From a search like this I can harvest thousands of reliable email addresses off linkedin.com, or the general internet, using only the search engine's context. In fact, I did; here are 500 gmail addresses from LinkedIn with the last few letters removed.
Search engines don't index special characters, so an email of the form "firstname.lastname@example.org" is protected from this sort of discovery. The basic trouble is that "email AT domain DOT com" is completely indexed by search engines, and it's unique enough that whenever you see "at domain dot com", you know it's part of an email address.
If you really want to evade an email harvester, put up an image of your address, use some CSS/JS obfuscation techniques, or encode your email in a simple statement like 'my last name at gmail.com'.
Personally, I already get enough spam, and gmail provides excellent enough spam filters, that I don’t mind spreading my real email address around anyway. Go ahead, send me a note at email@example.com if you wish!
I've gotten enough requests for the code that I figured I should just release it into the wild. Use this only as an example of how to do some fancy things with Phidgets, not as an example of how to actually write good code! You can check out the nasty threads and the door protocol that requires every message to start with 'awesomesauce'! Enjoy.
Here’s the story of iDoor, the iPhone controlled hydraulic dorm room door. Enjoy. Credits to Greg Schroll for most of the hardware.
Life at MIT can be tough. With all the problem sets and projects taking up time, when I come back to my dorm room to crash, I don't want to waste time opening doors myself! That's why my room is outfitted with an iPhone-controlled hydraulic door opener and unlocker. Just tap the "iDoor" app on my phone's home screen, and the door opens for me. It's 2009 after all, about time we stopped carrying around shaped bits of metal to open up locked doors.
Chris Varenhort's iPhone has one special app...
When security isn't my chief concern, I can even ditch the phone altogether and just give iDoor a 'secret' knock (not so secret any more) and let the vibration sensor trigger the door opening. See the video above for the full run-through.
Update: How did this become my #2 Google hit?? For you googlers I see, why don't you go somewhere else.
5. As your final hour approaches, you bequeath your belongings to charity and those around you.
4. You spend your last days surrounded by friends and family.
3. You’ve been in pain for so long already, that in the end, you’re happy to go.
2. There’s an elaborate ceremony with inspirational messages to mark your passage.
1. You know you’re going to a better place.