lock Today I'm going to look at how not to handle user authentication in a web application, taking BeTwittered.com authenticating with Twitter as an example (sorry, guys).

BeTwittered is a simple and comfortable gadget that you can add to your site, such as your iGoogle homepage.

Since BeTwittered is just a bridge between you and Twitter, it has to first log you into your account. Here is where things go horribly, horribly wrong.

1. BeTwittered does not use SSL to secure requests to its servers

All authentication information is transmitted to BeTwittered servers in plain text and is easily sniffable by an attacker, both on your own network and outside of it. You can read more about SSL encryption here….

Share

Updated: January 29th, 2010

image Today I found out something entirely new about framebusting and specifically clickjacking protection techniques.

I was working with a site that was using frames. Suddenly, one of the frames (which was hosted on a domain that differed from the one it was embedded in) displayed the following message (in Firefox 3.5.4):

This content cannot be displayed in a frame
 
To protect your security, the publisher of this content does
not allow it to be displayed in a frame.
 
Click here to open this content in a new window

image

Notice how this is a native Firefox window and not a web page rendering. Quite stumped, I started looking at the frame response and finally found that it included this …

Share

Updated: July 1st, 2010

image From time to time my, still curious, mind accumulates a variety of questions and concerns which it has to spill onto the pages of this blog. How random are these? Pretty damn random, and I need to see some answers, quick. Oh, and I’m deliberately not searching Google, as I want to facilitate discussion. What fun would it be if I just looked up all these?

Password Protected Garage Door Remotes

As a paranoid person and a recent homeowner, I started to wonder how safe I actually am in my house. Consider this likely scenario that nobody seems to be concerned with:

I park my car outside for one night and don’t take out my portable garage door remote, the

Share

Updated: June 9th, 2009

image Introduction

Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function (credit: Wikipedia).

Clickjacking is hard to combat. From a technical standpoint, the attack is executed using a combination of CSS and iFrames, which are both harmless web technologies, and relies mostly on tricking users by means of social engineering. Additionally, the only server side technique against clickjacking known to me is “frame breaking

Share
2

The Magic HD-DVD Key 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


Posted by Artem Russakovskii on April 30th, 2007 in Security

Updated: May 12th, 2007

Edit: Ha! Google now returns 1.6mil results (when I first put the key up, it was only 800). Also, almost immediately after this post was indexed by google, the server started experiencing DoS attacks from various IPs in US and Germany. Your dirty tactics didn't work, bastards, the key is all over the place now.

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0.

Destroy

Share
3

Unbelievable Security Flaw in Regular Locks Makes Them Obsolete


Posted by Artem Russakovskii on August 6th, 2006 in Security

Shocking…

An unbelievable security flaw in locks, this is a very good lockpicking technique, works on at least 90% of all pin locks, very interesting, the man in the video is Barry Wels, a lock and security extrodinaire.

Share

Updated: July 15th, 2006

Edit: this has now been fixed, but I'm sure many sites are still vulnerable.

Here's the link: click here

Unbelievable! This exploit is claimed to exist on 250+ sites. Here's the quote from the guy who found it:

"Look by yourself – this is how citibank.com cares about phishing and password theft. I reported it 20 hours ago. Nothing happened. Maybe it's time to make it public? It is an active link to working exploit, ready to send YOUR data from citibank.com domain to attacker's server – so dont give your real login and pass please."

Reported on digg.com.

Share