I did a presentation at work that tried to give a general introduction to cybersecurity taking in phishing and ethical hacking. I’ve re-jigged the slides a bit and uploaded them here on the off chance that somebody finds them useful for some reason.
Category: Security
Backblaze belatedly inform customers of Facebook tracking breach
I’ve just received the following email from Backblaze informing me, almost two months after they discovered it, that they’d accidentally been sending some customer file metadata to Facebook. As it happens, I was already aware of this incident from coverage on Hacker News amongst other places. Also, I don’t upload any confidential data to my Backblaze account without encrypting it (and its filename) locally first. On this occasion, the breach was relatively minor but it’s always a good idea to have this kind of defense in depth strategy when using cloud services.
We are writing to inform you of a recent event that may have involved your account. On March 8, 2021, a new Backblaze marketing campaign was incorrectly configured to potentially trigger an advertising pixel on a signed-in page “b2_browse_files2.htm.” The issue was discovered on March 21, 2021 and promptly fixed the same day. You are receiving this correspondence because, based on our investigation, we believe that you may have accessed that page during this time frame. If you accessed that page and you took the additional steps of browsing your files AND clicking on a file to preview file information, certain metadata consisting of the file name, file size, and upload timestamp may have been shared with Facebook. No customer files, nor the content of any customer files, were shared. Facebook is obligated to only process information based on our instructions and we have instructed them to not further process this data and to delete it. We therefore have no reason to believe this event had any impact on your account, but we nevertheless wanted to provide you with this update and apologize for this mistake. If you would like more information, please see the following link: Privacy Update: Third-party Tracking (backblaze.com). If you have any questions, please contact Backblaze Customer Support at [email protected]. The Backblaze Team
From Hacker News Submission to Site Compromise In One Simple Form
I was browsing around Hacker News earlier today when I came across an strange site that had made it all the way to the front page despite consisting of a single page with the three letters ‘WTF’ on it. Naturally my reaction was “WTF?”
(I’m not linking to the site in question as it’s still vulnerable at the time of writing)
It was pretty obvious that whatever was supposed to have been there had been compromised and the homepage replaced with the aforementioned TLA. I was curious to know how it happened so I started with the archive.org cache of the site. From there it was just a case of viewing source and finding the link to the Javascript file.
And there in the Javascript was the obvious culprit:
document.form_body.sorce.value = document.documentElement.outerHTML; document.form_body.action = './php/file_put_contents_index.php'; document.form_body.submit();What this is doing is taking part of the HTML document and submitting it to a form which, from the filename, we can assume writes it to the filesystem. If you’re going to do this (and you almost certainly shouldn’t) your server side script absolutely must sanitise the input. This particular site didn’t. This is a bad thing TM. It’s never safe to assume that anything POSTed to your backend is actually what you expect it to be. In this case, the site was a social bookmarking tool and the script seems to have been intended to download a preview of the bookmarked site in an iframe and then send the HTML to the backend to be incorporated into the main page HTML. (I have no idea why you would do it like this).
By constructing our own POST (using a technical, high tech hacker tool known as Firefox) we can send arbitrary data and have it overwrite the the index.html
But, wait! There’s more.
It gets worse. The form appears in the HTML like so:
<form name="form_body" method="post"> <input type="hidden" name="filename" value="../index.html">Yep, we get to choose which file to write to as well. Back in our high tech hacking tool we can change that filename value to, say:
<input type="hidden" name="filename" value="../leethack.php">and send a payload of:
sorce=%3C%3Fphp%20phpinfo%28%29%3B%20%3F%3Eand, hey presto, a new file gets written in the root directory of the site and it is executable PHP.
If I was a maliciously-minded individual, I could now upload a PHP web shell and execute arbitrary commands with the privileges of the account that’s running the PHP daemon. In the interests of not getting arrested and charged under Section 3 of the Computer Misuse Act, I didn’t dig any further.
The lessons we learn from this:
- Sanitise your inputs! Do not ever trust anything submitted from the client
- Don’t write arbitrary data to disk. Caveat: there’s a few cases where this has to be done but you absolutely must know what you’re doing.
- Posting sites to tech forums like Hacker News pretty much guarantees that somebody is going to try peaking under the hood to see how it works. If you’ve not stuck to basic security principles it won’t take long for someone to find a hole.
