lolcatting all the way to the bank
August 1, 2008 1:11 PM   Subscribe

GIFAR?
posted by uncleozzy at 1:15 PM on August 1, 2008 [1 favorite has favorites]

...and that is why I use Firefox and NoScript.
posted by Shepherd at 1:17 PM on August 1, 2008

Not entirely sure why this has broken again today it first came out a month ago.
posted by public at 1:19 PM on August 1, 2008

For stupid people, can someone please explain why this hack would only work on Facebook-type sites? Why wouldn't such an image be able to be displayed on any site?
posted by roll truck roll at 1:20 PM on August 1, 2008

"There is one catch, however. The victim would have to be logged into the Web site that is hosting the image for the attack to work. 'The attack is going to work best wherever you leave yourself logged in for long periods of time,' Heasman said."

Bastards! They've obviously developed this attack with Metafilter in mind!
posted by mr_crash_davis at 1:21 PM on August 1, 2008

He and his fellow Black Hat presenters have entitled their talk The Internet is Broken.


So fix it. Oh wait, you can't.

So it's not so much broken, as it's flawed. To a certain degree, like having a window in your house is a "flaw." Sure, it makes it look pretty, adds some functionality in resale, but "they" can use it to get in. Soooo.... you make a stronger window, "they" get a better crowbar, add a security system, "they" find the callbox, and on and on.
posted by Debaser626 at 1:21 PM on August 1, 2008

goatse hijacked my bank account, murdered my parents and drove my husband and children to leave me. All for the *snif* lulz.
posted by Ambrosia Voyeur at 1:23 PM on August 1, 2008 [4 favorites has favorites]

For stupid people, can someone please explain why this hack would only work on Facebook-type sites? Why wouldn't such an image be able to be displayed on any site? I think they said the the image would have to be user-uploaded, so the site would have to allow for image uploads.
posted by Debaser626 at 1:24 PM on August 1, 2008

I'm not following that link..
posted by xorry at 1:28 PM on August 1, 2008

> can someone please explain why this hack would only work on Facebook-type sites?

It probably works on any website the attacker can upload an image to. A profile on Facebook is more likely to be visited by random people than a page on a brand-new website somewhere. The author of the writeup is partly trying to grab attention by namedropping, and partially illuminating a real consequence of how people currently use the web.
posted by ardgedee at 1:29 PM on August 1, 2008

The fix for this is (probably) to have your Java runtime actually look at the MIME type being sent by the webserver, and refuse to actually execute code that wasn't application/x-java-archive. The alternative (making every webserver verify the magic number of the file versus the extension and mime type) is probably too big of a problem to fix.
posted by mark242 at 1:30 PM on August 1, 2008

I like that the security blog memed it as "lolcat stole your [bank account, etc]" yet here we've memed it as goatse. Someone could write a paper on that.

Neat idea -- shoving java into a GIF onto an unsuspecting web page that is already processing java. Pisser that those social websites need so much java to do their fancypants things.
posted by cavalier at 1:30 PM on August 1, 2008

Gross!
posted by Mister_A at 1:31 PM on August 1, 2008

that's not the only thing goatse is jacking

[UNF UNF UNF UNF]
posted by boo_radley at 1:35 PM on August 1, 2008 [1 favorite has favorites]

Seconding the NoScript extension. I'm not as confident as Shepherd that it solves the problem entirely, but why not use it.
posted by mrgrimm at 1:35 PM on August 1, 2008

shoving java into a GIF onto an unsuspecting web page that is already processing java. Pisser that those social websites need so much java to do their fancypants things.

