View GWT Metrics in Firebug

GWT's Lightweight Metrics System provides insight on latency issues. Unfortunately, using it requires downloading and compiling a debug module, or requires writing a javascript collector method.

Here's introducing gwtmetrics - a bookmarklet that allows you to view metrics for any GWT website without modifying code. The current version uses firebug's console to display metrics; the next version plans to use YUI's log console.

So if you have firebug enabled, drag this link to your bookmarks folder. Visit any GWT website (Orkut, for example), and click on the bookmark. You should see metrics getting logged in firebug.

This system provides a lot more insight than firebug's net panel. For example, it tells you the time spent in your AsyncCallback implementation. Additionally, if you add your own instrumentation, this framework would be able to display the metrics without any change.

If you would like more control, you can download the js library (no dependencies) and include it in your host.html just before your module.nocache.js file.

<script type="text/javascript" language="javascript" src="http://degwt.googlecode.com/svn/trunk/static/js/gwtmetrics.js"></script>
<script>gwtmetrics('firebug');</script>

Including the script obviously requires a code change, but it allows you to view  startup metrics that's not possible with the bookmarklet.

Comments and feedback are welcome. If you encounter a problem, leave a message, or better, create an issue.

--Sri

Stop a nuclear disaster -- or stop stealing email accounts?

I have received 3 emails the past two weeks about stopping a nuclear disaster - all from people who had my email in their address book.  The email tells why the civil liability for nuclear damage bill should not be passed - and in the end asks me to sign a petition. I sign the petition, and then it redirects me to this page which asks me for my email and password.

Read that again - they ask me for my email and password, so that they can get my address book and send an email on my behalf to all my contacts. And people are actually giving their passwords away.


Sadly, its just another case of spammers using social engineering to get their job done.

Indian Banks Promoting Phishing

What's the first thing that comes to your mind when you see URLs like

• healthinsurance-icicilombard.com original
• icici-homeloans.com original
• bajaj-allianz.co.in original
• bajajallianz-igain.com original
• hdfcbankcarloans.co.in original
• hdfcbankpersonalloans.co.in original

Phishing websites, right? What if I tell you the said institutions are actually promoting these urls to generate leads?

These well known financial institutions have approached a search engine marketing company. The company in turn creates these websites, and promotes them on the internet. Any icici home loan advertisement on the internet takes you to this look-alike website.

My initial thought was that banks are unaware of this. I contacted the marketing company to learn more, and they told me "We are a search engine marketing company and we have contractual agreement with these financial institutions to create, host and promote their site on search engines". In fact, they have published a case-study on ICICI on their website. (Don't want to name the company. If you are interested, run a whois on any of the above domain names. All websites are hosted on the same ip address, by the same marketing company)

Why is the marketing company promoting these look-alike domains? Perhaps they are routing the customer details to a direct sales agency rather than the bank. Its easier to create a one-page website rather than integrating with the bank's official website. Or perhaps its some SEO trick; the look-alike domain can have pages & keywords that are seo friendly.

Apart from the privacy concerns, this is actually a larger issue - the banks are promoting phishing. A phisher could easily take up another domain like icicibank-personal-loans.com (available at the time of writing) and use it to steal personal information. How is the average internet user going to figure out its a fake?

Banks should take phishing a bit more seriously. On one hand they run campaigns "Don't enter personal information unless its https and the url reads icicibank". And on the other, they advertise and market look-alike websites to generate leads. Its plain double standards.

Times of India & the Fake Google Article

If you have come to this page reading about Google's cool new features, relax. You have fallen prey to Google's April Fool Pranks. Every year since 2000, Google has announced various pranks on April 1st. I just researched them and made a fictitious story around it.

But how did it show up in Times Of India?
That's the purpose of this article.

Cross Site Scripting & TOI
Cross Site Scripting, or XSS, is a vulnerability that allows an attacker to introduce malicious javascript or html code into a webpage. The wikipedia article on XSS, the OWASP website, and the XSS Cheat Sheet by R Snake are excellent places to learn more about this menace.

The Times of India website has XSS vulnerabilities all over the place, making it trivial to find a loophole. So, to make the fake article, I just exploited a vulnerability to inject an IFrame into the source. The Iframe points to this page, which is hosted on 530geeks.com. To the end user, of course, it looks like Times Of India is hosting the article.

Someone with malicious intents can do much worse things. They could write an article in Times of India saying IPhones have become cheaper in India, then link to Indiatimes Shopping website (which also has XSS), and ultimately steal your credit card number. Or they could steal your credentials and gain access to your indiatimes email.

So what is Indiatimes doing about it?
Unfortunately, nothing.
I tried to contact Indiatimes and Times of India several times via their 'Contact Us' Page, and via emails. For the past 20 days, I have been waiting for a response, but haven't heard anything from them.

Hopefully, if all of us write to them, they will start fixing these bugs.

Thanks for reading!

Security Review of indiatimes, rediff, in.com and sify

I recently did some investigation on the security of some popular web portals - indiatimes.com, rediff.com, in.com and sify.com. Each of these portals provide free email, and according to Alexa and Vizisense, have a lot of users. So naturally, web security should be a big concern for them.

