Ma.gnolia Exploit: SpamMarking?
I just hacked out a little exploit/”proof of concept” for automatically bookmarking a site on ma.gnolia without the user noticing. This is a very simple hack, based on prefetching a link to a bookmarklet. If you are using Firefox or any other browser that uses prefetching (and you have a ma.gnolia account), check it out. You’ve just bookmarked this site :)
// this script will set a prefetch link on a page, which, if the browser has prefetching enabled, will bookmark the site on ma.gnolia.com
// this is an inherent security hole in automatic bookmarklets. The point of having them is to accept user input from 3rd party locations--therefore, it can't be trusted.
function magnoliaBookmark()
{
  // selected text, with runs of spaces collapsed to %20 and leading/trailing spaces trimmed
  s=String(window.getSelection()).replace(/ {2,}/g,'%20').replace(/^ | $/g,'');
  m='';
  d='';
  // walk the page's <meta> tags to fill in the values the bookmarklet URL expects
  metas=document.getElementsByTagName('meta');
  for(count=0;count');
  // the rest of this loop and the document.write() that emits the prefetch <link> did not survive the page capture
}
magnoliaBookmark();
This technique can be used on any other site that allows a link to add information to a user's account without further user interaction. I can think of several fixes for this, such as:
- Image verification
- Passphrase verification
- Simply any further interaction of any kind from the processing page.
I’m sure you can come up with countless more fixes… It’s just not safe to allow someone to so easily add information to an account. Del.icio.us has a better way of doing it. Although not as transparent and seamless, it requires the user to hit ‘save’ before adding the bookmark. Granted, this too could be bypassed by opening the del.icio.us URL in a new window and then using javascript to submit the form within that window, then close the window (all of which could be done in a matter of milliseconds–before the user could see what was happening).
I’m all for web 2.0 but we must be careful not to fall into huge security traps while we build these cool sites. Ma.gnolia.com is still pretty damn cool.
If you hate this site, feel free to delete it from your ma.gnolia account :)