I think you might be confusing Java and JavaScript. The hook here is that you're just using the social whatnot site to host the image/JAR and draw people into the trap, not that it has anything to do with executing the malicious code.
posted by uncleozzy at 1:35 PM on August 1, 2008

Nonsense. I've been surfing 4chan all morning on an unpatched XP box and nothZxfti23 45X4

[NO CARRIER]
posted by porn in the woods at 1:40 PM on August 1, 2008 [2 favorites has favorites]

Wouldn't be the first time. But my impression from the article was that the web page would have to say "Hey! There's Java on this here page, kick up your JVM", and that I would then attempt to compile the GIFAR and run it. Do I have that backwards? Never said I was a developer... foo...
posted by cavalier at 1:40 PM on August 1, 2008

Do we call this steganaggrophy?
posted by cortex at 1:42 PM on August 1, 2008

but if you disable your browser's java support, you're just fine. so, do that.
posted by saulgoodman at 1:43 PM on August 1, 2008

the web page would have to say "Hey! There's Java on this here page, kick up your JVM", and that I would then attempt to compile the GIFAR and run it

if your browser is configured to allow java execution, the java client just runs the code, without prompting you. doesn't matter if you're at a java intensive site or not.
posted by saulgoodman at 1:45 PM on August 1, 2008

Do I have that backwards?

Nope you've got it right, but they specify that the execution is called for externally:

Then they'd trick the victim into visiting a malicious Web site, which would tell the victim's browser to go open the GIFAR

And yeah, saul, pretty much the only reason my JVM ever gets called is for 1999-style GIF-in-a-lake effects (and occasionally the Yahoo crossword puzzle). Disable it if it's a concern.
posted by uncleozzy at 1:47 PM on August 1, 2008

nothZxfti23 45X4

[NO CARRIER]

I'm really surprised by all the people here who run serial cables to the datacenter mefi is hosted at. Perhaps we can spruce the site up with some ANSI color graphics and Door games.
posted by damn dirty ape at 1:52 PM on August 1, 2008 [9 favorites has favorites]

can someone please explain why this hack would only work on Facebook-type sites?

I think that just being able to upload images isn't even sufficient for this to be a real vulnerability.

So: the attacker uploads a JAR which the server thinks is a GIF but the victim's client executes it as a java applet. So far so good. But for most cases that wouldn't be any different than executing any other java applet on purpose; java can't access any data outside its own little sandbox.

The catch seems to be that a GIFAR runs with the privileges of the hosting site, not that of a random untrusted applet. So if somebody attacked you via facebook, for example, they'd be able to access only whatever information facebook would have access to if they had delivered the java applet to you directly -- but the attacker would still be limited to facebook's sandbox, they wouldn't be able to just dig at will through your hard drive. I assume this is why the report says "The victim would have to be logged into the Web site that is hosting the image for the attack to work."

I don't speak much java, so I'm not exactly sure how much of a problem that would be in real terms -- I guess an attack of this type via facebook could maybe get hold of your facebook login info, for example. Your bank statements will still be safe, though.

(And I'm not certain, but it might also be necessary for the hosting site to be using java for legitimate purposes for this to be a vulnerability, in order for there to be any interesting data for a GIFAR to gain access to. If that's the case, then this is a pretty tiny window of attack: only works on sites which use java for sensitive data and allow users to upload images for other users to view. Nifty hack, though.)
posted by ook at 1:53 PM on August 1, 2008 [2 favorites has favorites]

can someone please explain why this hack would only work on Facebook-type sites? Why wouldn't such an image be able to be displayed on any site?

Their malicious java applet is only able to steal cookies from (and do XmlHttpRequests to) the domain that it originated from. So, when you load malicious code from a site that you are logged in to, then your authentication credentials (cookies) for that site can be compromised. See cross-site scripting for more details. So, social networking sites are ideal for this kind of attack because (a) they let you upload things and (b) people often stay logged in to them while browsing other sites (so, a hidden frame on another random site may covertly load a page from a site that you are logged into steal your cookies from there).