To my surprise, none of these websites seem to care about user security. There are many loopholes on their websites, and I am surprised there haven't yet been reports of attacks on these sites.

I. Cross Site Scripting
Cross Site Scripting (aka XSS) occurs when an attacker is able to insert javascript code into a webpage by providing special input sequences. The attacker can exploit this vulnerability to steal personal information from your account.

To exploit this vulnerability, an attacker carefully constructs a url and sends it to the victim via an email, or a social networking website. Once the victim clicks the link, his session information is made available to the attacker. At this point, its as if the victim logged into the website and gave it to the attacker.

Each of the 4 websites has XSS vulnerabilities on almost every page. If these websites have to prevent XSS, they have to pretty much revisit every page on their website and make changes. Daunting task, to say the least.

II. Update Password & Password Recovery
Assume you forget to signout from email, and your colleague uses your computer and gets into your account. Or assume that an attacker somehow got access to your session using the XSS trick mentioned above. Should they be allowed to reset your password, or worse, shown your current password?

Definitely Not. All sensitive pages must require the user to re-enter the password. That's a basic tenet. Thats why bank websites require you to enter a separate transaction password before transferring money. Unfortunately, all portals (other than rediff.com) violate this in some way or the other.

Indiatimes doesn't let you change the password without asking for your current password. But your colleague can always perform the following operations -

1. Change the security question and answer
2. Logout and click on "Forgot Password"
3. Enter the security question and answer
4. View the current password
   
5. Login again (she now has the password), and reset the security question and answer to previous values.

Sify.com is a little better. When you try to change your password, it asks you for your current password OR your security answer. But, the security answer is present in the HTML source, so your colleague can just read the answer and update your password. The only good thing is that she won't know your current password, so you will figure out something is wrong the next time you try to login (by which time its already too late).

With In.com, your colleague can update the secondary email address , and then reset the password via the 'Forgot Your Password' flow. Similar to sify, your current password is not compromised.

Rediff.com requires you to enter password on all sensitive screens, and so your password cannot be reset or compromised.

III. Remember Me Functionality
"Remember Me" functionality allows your session to remain active for extended periods of time, usually till you log out. In order for this to work, websites store a random key in a persistent cookie. This random key identifies the user, but is cryptographically strong making it impossible for attackers to guess the token.

Rather than using such tokens, Indiatimes directly stores the user name and password in the persistent cookie. Anyone monitoring the http traffic can see your credentials. And anybody who knows to read cookies from a browser, or who knows a little about XSS can get the credentials.

Other portals, thankfully, don't have these problems

IV. SQL Injection
SQL Injection is best explained by the following comic (from xkcd.com)


An attacker enters special characters in various input fields on the website, and they are treated as commands by the underlying database. It is an easy way to steal information, or delete critical information from the database. Very dangerous if such a vulnerability exists, but very easy to prevent.

Sify.com has a pretty serious SQL Injection Vulnerability. To make things easier for the attacker, the SQL query that is executed is actually printed in the underlying HTML. For obvious reasons, I can't disclose the specific page that has this vulnerability.

Other websites may or may not have SQL Injection vulnerabilities, I just didn't do a thorough analysis.

V. Using One-Way Hashes to store passwords
The first rule to storing sensitive information is simple - don't store it at all. Passwords and password recovery answers fall in this category. It is never advisable to store passwords in the database. Instead, the salted hash of the password should be stored in the database.

Indiatimes doesn't use this technique. It stores the passwords (perhaps in cleartext?) in its database, and even emails them back to you if you request it to do so. This means any indiatimes employee, contractor or vendor can read your credentials. It means if the database is compromised, every user in the system will have his account compromised. And because most users reuse their passwords, other accounts are likely to be compromised as well.

Other websites don't seem to store the passwords, but there is no way to be sure of that unless you work for them . We just know they don't send back the original password.

VI. Cross Site Request Forgery
Cross Site Request Forgery, or XSRF, allows an attacker website to issue commands to another website from the users browser. To the target website, the commands seem to come from the user himself, making this attack very difficult to identify.

XSRF is a pretty serious threat, but unfortunately there is no way to fix it without first fixing XSS holes. In fact, if a website has XSS vulnerabilities, an attacker doesn't have to bother about using XSRF.

Neverthless, all 4 websites have XSRF vulnerabilities.

What can I do?
As a user -

1. Don't store any important information on these portals. This means you shouldn't use their emails for any business or official work.
2. When you are logged on to these websites, do not click on any ads or links that come in an email. Also, avoid visiting other websites, especially random ones that appear in a search result.
3. After use, immediately log out and clear your browser cookies.
   
4. Finally, send emails or feedback to the developers of these portals. If enough number of people complain, I guess they will start fixing these issues.

As a developer -

• Familiarize yourself with the various web security threats. The OWASP website is a great place to get started. You may want to go through the developer guide, and the OWASP Top Ten.
  
• If you work with any on these web portals, feel free to contact me so that I can provide additional details on these vulnerabilities. For obvious reasons, these cannot be shared publicly.

Thanks for reading!
Sripathi Krishnan