
Frozen?
uhh, won't your browser be frozen for 2 minutes then? I'm not gonna let a webpage load for that long (the examples I've seen of the history sniffing freeze my Firefox, at least).
In a disclosure that has implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has perfected a technique for stealing unique identifiers used to prevent unauthorized access to email accounts and other private resources. Websites typically append a random sequence of characters to URLs after a …
Use Firefox. Set options to delete everything when a session is closed. When going to a site where money or personal accounts are going to be accessed, bring up a browser from scratch and visit no more than 1 site per browsing session. Paranoid? You betcha. There are people far smarter than I out there.
Beer, for the money you don't hand over to hackers, crackers, whatever they are calling themselves these days.
a 20-character code and it'll take vast amounts of time until someone invents a useable quantum computer? Doesn't sound too bad.
Is there any way of seeding your history so the CSS History Hacking throws up some sort of token that can be used to track down whoever's trying to get your details? Sort of a reverse-Spam (i.e. you're sticking unwanted, unneeded crap on your computer); they'd read off that I'd been to a secure page on, say, egg.com (which isn't my bank in real life or the example) and the bank's website had used token ABC123.
Villain then goes off and tries to connect to egg.com with token ABC123, it's flagged up by a program on egg's computers and details of the computer used to try to connect are recorded or sent off to the police or whatever.
Bish bash bosh, job's a good 'un, villain is known or can be tracked down.
All forms will henceforth be sent using POST, over SSL, and JavaScript will be checked for and if found the operator of the browser will be told how important it is to turn it off.
Really, it's getting stupid, you can't run a browser for five minutes without the latest web 2.0 threat poised to squish you.
Cheers,
Sabahattin
PS: hang on, how about a web tag that says, "Stop following me everywhere for my domains/subdomains"?
I have to admit that I haven't thought very much about this and I'm tired and hungry but two points spring to mind...
1) Nobody with any sense would pass the session token for a security critical application in the query string these days. You'd use a cookie instead, precisely so it doesn't appear in the user's history, etc. This is especially true because we're in an age where nobody thinks twice about sharing URLs with their mates, Twitter, their blog, etc and you can bet your bottom dollar that the vast majority don't take care to remove session tokens from URLs before doing so even though sessions can remain valid for weeks or months.
Put the session token in the URL and you deserve to end up with it all over the web. The proportion of people who have cookies blocked these days is so close to nil as makes no odds. There's no point coding to a 'no cookies' requirement in the same way there's no point coding to an 'IE3 compatibility' requirement.
2) Anyone who doesn't hash the supplied session key with (for example) the user agent string and IP address of the expected client and use *that* key for login verification is an idiot. There are of course other things you could do to be more sure that you're communicating with who you think you are but at the very least, applications should be comparing the client IP address with the one that was used during login. Again, so few people use rapidly changing dynamic IP addresses these days as makes no odds.
Most tokens are about 20 ASCII / base64 characters, for crying out loud. Showing that you can brute-force five base16 characters does not really prove a weakness. That took two minutes, and how big was the CSS file with those over-three-hundred-thousand entries? Trying to enumerate any halfway-decent long UID is one of those not-enough-atoms-in-the-universe problems, it ain't gonna happen, and this toy demonstration doesn't prove anything. It's like saying that you can easily brute-force a 1-char password - well duh, don't use one-char passwords! I'd like anyone to name a real website that uses a five-char identifier.
@Anders - No, your browser won't be frozen; that is why I put setTimeouts in the PoC. You can put some nice content in a post, or run a pirated movie site, etc. Anyway, 2 min is for searching the entire key space, and the attacker might discover your token early.
@Anonymous - Nice suggestion, and too secure....
@Adam, nice idea, but really this attack will run on your vulnerable client, who just accidentally visits an evil site. So it will be the poor guy going to jail. If we think more, we can work it out :)
@Sebby. LoL..
Cheers,
Inferno
@Anonymous Coward - You should understand security before making any accusation. This token is not the session ID, but your CSRF protection token. Your session ID will be automatically sent by the browser in every request if you are authenticated. Regarding your CSS file argument, please first go and check out the proof-of-concept code. You won't see any hardcoded token there.
If you need real-world examples, check out the last comment on the post on my site.
I was recently looking through the logs of my website to find out who was hotlinking images, then remove or swap out those images to mess with the hotlinkers (hey, geeks get bored you know!), when I noticed some of the referrer URLs contained an encrypted password with plaintext username.
So I copy'n'pasted one of the referrer URLs into my browser and discovered I had signed into a chatroom as someone else completely.
The funniest thing about this was that the chatroom is on a conspiracy theory website. :D
Bizarrely, the most insecure browser (IE) is the one I use for all 'secure' transactions - mainly 'cos you have to - thanks to sloppy website design.
Which means I've ensured that IE remembers nothing; blitzes all cookies, temp files, history, the lot, every time on shut-down. When I'm going to do anything on any website that involves a meaningful password / transaction, it's fire-up-IE time - fresh as it is, use it for that task only, then shut down and wipe.
For usual browsing - use something else, Opera in my case (mainly for the mouse-gestures, though there's probably a copycat Firefox download for that yada yada...)
Nah, most users'll just think that the site's trying to load a bit of Flash.
Note to e-tailers. Getting a blank screen with the word "loading" and a progress bar in the middle does not leave me breathlessly awaiting the mind-numbingly fantastic multimeeja UI experience I am about to receive*. It does make me piss off sharpish to spend my money elsewhere. You know who you are.....
*However much your CV-polishing web monkey may tell you it does.
Dear God! How long has the security community known that short encryption keys can be easily brute-forced? A 64-bit key (8 base16 characters) has been insecure for well over a decade now.
Why are people still using weak keys in secure settings?
It's not f**king rocket science.
In fact, there's a whole field entitled "Security Protocols" which specifically caters towards secure communication over insecure networks and is designed to prevent things like replay attacks.
Of course, the real problem is that your "typical user" has no way of knowing their favourite site uses such pathetic security (and almost certainly doesn't care to check).
And then there's the issue that most webmail sites don't encrypt the traffic once you've logged in, so anyone on your network can easily read the e-mails you view and send.
</rant>
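The key-space arithmetic argued over in the Anonymous Coward, Inferno and David comments above, worked through in code. This is an added example, not the article's code and not Inferno's proof of concept: it computes how many bits a token of a given alphabet and length carries, derives the guess rate the "five hex characters in two minutes" demo implies, and projects that rate onto longer tokens. The second half shows the mitigation Inferno's reply points at, a CSRF token generated from the OS CSPRNG, stored in server-side session state and carried in a hidden POST field (never in a URL, so it never reaches browser history), verified with a constant-time compare. The `session` dict, the 120-second figure and the field name `csrf_token` are assumptions for the example.

```python
import hmac
import math
import secrets
from typing import Optional

# Added example, not the original PoC code. Part 1: how big is the key space
# the demo enumerated, and what does that rate mean for realistic tokens?

def token_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random token of `length` symbols."""
    return length * math.log2(alphabet_size)


def guess_rate_from_demo(alphabet_size: int, length: int, seconds: float) -> float:
    """Guesses per second implied by enumerating a whole key space in `seconds`."""
    return alphabet_size ** length / seconds


def seconds_to_enumerate(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every value of a `bits`-bit key space."""
    return 2 ** bits / guesses_per_second


# Part 2: synchronizer-token CSRF protection. The token lives in server-side
# session state (looked up via the session cookie, which the browser sends
# automatically) and is echoed into a hidden form field. Nothing is appended
# to a URL, so neither history nor referrer logs ever see it.

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG; assumption for this example


def issue_csrf_token(session: dict) -> str:
    """Mint a fresh token and remember it in the (assumed) session store."""
    token = secrets.token_urlsafe(TOKEN_BYTES)
    session["csrf_token"] = token
    return token


def hidden_field(token: str) -> str:
    """Hidden input for a POST form: the token travels in the body, not the URL."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def verify_csrf(session: dict, submitted: Optional[str]) -> bool:
    """True only if the submitted token matches the one stored for this session."""
    expected = session.get("csrf_token")
    if expected is None or submitted is None:
        return False
    # Constant-time comparison so response timing cannot reveal how many
    # leading characters of a guess were correct.
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    rate = guess_rate_from_demo(16, 5, 120)  # 5 hex chars in 2 minutes (assumed)
    print(f"implied rate: {rate:,.0f} guesses/s")
    for name, alpha, n in [("5 hex", 16, 5), ("8 hex", 16, 8),
                           ("20 base64", 64, 20), ("token_urlsafe(32)", 64, 43)]:
        bits = token_bits(alpha, n)
        print(f"{name:>18}: {bits:5.0f} bits, "
              f"{seconds_to_enumerate(bits, rate):.3g} s to enumerate")

    session = {}  # stand-in for a server-side session record
    tok = issue_csrf_token(session)
    print(hidden_field(tok))
    print("valid:", verify_csrf(session, tok),
          "tampered:", verify_csrf(session, tok + "x"))
```

Run as a script it prints the implied guess rate (about 8,700 guesses per second), the seconds needed at that rate for 5 hex, 8 hex, 20 base64 and a 32-byte `token_urlsafe` token, then a sample hidden field and the verify results. The 43-character estimate for `token_urlsafe(32)` is an upper bound on the encoded string; the real entropy is the 256 bits of the underlying random bytes.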
@David
Same Problems, Different Place: Keep in mind that VMs may contain their own exploitable vulnerability. Don't be lulled into complacency; it's only a matter of time before exploiting VMs becomes a practical concern.
@Doc
Same problems, different place: Most businesses, unfortunately, operate with a good-enough mentality. Realistically, we have to come to some reasonable compromise between security, performance and ease-of-use. However, too often good-enough errs on the side of saving time/effort/money. Probably because it's easy to put a cost on the effort to implement and maintain software, but it's rather difficult to put a price on potential security issues.
"1) Nobody with any sense would pass the session token for a security critical application in the query string these days. You'd use a cookie instead, precisely so it doesn't appear in the user's history, etc."
Even worse. Then there is no token for the evil hacker to guess! They simply link you to the raw URL!
Biting the hand that feeds IT © 1998–2022