One way to mitigate this particular problem (and many others) is to only enable Java when you actually need to use it (which I haven't in weeks).
posted by finite at 1:54 PM on August 1, 2008 [2 favorites has favorites]

Yeah, I just disabled Java. The two times a year that I end up needing it on a website, I can turn it back on.
posted by TheOnlyCoolTim at 1:54 PM on August 1, 2008

"The Internet Is Broken"

Are we sure this title is alarmist enough? Does NetCraft confirm this? Is our children learning???
posted by greensweater at 1:55 PM on August 1, 2008 [1 favorite has favorites]

Yeah, now that I look, public's o'reilly link up there seems to confirm that last part: "assuming the web server runs a JVM, it allows one to run a malicious java applet on someone else's web server."
posted by ook at 1:58 PM on August 1, 2008

It sounds like this is actually a lot less of a problem then it sounds like. For one thing, the GIFAR will be shown as a GIF initially, you would need to load it from inside an applet tag or object tag, and if the site you're on allows those tags, then you can do a lot of other things too.
posted by delmoi at 2:01 PM on August 1, 2008

So: the attacker uploads a JAR which the server thinks is a GIF but the victim's client executes it as a java applet. So far so good. But for most cases that wouldn't be any different than executing any other java applet on purpose; java can't access any data outside its own little sandbox.

The attacker uploads a file that has a valid GIF at the start of the file and a valid JAR file (a ZIP file with headers at the END) at the end of the file. Loading this as an image with an <img> tag in your browser is not going to do anything but display the image. The attacker has to trick you into viewing a page with a complementary <applet> tag. that then loads and executes the JAR.
posted by mkb at 2:02 PM on August 1, 2008

Are we sure this title is alarmist enough?

The Internet Emits A High Frequency Wave That Is Both Lobotomizing You And Giving You Cancer. Also, It Is Selling Your Children Marijuana Laced With Horse Tranquilizers and It Took Out Insurance On Your House And It's Planning On Torching The Place, Collecting The Money, And Then Skipping Town.
posted by quin at 2:04 PM on August 1, 2008 [2 favorites has favorites]

"assuming the web server runs a JVM, it allows one to run a malicious java applet on someone else's web server."

I think the author of that entry is missing something. This is an attack on a client. Do web servers typically try to load image files as JARs, even if they have a JVM?
posted by mkb at 2:05 PM on August 1, 2008 [1 favorite has favorites]

Yeah, now that you mention it, I think you're right, mkb; that doesn't make a lot of sense. (I also think you're probably right about the <applet> tag, which may be where that confusion came from.)

In any case, this is sounding less like "the internet is broken" than "the internet is vulnerable to Rube Goldberg".
posted by ook at 2:12 PM on August 1, 2008

quonsar in arsehole shocker.
posted by ciderwoman at 2:19 PM on August 1, 2008 [1 favorite has favorites]

Bring. It. On!
posted by StickyCarpet at 2:30 PM on August 1, 2008

I can't tell you how sad I am that I can't find a clip of Jafar getting his eyes examined from that Family Guy episode, liked with the text "Jafar after Goatse GIFAR."

sigh
posted by davejay at 2:32 PM on August 1, 2008

Isn't this the same reason we no longer can use the image tag on metafilter?
posted by pwb503 at 2:39 PM on August 1, 2008

First it takes your childlike sense of innocence, then it takes your cash.
posted by tommasz at 2:52 PM on August 1, 2008 [4 favorites has favorites]

This sounds like another variation on cross-site scripting, which I attack with good user practices at this point; I access any websites with sensitive information in a separate browser process from other casual browsing, which in turn isolates my sensitive authentication information from potentially malicious code the latter group. Or sometimes, when I'm feeling really paranoid, I close down all of my browsers, before opening a new one to do bank transactions or whatnot.

