Jan 25 2012

Pro tip: When looking for examples of web site attacks, use private browsing mode.

In a search for examples of CSRF attacks, I found some lovely vulnerabilities in Facebook and Netflix. What makes for a good example? Well, real-life vulnerabilities in known web sites, or of known companies, preferably with known exposure or losses; examples along the lines of “if this was your bank account…” just don’t have the same impact as “so many contacts were stolen from Facebook.” Even better is when they show the code for the attack.

The problem with doing this sort of research is that “showing the code” typically means “live demo”, and a “live demo” of a security vulnerability means “here’s an actual attack”. The only difference between an attack and a demo is that the demo gives you some warning.

And so it was, that I found an interesting CSRF attack on Netflix which places a rather embarrassing movie in your queue and moves it to the top. Luckily, it looks like Netflix has addressed this vulnerability, even though I never looked into the attack further. It was at this point that I realized that I was currently logged into Netflix on this computer, and if the attack was still possible, I would have some explaining to do to my wife.
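The Netflix queue attack is a textbook CSRF: a state-changing POST that the server honours because the browser attaches the victim's session cookie, even when the form was submitted from some other site. As an added illustration (not code from the original post, and not Netflix's code), the following toy handler shows the defect next to its fix, the synchronizer token pattern. The session store, form shapes, movie ids and function names are all constructed assumptions for the example.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session (hypothetical; not any real site's code).
def new_session(user):
    return {"user": user, "queue": [], "csrf_token": secrets.token_hex(16)}


def add_to_queue_unprotected(session, form):
    """Vulnerable handler: any POST that arrives with the victim's cookie is honoured.
    The handler cannot tell whether the form came from the site itself or from elsewhere."""
    session["queue"].insert(0, form["movie_id"])
    return 200


def add_to_queue_protected(session, form):
    """Hardened handler: the form must echo the per-session secret token.
    A page on another origin cannot read that token, so its forged POST is rejected."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    session["queue"].insert(0, form["movie_id"])
    return 200


def site_form(session, movie_id):
    """What the legitimate page submits: it was rendered with the session token embedded."""
    return {"movie_id": movie_id, "csrf_token": session["csrf_token"]}


def cross_site_form(movie_id):
    """What a page on another origin can submit: the cookie rides along, the token does not."""
    return {"movie_id": movie_id}


def demo():
    """Run both handlers against a cross-site submission and a legitimate one (constructed data)."""
    results = {}
    victim = new_session("victim")
    results["unprotected_cross_site"] = add_to_queue_unprotected(victim, cross_site_form("movie-42"))

    victim = new_session("victim")
    results["protected_cross_site"] = add_to_queue_protected(victim, cross_site_form("movie-42"))
    results["protected_legit"] = add_to_queue_protected(victim, site_form(victim, "movie-7"))
    results["queue_after"] = list(victim["queue"])
    return results


if __name__ == "__main__":
    print(demo())
```

The token is compared with `hmac.compare_digest` rather than `==` so the check does not leak timing information; in a real deployment the token check belongs in middleware applied to every state-changing route, not in one handler.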

Posted at 8:39 pm
Dec 29 2011

Oops. I was hacked.

And only a few months after I was put in charge of application security at work. I’m sure this would inspire confidence with all our developers.

Since I don’t actually pay attention to my blog, I had no idea that I was hacked until a month later when I went to look at some photos I uploaded. After some research I found that the attacker managed to infect all PHP files on my site. At this point I contacted my host as my account was locked down. The conversation went something like this (not actual quotes):

Me to Support
Help, I’ve been hacked!

Support to Me
Yes. Yes you have. We told you about this a month ago. Respond to the email our Security Team sent.

Me to Support
Um, looks like I lost the email, can you send it to me again?

Support to Me
Just talk to the Security Team, leave me out of this.

To be fair to the host, they most likely did contact me and I just deleted the email. My fault, I admit it. To be fair to me, I get two or three marketing emails from them a week and immediately delete the messages to prevent my inbox from filling up within a month.

I sent an email to their security folks and they gave me the details. WordPress’ TinyMCE install was attacked via a known vulnerability. They asked that I update my applications, which I did once they figured out how to do that.

In short, I failed at one of the basic tenets of security: Keep your infrastructure updated. I let my blog sit idle for too long and failed to upgrade when a new patch was released. Some script kiddie came by and hacked my site, and my host did the right thing by locking everything down until I could respond. Now I’m back up and starting from scratch.
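The compromise went unnoticed for a month because nothing on the site was watching its own files. Patching is the fix for the root cause, but a baseline of file hashes would have turned "every PHP file was infected" into an alert the same day. As an added example (not from the original post, and not a WordPress or hosting-provider tool), the script below hashes every `.php` file under a directory, stores the baseline, and later reports what was modified, added or removed. The directory layout and file contents in `demo()` are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def hash_php_files(root):
    """Return {relative_path: sha256_hex} for every .php file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def save_baseline(root, baseline_path):
    """Write the current hashes to a JSON file kept outside the web root."""
    with open(baseline_path, "w") as fh:
        json.dump(hash_php_files(root), fh, indent=2, sort_keys=True)


def compare_to_baseline(root, baseline_path):
    """Diff the live tree against the stored baseline."""
    with open(baseline_path) as fh:
        baseline = json.load(fh)
    current = hash_php_files(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: a tiny fake site, a baseline, then a mass edit of every PHP file."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        for rel in ("index.php", "wp-content/plugins/x/x.php", "style.css"):
            full = os.path.join(site, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("<?php echo 'ok'; ?>\n" if rel.endswith(".php") else "body{}\n")

        baseline = os.path.join(store, "baseline.json")
        save_baseline(site, baseline)

        # Simulate what the post describes: every PHP file gets extra code appended,
        # and one new PHP file appears in an upload directory. (Constructed, inert content.)
        for rel, digest in hash_php_files(site).items():
            with open(os.path.join(site, rel), "a") as fh:
                fh.write("<?php /* appended line */ ?>\n")
        dropped = os.path.join(site, "wp-content/uploads/dropped.php")
        os.makedirs(os.path.dirname(dropped), exist_ok=True)
        with open(dropped, "w") as fh:
            fh.write("<?php /* new file */ ?>\n")

        return compare_to_baseline(site, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `save_baseline` right after a clean install or upgrade and `compare_to_baseline` from a daily cron job; a non-empty `added` or `modified` list on a site you have not touched is the signal that was missing here.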