How *Not* To Implement A Web Application That Handles External Authentication, Using BeTwittered.com As An Example
Today I'm going to look at how not to handle user authentication in a web application, taking BeTwittered.com authenticating with Twitter as an example (sorry, guys).
BeTwittered is a simple and comfortable gadget that you can add to your site, such as your iGoogle homepage.
Since BeTwittered is just a bridge between you and Twitter, it has to first log you into your account. Here…
Updated: January 29th, 2010
Today I found out something entirely new about framebusting and specifically clickjacking protection techniques.
I was working with a site that was using frames. Suddenly, one of the frames (which was hosted on a domain that differed from the one it was embedded in) displayed the following message (in Firefox 3.5.4):
This content cannot be displayed in a frame To protect
…
Random Questions and Thoughts. Password Protected Garage Door Remotes, Twitter Security, MUNI Drivers, Burgers, etc
Updated: March 3rd, 2010
From time to time my, still curious, mind accumulates a variety of questions and concerns which it has to spill onto the pages of this blog. How random are these? Pretty damn random, and I need to see some answers, quick. Oh, and I’m deliberately not searching Google, as I want to facilitate discussion. What fun would it be if I just looked up all these?
Password Protected Garage
…
Updated: June 9th, 2009
Introduction
Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function (credit: Wikipedia).
Clickjacking is…
The Magic HD-DVD Key 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Updated: May 12th, 2007
Edit: Ha! Google now returns 1.6mil results (when I first put the key up, it was only 800). Also, almost immediately after this post was indexed by google, the server started experiencing DoS attacks from various IPs in US and Germany. Your dirty tactics didn't work, bastards, the key is all over the place now.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88…
Unbelievable Security Flaw in Regular Locks Makes Them Obsolete
Unbelievable! Working and Active Exploit on citibank.com and Many Other Sites
Updated: July 15th, 2006
Edit: this has now been fixed, but I'm sure many sites are still vulnerable.
Here's the link: click here
Unbelievable! This exploit is claimed to exist on 250+ sites. Here's the quote from the guy who found it:
"Look by yourself – this is how citibank.com cares about phishing and password theft. I reported it 20 hours ago. Nothing happened. Maybe it's time to make it…


beer planet is a blog about technology, programming, computers, and geek life. It is run by Artem Russakovskii - a local San Francisco geek who currently works at