Don’t Click: http://tinyurl.com/amgzs6

And, probably like many of the people out there, you clicked the link.  By the way, if you clicked the link above, good job.  You’re now one of the tens, possibly hundreds, of thousands of Twitter users that clicked that.

And then, you found out that your Twitter account got HACKED!  Even prolific blogger Dooce clicked, and subsequently decided her account had been compromised.  Her followup tweet was 

My twitter account got hacked. That last tweet was a hack, not my doing. Apologies for any inconvenience.

“Inconvenience”?  Your inability to not click an unknown link resulted in all your readers’ accounts being exposed to this.

Here’s the thing, though: your account is fine.  It wasn’t compromised.  At least, not in the way you are thinking.  I’m sure you’re thinking someone broke in, posted as you, and took off.  Now they have your username, password, measurements, shoe size, and even the length of your… hair.  I was going to say hair.  I promise.

Well, you’re wrong.  They don’t.

What happened?  Well, you clicked the link.  Alright, let’s get technical.

You’re on Twitter.  In fact, you’ve probably logged in to Twitter, so your browser has an authenticated session.  If you don’t know what that means, it’s simply that your browser has a piece of information that identifies you as you.  That info allows you access to your account, your tweets, your friends, and so on.  When you clicked the “Don’t Click” link, something happened: you opened a web page.  That’s all you saw.  The web page, redirected via TinyURL.com, was http://www.umoor.eu/blog/yes-we-can.php.

Don’t worry, both the TinyURL and the yes-we-can.php pages have since been disabled.

Take page contained two thing of note: a button, which you could see, and an iframe, which you could not see.  The button was simple enough:

button {position: absolute;top: 10px;left: 10px;z-index: 1;width: 120px;}

It just sat there, looking bored.  The iframe was more interesting:

iframe {position: absolute;width: 550px;height: 228px;top: -170px;left: -400px;z-index: 2;opacity: 0;filter: alpha(opacity=0);}

The CSS, you’ll notice, sets a size and height, but positions it off to the side and makes it transparent.  You were not supposed to even know it’s there.  Now, source of the iframe is what matters.  Remember, it’s hidden, so you see none of this.

iframe src=”http://twitter.com/home?status=Don’t Click: http://tinyurl.com/amgzs6″ scrolling=”no”

Since Twitter allows you to set you status by tacking the status on to the “home” URL, the iframe made the same request.  Backing up, you were (probably) authenticated to Twitter, so there were no problems simply updating your status.  From there, your friends saw it, clicked the link, and their own status was updated.  And it cascaded.

How bad did it cascade?  Here is the Twitter search for just that URL.

So, did you account get “hacked”?  Not exactly.  The account was not compromised or broken into, but it did perform actions on your behalf without you knowing about it.  Do you need to run and change your password?  Not this time.  How about, instead, you find out where links go before you trust them.  Then again, if you’re an Obama supporter, anything with “yes-we-can” in it will probably get you.  By the way, if you take a TinyURL and put “preview” in it, you can see where it goes without going there.  So , http://tinyurl.com/amgzs6 becomes http://preview.tinyurl.com/amgzs6.

Now, I want you to think about something: in this case, you were exploited and inadvertently posted to Twitter.  What if, instead of posting to Twitter, the iframe had tried to transfer money from your bank account?

And, most importantly, what can you do about it?  Learn where links are going before you click, and download and use CSRFblocker, which will be available soon from the Hexagon Security think-tank.

Credit: @reverz and @nathanhamiel

If you want to check out the app, here is the iTunes store link.  Because iTunes conveniently provides a link to this information, it’s easy to tell that the author, Robert de Jong, has not published any other apps.  Further, one whois and a google search later, and you can tell that the author, based in Colorado, isn’t either of the other two Robert de Jongs out there; one is in Ohio, the other in Canada.  Oh, his “company” also has a website, though it looks like a sole-proprietership, meaning there has been no paperwork filed with the government to form an LLC or corporation.  Further evidence: I couldn’t find a DEJOware business listing, according to the Colorado business registry.  On his site, the only contact link is a mailto, which will allow you to send him an email.

