ObNonHack
This is a story about an exploit that didn't happen. Mostly because I chickened out.

The short version is this: for a while, there was a bug in the way Google accepted user preferences that meant it was possible to create an <img ...> tag such that anyone who looked at a page containing the image would have their Google preferences changed. Think about this for a second. See that blank box above the smiley face? If Google were still vulnerable to this exploit, you'd see a second little smiley face in that box. Also, merely by loading your friends page with this entry on it, your Google preferences would have been changed to whatever I picked. In this case, to have the Google buttons and all explanatory text switch to Arabic, to search only for pages in Chinese or Japanese, and to display only one result per page. You'd see this the next time you used Google, whether you used it directly by visiting http://www.google.com or through some browser plugin.
Now, freerepublic.com (no, I'm not linking to them) is frequently visited by people who would at the least be freaked out by something like this. Furthermore, it's full of people I wouldn't mind freaking out. Also, it encourages semi-anonymous users to post images in the comments. At least as of Halloween, Google hadn't fixed this exploit. Think about it: right before the election some of the more rabid online right-wing activists have their ability to use Google taken away from them in what looks like an islamofascist plot...
Anyway, as I said, I chickened out. I don't know if there's some sort of moral or lesson here - except that web application security is so difficult that even Google can get it wrong in potentially embarrassing ways - but it kind of seems like there ought to be. If anyone cares about the technical details behind the flaw you can read about it by googling "google setprefs xsrf" and see more details about my specific way to exploit it by looking at what http://xrl.us/rv5j/smile.gif gets you when you feed it through wget.
(And yes, I'd reported this to Google on September 25th, but I wasn't the original discoverer of the flaw itself. Encoding the evil into an image tag was my own creation, as was the exploration of how much evil could be encoded into one little picture.)
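To make the mechanism concrete, here is an added illustration (my own, not Google's code or anything from the original post) of the pattern behind the flaw: a preferences endpoint that applies changes on any GET carrying the session cookie, which is exactly the request a browser makes for an <img src="..."> on someone else's page, next to a version that refuses GET and demands a session-bound anti-CSRF token. The session store, the "hl"/"num" preference keys and the query strings are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store: session id -> {"prefs": {...}}.
SESSIONS = {}
# Per-process secret used to derive tokens that a third-party page cannot guess.
SECRET = secrets.token_bytes(32)


def new_session():
    """Create a session with constructed default preferences (English UI, 10 results)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"prefs": {"hl": "en", "num": "10"}}
    return sid


def csrf_token(sid):
    """Synchronizer token bound to the session; embedded in the real preferences form."""
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()


def setprefs_vulnerable(sid, method, query):
    """The flawed shape: the cookie alone authorises a state change, and GET is accepted.

    A browser fetching <img src="https://example.invalid/setprefs?hl=ar&num=1"> sends
    the victim's cookie with a GET just like this one, so the change goes through.
    """
    prefs = SESSIONS[sid]["prefs"]
    for key, values in parse_qs(query).items():
        prefs[key] = values[0]
    return prefs


def setprefs_hardened(sid, method, body, token):
    """Hardened shape: state changes only via POST, and only with the session's token.

    Returns the updated preferences, or None when the request is refused
    (in a real handler: 405 for a non-POST, 403 for a missing or wrong token).
    """
    if method != "POST":
        return None
    if not hmac.compare_digest(token or "", csrf_token(sid)):
        return None
    prefs = SESSIONS[sid]["prefs"]
    for key, values in parse_qs(body).items():
        prefs[key] = values[0]
    return prefs
```

An image tag can neither issue a POST nor read the token out of the victim's session, so the hardened handler leaves the preferences alone; modern browsers' SameSite=Lax cookie default would additionally withhold the cookie on such a cross-site image request, but the server-side check is the part the application itself controls.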

