Comments on: lolcatting all the way to the bank

lolcatting all the way to the bank

quonsar — Fri, 01 Aug 2008 13:11:34 -0800

goatse hijacked my bank account

By: uncleozzy

uncleozzy — Fri, 01 Aug 2008 13:15:52 -0800

GIFAR?

By: Shepherd

Shepherd — Fri, 01 Aug 2008 13:17:22 -0800

...and that is why I use Firefox and NoScript.

By: public

public — Fri, 01 Aug 2008 13:19:22 -0800

Not entirely sure why this has broken again today it first came out a month ago.

By: roll truck roll

roll truck roll — Fri, 01 Aug 2008 13:20:03 -0800

For stupid people, can someone please explain why this hack would only work on Facebook-type sites? Why wouldn't such an image be able to be displayed on any site?

By: mr_crash_davis

mr_crash_davis — Fri, 01 Aug 2008 13:21:21 -0800

"There is one catch, however. The victim would have to be logged into the Web site that is hosting the image for the attack to work. 'The attack is going to work best wherever you leave yourself logged in for long periods of time,' Heasman said." Bastards! They've obviously developed this attack with Metafilter in mind!

By: Debaser626

Debaser626 — Fri, 01 Aug 2008 13:21:29 -0800

He and his fellow Black Hat presenters have entitled their talk The Internet is Broken. So fix it. Oh wait, you can't. So it's not so much broken, as it's flawed. To a certain degree, like having a window in your house is a "flaw." Sure, it makes it look pretty, adds some functionality in resale, but "they" can use it to get in. Soooo.... you make a stronger window, "they" get a better crowbar, add a security system, "they" find the callbox, and on and on.

By: Ambrosia Voyeur

Ambrosia Voyeur — Fri, 01 Aug 2008 13:23:31 -0800

goatse hijacked my bank account, murdered my parents and drove my husband and children to leave me. All for the *snif* lulz.

By: Debaser626

Debaser626 — Fri, 01 Aug 2008 13:24:37 -0800

For stupid people, can someone please explain why this hack would only work on Facebook-type sites? Why wouldn't such an image be able to be displayed on any site? I think they said the the image would have to be user-uploaded, so the site would have to allow for image uploads.

By: xorry

xorry — Fri, 01 Aug 2008 13:28:07 -0800

I'm not following that link..

By: ardgedee

ardgedee — Fri, 01 Aug 2008 13:29:07 -0800

> can someone please explain why this hack would only work on Facebook-type sites? It probably works on any website the attacker can upload an image to. A profile on Facebook is more likely to be visited by random people than a page on a brand-new website somewhere. The author of the writeup is partly trying to grab attention by namedropping, and partially illuminating a real consequence of how people currently use the web.

By: mark242

mark242 — Fri, 01 Aug 2008 13:30:16 -0800

The fix for this is (probably) to have your Java runtime actually look at the MIME type being sent by the webserver, and refuse to actually execute code that wasn't application/x-java-archive. The alternative (making every webserver verify the magic number of the file versus the extension and mime type) is probably too big of a problem to fix.

By: cavalier

cavalier — Fri, 01 Aug 2008 13:30:40 -0800

I like that the security blog memed it as "lolcat stole your [bank account, etc]" yet here we've memed it as goatse. Someone could write a paper on that. Neat idea -- shoving java into a GIF onto an unsuspecting web page that is already processing java. Pisser that those social websites need so much java to do their fancypants things.

By: Mister_A

Mister_A — Fri, 01 Aug 2008 13:31:49 -0800

Gross!

By: boo_radley

boo_radley — Fri, 01 Aug 2008 13:35:34 -0800

that's not the only thing goatse is jacking [UNF UNF UNF UNF]

By: mrgrimm

mrgrimm — Fri, 01 Aug 2008 13:35:34 -0800

Seconding the NoScript extension. I'm not as confident as Shepherd that it solves the problem entirely, but why not use it.

By: uncleozzy

uncleozzy — Fri, 01 Aug 2008 13:35:56 -0800

shoving java into a GIF onto an unsuspecting web page that is already processing java. Pisser that those social websites need so much java to do their fancypants things. I think you might be confusing Java and JavaScript. The hook here is that you're just using the social whatnot site to host the image/JAR and draw people into the trap, not that it has anything to do with executing the malicious code.