So, where does that leave us?  Well, let’s look at the application itself.  I mentioned earlier that it takes in user input, and gives you back your “other” names.  Let’s give this a whirl, using some fake information (why will be covered in a minute).  Starting the app up, we go immediately to the Pirate name screen.  First and last name are requested.  “Johnny Appleseed” is already demo’d on the iTunes store, so let’s do another name.  How about “Robert de Jong”?  I put it in, and get back the pirate name of “‘Salty’ Squid Flint”.  Stripper name time!  Robert de Jong, in the stripper world, would be “Fantasia Heavencocker”.  Wow.  Now Jedi name time.  Hitting this tab expands the input, and, again as seen on iTunes, more information is requested.  First, last, mother’s maiden, and birthplace are requested.  Robert’s mother’s maiden name will be, for this demo, “Wozniak” (sorry Steve), and his birthplace will be Boulder.  I get back the very Jedi name of “Dej-Ro Wozbou”.

Dej-Ro Wozbou is parts of each element of data.  Three from last name, two from first name, three from mother’s maiden, and three form birthplace.  de Jong Robert Wozniak Boulder.  See?

So, why would I use false information here?  Here’s what just happened: a previously unknown developer has created an application and published it with Apple’s blessing.  The application asks for your information, and does… we know not what with it.  The app could send your information, literally, anywhere.  Further, the information is all user-supplied, so there’s nothing that would make Apple unhappy (like rifling through your address book for your information).  No, we, the users, provide all the information it asks for.  And that’s the problem.  We just provided First Name, Last Name, Mother’s Maiden Name, and Birthplace to this application and, potentially, to this developer.  If those four pieces of information sound familiar, it’s because those are usually what stand between you and retrieving an account password almost anywhere.  “But he doesn’t know my username!” you cry.  Actually, most people will use FirstnameLastname as their account username, if it’s an important account.  Like banking.  Think about that.

Now, my disclaimer and CYA: I don’t know any of this for sure.  I haven’t monitored the network traffic to see if A.K.A is calling home.  I’m not even accusing A.K.A. or Robert de Jong of doing anything malicious.  The A.K.A. app happens to fit a model that could be used to steal information.  It is also “trusted” because Apple has blessed it.  Before you willingly hand any information over to an application, trusted or not, consider what could be done with that information.

There is a nationwide scam being run to steal money form Walmart.  This may not seem like much of a revelation, until I describe the method being used.  Undoubtedly, this is also being perpetrated at other stores, but Walmart is a face you know.

Have you watched Garden State, starring Natalie Portman and Zach Braff?  This is not a random divergence.  In fact, that movie has a similar scheme employed in it.  In this movie, the main character’s friend needs to get some money.  He takes the whole crew with him, before beginning their outing, to the local home and garden store.  There, he grabs a set of knives from the shelves, and takes them to the return counter.  After a brief and indignant argument about how the knives “aren’t sharp enough”, the knives are “returned”, and he walks out with cash in hand.  He explains, “you don’t need a receipt to return anything under $25.”  In the real world, the viability of this is suspect; most places would, at best, offer a store credit.  But what about that weak link in the chain, the receipt?

Why is the receipt the weak link?  Two reasons: we perceive them as having a low value (generally), and almost no “low ticket” items are individually identifiable.  That is, unless we need to return something or use it for reimbursement or tax write-off, the receipt has virtually no value, and inexpensive items generally don’t have serial numbers.  Recently, a friend of mine purchased a wireless Wii sensor bar, which broke within a month.  The fault was in the cheap plastic used, but she wanted that same type of sensor bar.  Instead of paying another $21, she purchased a new one, put the old one in the new packaging, and returned it.  She got a new sensor bar, and it was completely undetectable.

The challenge now becomes one of determining how to exploit this.  The Walmart scam takes advantage of the receipt as the weak link, and exploits this perfectly.  It is also very simple, making it surprisingly easy to pull off.  Further, the victim is a major corporation, making it very unlikely that action will be taken, compared to an individual.

The scam runs as follows: the attacker waits for a receipt to be thrown away in the trash outside the door, or dropped in the parking lot.  The receipt is collected.  If the purchase was paid with cash or debit, it can be used; a credit card receipt will only do a refund back to the credit card, not to cash.  Once a viable receipt is collected, all that has to be done is wait.  The waiting is for someone with a return to come in.  When you enter Walmart, you’re item is tagged with a sticker, showing it came “in” from the outside.  Even if a return is processed, the sticker might be left on the item.  If the attacker can then grab either the sticker (to apply to another item), or the entire item, they’ve got everything they need to get cash in hand: receipt, item, “official” sticker.

This attack could, of course, be done a number of different ways: the item could be shoplifted then brought back in, gaining it the “official sticker”, or stickers could be printed elsewhere and affixed at the attacker’s leisure.  The sky’s the limit; the result is the same: cash.

