<h1>Friendly exploits</h1>
<p>Stewart Smith, 2011-05-09. <a href="https://www.flamingspork.com/blog/2011/05/09/friendly-exploits/">https://www.flamingspork.com/blog/2011/05/09/friendly-exploits/</a></p>
<p>If you happen to be friends with me on Facebook you will have seen a bunch of rather strange updates from me last night. This all started with a tweet (that was also sent to Facebook) by a friend who joked about doing something with the &lt;MARQUEE&gt; tag (see <a href="http://www.angelfire.com/super/badwebs/">http://www.angelfire.com/super/badwebs/</a> for an example of it and similar things). I saw the joke, as I was reading it through Gwibber or the Facebook website. However… Leah saw text scrolling over the screen… just like the &lt;MARQUEE&gt; tag actually did.</p>
<p>She was looking at it on her iPad using an app called Friendly.</p>
<p>So I immediately posted a status update: “&lt;script lang=&quot;javascript&quot;&gt;alert(&quot;pwned&quot;);&lt;/script&gt;”. This is a nice standard little test to see if you’ve managed to inject code into a web site. If this pops up a dialog box, you’ve made it.</p>
<p>It didn’t work. It didn’t display anything… as if it was just not running the script tag. Disappointing. I <strong>soooo</strong> wanted it to break here.</p>
<p>I did manage to do all sorts of other things in the Live Feed view though. I could use just about any other HTML tag… including forms. I couldn’t get a HTTP request to my server out of a HTML form in the Live Feed view… but once we did manage to crash Friendly (enough that it had to be force quit on the iPad).</p>
<p>I posted a photo of me holding up the iPad to my laptop web cam to show off the basics:</p>
<p><a href="https://i0.wp.com/www.flamingspork.com/blog/wp-content/uploads/2011/05/2011-05-08-231622.jpg"><img class="aligncenter size-medium wp-image-2368" title="2011-05-08-231622" src="https://i0.wp.com/www.flamingspork.com/blog/wp-content/uploads/2011/05/2011-05-08-231622-300x225.jpg?resize=300%2C225" alt="" width="300" height="225" /></a></p>
<p>And then one of what happened when I tried a HTML form (this wasn’t reproducible though… so kind of disappointing):</p>
<p><a href="https://i0.wp.com/www.flamingspork.com/blog/wp-content/uploads/2011/05/2011-05-08-233659.jpg"><img class="aligncenter size-medium wp-image-2369" title="2011-05-08-233659" src="https://i0.wp.com/www.flamingspork.com/blog/wp-content/uploads/2011/05/2011-05-08-233659-300x225.jpg?resize=300%2C225" alt="" width="300" height="225" /></a></p>
<p>What we did notice however was that HTML tags were parsed in comments on images too… which made me wonder… It’s pretty easy to make a HTML form button that will do something… so I posted the same image again with a button that would say “Next” but would take you to a web page on one of my servers instead. It worked! I got a HTTP request! Neat! I could then present a HTML page that looked legit and do the standard things that one does to steal off you.</p>
<p>But I wonder if scripts would work… so I posted:</p>
<div id="attachment_2370" style="width: 310px" class="wp-caption aligncenter"><a href="https://i0.wp.com/www.flamingspork.com/blog/wp-content/uploads/2011/05/2011-05-08-235247.jpg"><img aria-describedby="caption-attachment-2370" class="size-medium wp-image-2370" title="2011-05-08-235247" src="https://i0.wp.com/www.flamingspork.com/blog/wp-content/uploads/2011/05/2011-05-08-235247-300x225.jpg?resize=300%2C225" alt="" width="300" height="225" /></a><p id="caption-attachment-2370" class="wp-caption-text">Photos are proving more exploitable… &lt;script lang=&quot;javascript&quot;&gt;alert(&quot;pwned&quot;);&lt;/script&gt;</p></div>
<p>and then clicked on the image on the iPad…</p>
<p><a href="https://i0.wp.com/www.flamingspork.com/blog/wp-content/uploads/2011/05/2011-05-08-235426.jpg"><img class="aligncenter size-full wp-image-2371" title="2011-05-08-235426" src="https://i0.wp.com/www.flamingspork.com/blog/wp-content/uploads/2011/05/2011-05-08-235426.jpg?resize=584%2C438" alt="" width="584" height="438" /></a></p>
<p>Gotcha!</p>
<p>I could from here do anything I wanted.</p>
<p>Next… I should probably report this to the developers… or steal from my friends and make them post things to facebook implying improper relationships and general things that would get you fired.</p>
<p>I went with the former… but the latter would have been fairly easy as the Facebook page for the app nicely tells me which of my friends use it. I could even target my attack!</p>
<p>So I sent a warning message to friends (the 18 of them who use the Friendly app), sent a “contact the developer” message to the developers, sent out a warning on Twitter and went to bed.</p>
<p>Got an email overnight back from the developer: “We just pushed a server update that solves this issue.”</p>
<p>Now… in my tcpdump while trying some of the earlier things I was just seeing https requests to facebook API servers from the iPad, but I don’t think I looked too closely at images. I have no idea if they’ve actually fixed the holes and I don’t have an iPad to test it on. If you do, go try it.</p>
<p>Posted in General. Tags: exploit, friendly, html, ipad, javascript, security.</p>