By: porn in the woods

porn in the woods — Fri, 01 Aug 2008 13:40:15 -0800

Nonsense. I've been surfing 4chan all morning on an unpatched XP box and nothZxfti23 45X4 [NO CARRIER]

By: cavalier

cavalier — Fri, 01 Aug 2008 13:40:36 -0800

Wouldn't be the first time. But my impression from the article was that the web page would have to say "Hey! There's Java on this here page, kick up your JVM", and that I would then attempt to compile the GIFAR and run it. Do I have that backwards? Never said I was a developer... foo...

By: cortex

cortex — Fri, 01 Aug 2008 13:42:31 -0800

Do we call this steganaggrophy?

By: saulgoodman

saulgoodman — Fri, 01 Aug 2008 13:43:22 -0800

but if you disable your browser's java support, you're just fine. so, do that.

By: saulgoodman

saulgoodman — Fri, 01 Aug 2008 13:45:44 -0800

the web page would have to say "Hey! There's Java on this here page, kick up your JVM", and that I would then attempt to compile the GIFAR and run it if your browser is configured to allow java execution, the java client just runs the code, without prompting you. doesn't matter if you're at a java intensive site or not.

By: uncleozzy

uncleozzy — Fri, 01 Aug 2008 13:47:00 -0800

Do I have that backwards? Nope you've got it right, but they specify that the execution is called for externally:

Then they'd trick the victim into visiting a malicious Web site, which would tell the victim's browser to go open the GIFAR

And yeah, saul, pretty much the only reason my JVM ever gets called is for 1999-style GIF-in-a-lake effects (and occasionally the Yahoo crossword puzzle). Disable it if it's a concern.

By: damn dirty ape

damn dirty ape — Fri, 01 Aug 2008 13:52:36 -0800

nothZxfti23 45X4 [NO CARRIER] I'm really surprised by all the people here who run serial cables to the datacenter mefi is hosted at. Perhaps we can spruce the site up with some ANSI color graphics and Door games.

By: ook

ook — Fri, 01 Aug 2008 13:53:47 -0800

can someone please explain why this hack would only work on Facebook-type sites? I think that just being able to upload images isn't even sufficient for this to be a real vulnerability. So: the attacker uploads a JAR which the server thinks is a GIF but the victim's client executes it as a java applet. So far so good. But for most cases that wouldn't be any different than executing any other java applet on purpose; java can't access any data outside its own little sandbox. The catch seems to be that a GIFAR runs with the privileges of the hosting site, not that of a random untrusted applet. So if somebody attacked you via facebook, for example, they'd be able to access only whatever information facebook would have access to if they had delivered the java applet to you directly -- but the attacker would still be limited to facebook's sandbox, they wouldn't be able to just dig at will through your hard drive. I assume this is why the report says "The victim would have to be logged into the Web site that is hosting the image for the attack to work." I don't speak much java, so I'm not exactly sure how much of a problem that would be in real terms -- I guess an attack of this type via facebook could maybe get hold of your facebook login info, for example. Your bank statements will still be safe, though. (And I'm not certain, but it might also be necessary for the hosting site to be using java for legitimate purposes for this to be a vulnerability, in order for there to be any interesting data for a GIFAR to gain access to. If that's the case, then this is a pretty tiny window of attack: only works on sites which use java for sensitive data and allow users to upload images for other users to view. Nifty hack, though.)

By: finite

finite — Fri, 01 Aug 2008 13:54:00 -0800

can someone please explain why this hack would only work on Facebook-type sites? Why wouldn't such an image be able to be displayed on any site? Their malicious java applet is only able to steal cookies from (and do XmlHttpRequests to) the domain that it originated from. So, when you load malicious code from a site that you are logged in to, then your authentication credentials (cookies) for that site can be compromised. See cross-site scripting for more details. So, social networking sites are ideal for this kind of attack because (a) they let you upload things and (b) people often stay logged in to them while browsing other sites (so, a hidden frame on another random site may covertly load a page from a site that you are logged into steal your cookies from there). One way to mitigate this particular problem (and many others) is to only enable Java when you actually need to use it (which I haven't in weeks).

