Bryan.StittHappens
My google analytics attack

I’ve been working on building client-side javascript apps (http://brunch.io) and am really wanting to make sure that they are secure as possible.  There are people that openly laugh when javascript and security are brought up in the same sentence, but I think they are a bit misguided.  Many of the vulnerabilities that have been pointed out to me exist on any website where javascript is enabled, not just on client-side javascript apps.

I was researching javascript injection (which many people consider “game over”) and had an idea.  LOTS of sites use google-analytics.  The default code snippit for google analytics loads HTTP if the page is HTTP and HTTPS if the page is HTTPS.  This is pretty common behavior for most file requests.  So what if I had control of a DNS server? If I modified my public DNS or poised someone’s DNS or editing a target’s hosts file, could I serve them whatever javascript I want?  Turns out, YES!

I downloaded http://google-analytics.com/ga.js and https://github.com/scottschiller/snowstorm/ and combined them into one minified file.  This way, the analytics still work, but it also snows.  I dropped this file into a new folder on my webserver— google-pwnalytics.com.  I then setup nginx to serve both google-analytics.com and www.google-analytics.com (but NOT ssl.google-analytics.com so not all of the HTTPS queries throw errors).  Then I configured my personal DNS server to point google-analytics.com to my webserver.  I cleared my browser cache and went to one of my own sites that has analytics.  It snowed.  Then I went to a few sites that I don’t run.  It was snowing on lifehacker.

The number of sites that this attack affects is scary.  This attack doesn’t get every site, but it got enough that I am concerned.  Most attacks are targeted at one site.  This one gets every site that uses HTTP analytics.

Obviously, having it snow isn’t going to do anything bad, but what if the script grabbed cookies? Injected cookies? Searched for forms with a “password” field and redirected input to me?  Javascript injection is bad news.

There are a few things that can easily stop this attack like DNSSEC and HTTPS.  Maybe we could start doing javascript checksums lol.  Most people don’t do anything though.  It also doesn’t help that the recommended code snippit from google is affected.  If you are building an app that needs to be secure, make sure you only serve 100% trusted code only via SSL.

tl;dr… As a web developer, don’t trust CDNs for high security sites; serve all your own code over SSL.  As a user, be wary of Public DNSs.  Use HTTPS everywhere that it is available.

Internet Story

TED talks sometimes scare me.

Who knew legos could be so violent

Using Google+ for OpenID

I made this blog so I would have a place to use as my openid url. I connected it to my gmail account (well really my google+ account) with some simple head tags.

    <link href=”https://www.google.com/accounts/o8/ud?source=profiles” rel=”openid2.provider” />

    <link href=”https://plus.google.com/MYACCOUNTNUMBER/posts” rel=”openid2.local_id” />  

    <link href=”https://www.google.com/accounts/o8/ud?source=profiles” rel=”openid.server” />

    <link href=”https://plus.google.com/MYACCOUNTNUMBER/posts” rel=”openid.delegate” />

Weeeeeeeeeeee