Thoughts on Snapchat’s snafu

Background

A security company reverse engineered Snapchat’s Android client and found all the API endpoints (source).
Bigger issue: the published proof of concept used the “find friends” feature to check whether a phone number is registered on Snapchat and, if it is, to retrieve the associated username and the user’s location.
Their claim was that despite informing Snapchat about the hole, Snapchat did nothing about it.
As expected, someone published data of 4.6M registered users (source) using the proof of concept provided. Snapchat responded saying that soon users will be able to opt-out of find friends feature.

Read More

Book Review: The Tangled Web

Just completed reading “The Tangled Web: A Guide to Securing Modern Web Applications” by Michal Zalewski.

The book is surprisingly small given the amount of information it covers about interaction of web browsers, web sites and client-side web technologies.

The book starts with the discussion of what a valid URL could look like (http://yahoo.com:80@google.com/microsoft.com – think which site is being connected to here) and then discusses several fundamental building blocks of the modern web (like cookies) as well as standard technologies (like Flash) in depth. The issue of same-origin policy and how it differs from the DOM to cookies to pseudo-URLs is explained with amazing clarity.
One of the best things about this book is that it makes regular references to RFCs for authoritative answers and the corresponding deviant [and undefined] behavior implemented by the browsers.
The book also covers new (HTML5) security features in detail.
While reading the book, I occasionally felt information overload, but I think the tangled web itself, and not the book, is responsible for that.
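As an added illustration (not code from the book or from this post), here is how Python’s urllib.parse splits the URL quoted above: everything before the last “@” in the authority is userinfo, so the browser connects to google.com, not yahoo.com. The second and third sample URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed sample set; only the first URL is the one quoted in the review.
SAMPLE_URLS = [
    "http://yahoo.com:80@google.com/microsoft.com",      # from the post
    "http://google.com/microsoft.com",                   # plain, no userinfo
    "https://accounts.example.com@203.0.113.10/login",   # constructed decoy
]


def effective_host(url: str) -> str:
    """Return the host a browser actually connects to.

    RFC 3986 allows an optional 'userinfo@' before the host, so everything
    up to the last '@' in the authority is credentials, not the host.
    urlsplit() performs exactly that split.
    """
    return urlsplit(url).hostname or ""


def userinfo_looks_like_host(url: str) -> bool:
    """Flag URLs whose credential part could be mistaken for the host.

    A dot inside the username (e.g. 'yahoo.com') is the classic trick:
    a reader sees a familiar domain first and stops reading.
    """
    username = urlsplit(url).username or ""
    return "." in username


def audit(urls):
    """Map each URL to (effective host, deceptive?) for quick review."""
    return {u: (effective_host(u), userinfo_looks_like_host(u)) for u in urls}


if __name__ == "__main__":
    for url, (host, deceptive) in audit(SAMPLE_URLS).items():
        flag = "DECEPTIVE" if deceptive else "ok"
        print(f"{flag:9} host={host:20} url={url}")
```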

I would strongly recommend this book for anyone who deals with web[site] security as well as parsing HTML.

Disclosure: We both work for [different teams under] Google Security.

Analysis of Facebook Rotating Images worm

If you are looking for how to avoid or recover: read this one instead.

In the past few weeks, a lot of Facebook users have received the following (or similar) messages posted by their friends:
Hi Friends see Face-book images rotate 360* see here >> http://SHADYCLOUDS.TK/
Really cool Facebook revolving images. MUST SEE http://rotatingimage2.tk/.

What follows are my observations and analysis of this worm.

Read More

Cyber Security in India: Role of CERT-In

CERT-In is a low-profile (Indian) government organization.

The Government of India established the Computer Emergency Response Team (“CERT-IN”) to ensure Internet security. Many institutions, including the Ministry of Home Affairs, courts, the intelligence services, the police, and the National Human Rights Commission, may call on it for specialist expertise. CERT-IN’s stated mission is “to enhance the security of India’s Communications and Information Infrastructure through proactive action and effective collaboration”. [Source]

I had a chance to visit CERT-In last week. The experience was good overall: unlike the typical dirty government office with laid-back employees, I saw employees enthusiastic about their work (and a colorful office).
Read More

A preliminary analysis of the “Bom Sabado” Orkut worm

So, this morning I received an email saying I had received an Orkut scrap from a friend with the contents “Bom Sabado”.
Within a minute, I received the same scrap from another friend. Now getting the feeling that this must be some sort of worm, I decided to open Orkut with Firebug logging enabled to see what was going on.
It turns out that it’s a typical case of Cross-Site Scripting (XSS): the attacker is able to include and execute their own script from hxxp://tptools.org/worm.js, and the contents of the scrap are able to bypass Orkut’s sanitization.
Read More