Brian White over on Bloggingstocks.com has written up his own assessment of the Wal-mart return policy.  His research, along with my information, could lead to some very interesting return fraud.

Update: While discussing this security issue with various people, both a coworker and a relative gave me the same new information that I would not have discovered on my own, because they have kids. Apparently, the greeters are more than happy to give stickers to kids.  While they usually don’t barcode the kids, if the Walmart is one of the ones that uses a florescent dot instead of a barcode, the greeters will usually hand those out to small children.  So, walk through a couple times with a couple kids, take their stickers, find a receipt, stick the sticker on the item in the store, take it up front and return it.  Easy as that.  But it’s so mean… taking stickers from kids.

So, I went to get one.

Walmart was the destination of choice.  The barbecue I found and wanted was the Char-Broil 2-burner.  Walmart had exactly one.  It was the floor display model, but I still wanted it.

So, I grabbed the barbecue, and wheeled it over to the checkout counter near the gardening section.  I was politely informed that the barbecue, being the floor model, would need to be approved for sale by the manager.  The checker called to ask, and another associate (image simulated) to check out the grill.  The grill, I was informed, was in perfect working order.  I was also informed, at about the same time, that the manager would not approve the grill to be sold.  The associates put the grill back on the display floor.

Then I took it.

No, I didn’t steal it.  I just waited for them to be busy with other customers, walked up to it, and wheeled it away.  This time, I headed in the direction of the front of the store, and the main checkout area.  Specifically, I angled toward self-checkout.

The grill had a big sticker on it, complete with barcode.  I peeled it off as I went, got to the self-check, scanned the code, and swiped my card.  It was mine.

Pause.

“Hold for Assistance”, the screen read.  The associate monitoring the self-check started walking my way… and all she wanted was to verify my ID against the name on my card, because the grill was a large line-item on the receipt.

And the grill was mine.

Walmart, your rules do not apply to those people willing to use your own systems against you.  I’m not talking about laws.  Just your rules.  Enjoy.

Usually, processing form data means getting either POST or GET data from a form, and trying to figure out, in code, what you have, and then do something with it.  This can be easy or complicated, depending on how much is being passed in.  Email address only? Easy.  Checkboxes, optional fields, and so on, all together?  Pain.  Often, a lot of form processing is done with stacks of “if” statements.  This sucks.  Here is a better way:

From now on, I want you to name all of your “real” form elements (ones that have data that could change, so not buttons) using the name you would have given then, plus an array name, that they will all share.

So,

<input type="text" name="username" id="username" />

becomes

<input type="text" name="formdata[username]" id="username" />

Why?  Instead of having one array ($_POST), you’ll now have two ($_POST and ‘formdata’, within $_POST).  Your buttons and other “static” form elements will still live in $_POST, but everything containing data that needs handling will be in the ‘formdata’ array, which you can access as $_POST[formdata].

Why does this rock?  I find I have to go through all of the data in a form, even if I know what and how much is coming in, and that the amount wont change.  For example, it’s a good idea to clean all user input.  Since users can change any form value, this needs handled.  Why bother with a ton of ‘if’ statements when we can just iterate through the ‘formdata’ array?

  foreach ($_POST['formdata'] as $key => $value)
    $_POST['formdata'][$key] = makesafe($value);

Cautionary note: this definitely seems ideal for updating data in a database and saving time, doesn’t it?  Maybe something like (let’s assume “$user_id” is the current user’s account, and we determined that earlier somehow) :

  foreach ($_POST['formdata'] as $key => $value)
    mysql_query("UPDATE info_table SET $key = '$value' WHERE index = $user_id");

This is a bad thing.  Why?  SQL injection.  At the very least, clean all input, including the field names, if you think something like the above statement is a good idea.  If you don’t, don’t say I didn’t warn you if you get owned.

We used and modified phpBB.  My portion of the project was to re-skin the bulletin board system, act as lead moderator, prevent non-UAT students from registering, and implement the post voting system.  phpBB version 3, RC5 was used and updated to subsequent release candidates.

Two php files were added to the core of phpBB3, one core file was modified, and additional tables were created in the database.  Currently this project only works with phpBB3 on a MySQL database, but I hope to make it database-independent.  Below is a snippet of code from the new files.

