Dangerous Firefox Extension

Searchstatus, a useful Firefox extension for search optimization, can easily help someone exploit your web application when you don’t take security seriously. Here’s why.

Some Background

Before Christmas I was working on some invites for a private beta of one of our ajax-based wiki apps. And because I was very late getting things done, I wrote a python script that creates all instances and the invitation e-mails. And we all know, when you’re in a hurry and there is some kind of stress you’re more likely to make mistakes. And I made a serious mistake: My script was executable for everyone, no restrictions, no authorization. You only needed the right URL and were able to execute the script.

Feeling Secure

Nobody besides me knew the URL of my script. That’s what I thought, but there was just another one: Alexa. The Searchstatus extension pinged Alexa’s servers to receive the page rank with my “secret” URL (we all know, security through obscurity does not work!). And about 12 hours later one of Alexa’s crawlers visited my server and jumped right onto my invitation script. Nice! For some reason I was clever enough not to send the e-mails instantly. They are all sent in small chunks asynchronously via a modified MaildropHost. This service was down (intentionally).

The Revelation

After the holidays, back in the office, I saw some strange e-mails in the queue of MaildropHost, all sent on 24/Dec, 6:35. Here is the Apache log entry from Alexa’s visit:

crawl31-public.alexa.com - - [24/Dec/2005:06:35:01 +0100] "GET /testing/createInvitations HTTP/1.0" 200 10946 "-" "ia_archiver"

Fortunately nothing happened: the script was executed in the testing folder, where I had tested it the day before. But I was lucky, and I can really imagine different and more serious scenarios (left as an exercise to the reader).

Conclusions

There are some conclusions from this case:

  1. Don’t ever work on the production server when testing (I did a dry-run on the production server first. And after all, final testing simply needs to take place on the production site too).
  2. Delete any redundant script from the production site.
  3. Never leave scripts open for execution, check multiple times from multiple sources.
  4. Be (very, very) cautious with toolbars, page ranking tools, Firefox extensions – if you are not sure about a tool and whether it’s calling mama, just use tcpdump or ethereal and check the traffic.
  5. Stop all services you don’t need regularly!

I really don’t know if Alexa always “comes back” this way, but I will be much more careful in the future.
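Point 3 above (check that nothing is open for execution) is easiest to enforce by auditing the access log for what actually got called and by whom. The following script is an added example, not code from the original post: it parses Apache combined-format lines like the one quoted above and flags successful, unauthenticated hits on paths that should never be reachable anonymously. The sample lines are constructed (only the Alexa entry mirrors the post), and the list of sensitive prefixes is a hypothetical placeholder you would replace with your own script locations.

```python
import re

# Constructed sample log in Apache combined format. The first line mirrors the
# entry quoted in the post; the other two are invented for illustration.
SAMPLE_LOG = """\
crawl31-public.alexa.com - - [24/Dec/2005:06:35:01 +0100] "GET /testing/createInvitations HTTP/1.0" 200 10946 "-" "ia_archiver"
192.0.2.10 - - [24/Dec/2005:09:12:44 +0100] "GET /wiki/index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - admin [24/Dec/2005:09:13:02 +0100] "GET /testing/createInvitations HTTP/1.1" 200 10946 "-" "Mozilla/5.0"
"""

# Combined log format: host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hypothetical: URL prefixes of helper/maintenance scripts that must not be
# callable without authentication. Adjust to your own layout.
SENSITIVE_PREFIXES = ("/testing/", "/scripts/")


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text):
    """Return one finding per successful (2xx) request to a sensitive path that
    carried no authenticated user ('-' in the auth field)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sensitive = rec["path"].startswith(SENSITIVE_PREFIXES)
        anonymous = rec["user"] == "-"
        if sensitive and anonymous and rec["status"].startswith("2"):
            rec["reason"] = "unauthenticated execution of sensitive script"
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f'{f["time"]} {f["host"]} "{f["agent"]}" -> {f["path"]}: {f["reason"]}')
```

Run it over the real access log (for example, `audit(open("/var/log/apache2/access.log").read())`) after every deployment; an empty result is what point 3 asks you to verify.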

This entry was posted in Firefox, Security, Software.