I know the whole 'the internet is broken' thing reeks of hyperbole, but I have to admit, my introduction to the cross-site scripting class of vulnerabilities was the first time in a long time that I had to stop and reassess my (already pretty stringent) strategies for safe internet access. And given the subtleties in those types of attacks, even to my tech/security-centric thinking, I projected their effect on my non-tech-savvy friends and relations, and wept silently for the identity theft to come.
posted by Brak at 2:55 PM on August 1, 2008 [1 favorite has favorites]

I don't understand any of this stuff, but didn't this come up a year or two ago and isn't it the reason that Matt pulled the image tag?
posted by LarryC at 3:47 PM on August 1, 2008

I too have a giant gaping 0 in my bank account.
posted by srboisvert at 3:56 PM on August 1, 2008 [2 favorites has favorites]

but didn't this come up a year or two ago and isn't it the reason that Matt pulled the image tag?

no.
posted by quonsar at 4:20 PM on August 1, 2008 [1 favorite has favorites]

Different security issue, but he did originally pull them for security. Gotta love it when security bugs result in a better outcome. :)
posted by Malor at 4:36 PM on August 1, 2008

"I close down all of my browsers, before opening a new one to do bank transactions or whatnot."

This is my usual method.

If it's really sensitive data, I buy a new laptop, use it, then burn it afterward.
posted by mr_crash_davis at 5:10 PM on August 1, 2008

The Jafar puns make me wonder why people pronounce gif with a soft g.
posted by shakespeherian at 5:11 PM on August 1, 2008 [1 favorite has favorites]

The Jafar puns make me wonder why people pronounce gif with a soft g.

For the same reason people pronounce Linux the way they do.
posted by bh at 5:23 PM on August 1, 2008

Because choosy moms choose gif.
posted by graventy at 6:24 PM on August 1, 2008

porn in the woods writes "[NO CARRIER]"

I wonder whether anyone born after 1985 or so gets this bit.
posted by Mitheral at 10:37 PM on August 1, 2008

Their malicious java applet is only able to steal cookies from (and do XmlHttpRequests to) the domain that it originated from.

The simple solution for any social site is to serve up images from a different domain. I.e. facebook should serve up its images from facebookimages.com, or just the ip address, 69.63.176.140.

This general class of attack and the defenses against it are pretty well discussed in this book. [disclaimer: I am friends with one of the authors]
posted by breath at 1:35 AM on August 2, 2008

After watching java.exe sit there taking up 90-odd meg of RAM on my low-spec laptop, and watching the process restart itself every time I tried to kill it off, I uninstalled Java last week (and am currently loving the new lease on life all that memory being returned has given this old beast). I can't remember the last time I used Java for anything useful, although I was into Processing for a while. Now my decision is feeling even smarter.
posted by Jimbob at 3:46 AM on August 2, 2008

The Jafar puns make me wonder why people pronounce gif with a soft g.

Hey man, when I downloaded my first grainy, monochrome GIF of Marina Sirtis' face composited onto a nudie shot, that was the common pronunciation.
posted by uncleozzy at 8:10 AM on August 2, 2008

OK, I know Heasman. I've worked in the same office as Heasman. He's awesome. He's been doing some fantastically tricky thing to Java as of late.

The GIFAR thing is a known class of issue. We've been having GIFs that can render as Javascript for years. This, specifically, is why it's not safe for any site to allow user generated files to be loaded from a domain that contains private data. And that's what you see, generally, in the field -- MySpace hosting their images from myspacecdn, Flickr from yimg, Google Cache from IP addresses, and so on.

Browser security is something of a hack, but it gets a lot more crap than it should. It does actually work a lot better than a lot of other things.
posted by effugas at 10:15 AM on August 2, 2008

Regarding the killing of the img tag on Metafilter, I expect that has more to do with defenses against CSRF (Cross-Site Request Forgery) -- specifically, there used to be a decent number of ways a malicious img link could combine with your user credentials to mess things up. REST is unfortunately beautiful but difficult to secure, and vulnerability to img links is one of its traits.
posted by effugas at 10:17 AM on August 2, 2008