By: TheOnlyCoolTim

TheOnlyCoolTim — Fri, 01 Aug 2008 13:54:11 -0800

Yeah, I just disabled Java. The two times a year that I end up needing it on a website, I can turn it back on.

By: greensweater

greensweater — Fri, 01 Aug 2008 13:55:31 -0800

"The Internet Is Broken" Are we sure this title is alarmist enough? Does NetCraft confirm this? Is our children learning???

By: ook

ook — Fri, 01 Aug 2008 13:58:39 -0800

Yeah, now that I look, public's o'reilly link up there seems to confirm that last part: "assuming the web server runs a JVM, it allows one to run a malicious java applet on someone else's web server."

By: delmoi

delmoi — Fri, 01 Aug 2008 14:01:01 -0800

It sounds like this is actually a lot less of a problem then it sounds like. For one thing, the GIFAR will be shown as a GIF initially, you would need to load it from inside an applet tag or object tag, and if the site you're on allows those tags, then you can do a lot of other things too.

By: mkb

mkb — Fri, 01 Aug 2008 14:02:45 -0800

So: the attacker uploads a JAR which the server thinks is a GIF but the victim's client executes it as a java applet. So far so good. But for most cases that wouldn't be any different than executing any other java applet on purpose; java can't access any data outside its own little sandbox. The attacker uploads a file that has a valid GIF at the start of the file and a valid JAR file (a ZIP file with headers at the END) at the end of the file. Loading this as an image with an <img> tag in your browser is not going to do anything but display the image. The attacker has to trick you into viewing a page with a complementary <applet> tag. that then loads and executes the JAR.

By: quin

quin — Fri, 01 Aug 2008 14:04:41 -0800

Are we sure this title is alarmist enough? The Internet Emits A High Frequency Wave That Is Both Lobotomizing You And Giving You Cancer. Also, It Is Selling Your Children Marijuana Laced With Horse Tranquilizers and It Took Out Insurance On Your House And It's Planning On Torching The Place, Collecting The Money, And Then Skipping Town.

By: mkb

mkb — Fri, 01 Aug 2008 14:05:34 -0800

"assuming the web server runs a JVM, it allows one to run a malicious java applet on someone else's web server." I think the author of that entry is missing something. This is an attack on a client. Do web servers typically try to load image files as JARs, even if they have a JVM?

By: ook

ook — Fri, 01 Aug 2008 14:12:42 -0800

Yeah, now that you mention it, I think you're right, mkb; that doesn't make a lot of sense. (I also think you're probably right about the <applet> tag, which may be where that confusion came from.) In any case, this is sounding less like "the internet is broken" than "the internet is vulnerable to Rube Goldberg".

By: ciderwoman

ciderwoman — Fri, 01 Aug 2008 14:19:43 -0800

quonsar in arsehole shocker.

By: StickyCarpet

StickyCarpet — Fri, 01 Aug 2008 14:30:35 -0800

Bring. It. On!

By: davejay

davejay — Fri, 01 Aug 2008 14:32:01 -0800

I can't tell you how sad I am that I can't find a clip of Jafar getting his eyes examined from that Family Guy episode, liked with the text "Jafar after Goatse GIFAR." sigh

By: pwb503

pwb503 — Fri, 01 Aug 2008 14:39:15 -0800

Isn't this the same reason we no longer can use the image tag on metafilter?

By: tommasz

tommasz — Fri, 01 Aug 2008 14:52:15 -0800

First it takes your childlike sense of innocence, then it takes your cash.

By: Brak

Brak — Fri, 01 Aug 2008 14:55:16 -0800

This sounds like another variation on cross-site scripting, which I attack with good user practices at this point; I access any websites with sensitive information in a separate browser process from other casual browsing, which in turn isolates my sensitive authentication information from potentially malicious code the latter group. Or sometimes, when I'm feeling really paranoid, I close down all of my browsers, before opening a new one to do bank transactions or whatnot. I know the whole 'the internet is broken' thing reeks of hyperbole, but I have to admit, my introduction to the cross-site scripting class of vulnerabilities was the first time in a long time that I had to stop and reassess my (already pretty stringent) strategies for safe internet access. And given the subtleties in those types of attacks, even to my tech/security-centric thinking, I projected their effect on my non-tech-savvy friends and relations, and wept silently for the identity theft to come.