<?php
	$sql = 'INSERT INTO ' . VOTES_TABLE . ' ' . $db->sql_build_array('INSERT', array(
		'post_id'		=> (int) $post_id,
		'user_id'		=> $user->data['user_id'],
		'adjust'		=> 1,
		'vote_time'		=> time(),
		'voter_ip'		=> $user->ip)
	);
?>

A working example of these modifications in a live phpBB3 environment can be seen at The Rogue Forums.  Please contact me for a login, as account creation is limited to UAT students only.  The new files associated with this project are linked below.

pbpBB voting system files

Background: This projects began as a request from a friend.  His site, acting as a working demo, is at Fried Pope.  He wanted the ability to have different stylesheets govern the look of his site, and be chosen randomly for each visitor.  In short, he wanted to rotate his style sheets.

Project: The result from that request, plus a major recode, is linked below.  The system is designed to pick a stylesheet from the directory you specify, and redirect the user to it.  It will remember the stylesheet selected for the user for their entire visit, so your site doesn’t keep changing its look.  That would be confusing.

Compatibility: This project works in all known browsers.

Use: Using this tool is extremely simple.  You must have a web host that supports PHP.

1. Uncompress the source code, and put ‘cssrotate2.php’ in your website’s directory
2. Open ‘cssrotate2.php’ with an HTML editor
3. If you need to, change the the line under the comments to specify where your styles are ($stylesdir = “./styles”;)
4. Save and close it
5. Open any pages in your site that you want to have use CSS Rotate
6. Add a link to it like you would any other stylesheet (<link href=”./styles/cssrotate2.php” rel=”stylesheet” type=”text/css” />)
7. Save and close those pages

download css rotate 2

For those not familiar with it, but familiar with PHP, this function takes the results returned by mysql_query(), and turns it into an array of values.  There are two other functions that do similar things: mysql_fetch_row() and mysql_fetch_assoc().

mysql_fetch_row() ”fetches one row of data from the result associated with the specified result identifier.  The row is returned as an array.  Each result column is stored in an array offset, starting at offset 0″. source

So, first value is $result[0], second is $result[1], and so on.

mysql_fetch_assoc() “returns an asociative array of strings that corresponds to the fetched row”. source  That is, each value that is returned is part of a pair: a “key” (index) value, and the actual value.  The “key” names correspond to the name of the field in the database.

So, first value is $result['name'], second is $result['email'], and so on.

When I’m coding, I like to have access to both the “key” values, and the numeric index.  Now, in all honesty, I almost always use “key” values, over numeric, but I still like having the option.  This is where mysql_fetch_array() comes in.

mysql_fetch_array() will give you “an array with both associative and number indices.” source

Many other languages can do both associative (“key” index) and numeric indices by default.  Others are constrained to just numeric.  Here, PHP is giving us both.  

The question: how?

The answer: it cheats!

Seriously.  It cheats.  What do I mean?  I mean that the numeric indices are not truly referencing the position of the value.  One would expect that “$result[0]” would reference the value in the first position.  It does not.  This can easily be verified with a handy print_r(), or the following loop:

$result = mysql_fetch_array($result);
foreach ($result as $key => $value)
echo $key . ‘=’ . $value . ‘<br />’;

The result of that loop, on a data set I was working with, returned the following:

0=mack
username=mack
1=1
job_num=1
2=Mack Staples
name=Mack Staples
3=5415551234
phone_num= 5415551234
4=test@example.com
email=test@example.com

What do you notice?  Every value is in there twice, and while the ’0′ value is indeed in the first position, the rest of the numbers don’t correlate.  So what is it doing?

mysql_fetch_array() is building a larger array (twice the size of either of the other functions) and using the numbers not as true indexes, but as associative “key” values.  This means a couple of things.

1 – You are wasting speed if you reference the values, but don’t use quotes.  According to Reinhold Weber’s Blog:  #17: “$row[’id’] is 7 times faster than $row[id]“.  If you’re doing this a lot, and often… ouch.

2 – You’re wasting speed just using it.  From having to initially populate twice the data into an array, to a slowdown copying the array to other memory locations, this can cost you performance.

So, what can we do about it?

1 – Use quotes!  1/7th of the time to get $result['2'] compared to $result[2].  Simple speed fix.

2 – Using mysql_fetch_array() is up to you.  For what I usually use database results for, the difference is negligible.  I do small, infrequent queries, and I like having both numeric and associated indices.  To me, it’s worth the minor performance hit.

Code Safe. Code Smart.  Be paranoid.