By: LarryC

LarryC — Fri, 01 Aug 2008 15:47:16 -0800

I don't understand any of this stuff, but didn't this come up a year or two ago and isn't it the reason that Matt pulled the image tag?

By: srboisvert

srboisvert — Fri, 01 Aug 2008 15:56:22 -0800

I too have a giant gaping 0 in my bank account.

By: quonsar

quonsar — Fri, 01 Aug 2008 16:20:49 -0800

but didn't this come up a year or two ago and isn't it the reason that Matt pulled the image tag? no.

By: Malor

Malor — Fri, 01 Aug 2008 16:36:48 -0800

Different security issue, but he did originally pull them for security. Gotta love it when security bugs result in a better outcome. :)

By: mr_crash_davis

mr_crash_davis — Fri, 01 Aug 2008 17:10:42 -0800

"I close down all of my browsers, before opening a new one to do bank transactions or whatnot." This is my usual method. If it's really sensitive data, I buy a new laptop, use it, then burn it afterward.

By: shakespeherian

shakespeherian — Fri, 01 Aug 2008 17:11:59 -0800

The Jafar puns make me wonder why people pronounce gif with a soft g.

By: bh

bh — Fri, 01 Aug 2008 17:23:20 -0800

The Jafar puns make me wonder why people pronounce gif with a soft g. For the same reason people pronounce Linux the way they do.

By: graventy

graventy — Fri, 01 Aug 2008 18:24:28 -0800

Because choosy moms choose gif.

By: Mitheral

Mitheral — Fri, 01 Aug 2008 22:37:24 -0800

porn in the woods writes "[NO CARRIER]" I wonder whether anyone born after 1985 or so gets this bit.

By: breath

breath — Sat, 02 Aug 2008 01:35:54 -0800

Their malicious java applet is only able to steal cookies from (and do XmlHttpRequests to) the domain that it originated from. The simple solution for any social site is to serve up images from a different domain. I.e. facebook should serve up its images from facebookimages.com, or just the ip address, 69.63.176.140. This general class of attack and the defenses against it are pretty well discussed in this book. [disclaimer: I am friends with one of the authors]

By: Jimbob

Jimbob — Sat, 02 Aug 2008 03:46:18 -0800

After watching java.exe sit there taking up 90-odd meg of RAM on my low-spec laptop, and watching the process restart itself every time I tried to kill it off, I uninstalled Java last week (and am currently loving the new lease on life all that memory being returned has given this old beast). I can't remember the last time I used Java for anything useful, although I was into Processing for a while. Now my decision is feeling even smarter.

By: uncleozzy

uncleozzy — Sat, 02 Aug 2008 08:10:52 -0800

The Jafar puns make me wonder why people pronounce gif with a soft g. Hey man, when I downloaded my first grainy, monochrome GIF of Marina Sirtis' face composited onto a nudie shot, that was the common pronunciation.

By: effugas

effugas — Sat, 02 Aug 2008 10:15:04 -0800

OK, I know Heasman. I've worked in the same office as Heasman. He's awesome. He's been doing some fantastically tricky thing to Java as of late. The GIFAR thing is a known class of issue. We've been having GIFs that can render as Javascript for years. This, specifically, is why it's not safe for any site to allow user generated files to be loaded from a domain that contains private data. And that's what you see, generally, in the field -- MySpace hosting their images from myspacecdn, Flickr from yimg, Google Cache from IP addresses, and so on. Browser security is something of a hack, but it gets a lot more crap than it should. It does actually work a lot better than a lot of other things.

By: effugas

effugas — Sat, 02 Aug 2008 10:17:33 -0800

Regarding the killing of the img tag on Metafilter, I expect that has more to do with defenses against CSRF (Cross-Site Request Forgery) -- specifically, there used to be a decent number of ways a malicious img link could combine with your user credentials to mess things up. REST is unfortunately beautiful but difficult to secure, and vulnerability to img links is one of its traits.