Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacking Web Services

Posted by Hemos on from the getting-it-work dept.

siduri writes "Udi Manber, chief scientist at Yahoo!, gave a great talk on the kinds of hacks that Yahoo sees at the IEEE's Symposium on Security and Privacy. I wrote an overview of his talk for Dr. Dobb's Journal. While some of the message is well-known stuff (like that people will spend a lot of time hacking the most trivial things), the details of what Yahoo has to deal with are really pretty interesting."

7 of 226 comments (clear)

  1. Access To Manber's Paper...And More by cybrpnk2 · · Score: 4, Informative

    The IEEE Symposium on Security and Privacy is one of the longest-running forums on this topic and is well worth being aware of. The papers for the 2002 session are on CD-ROM; so is a compilation of those from 1980-1999...

  2. Yahoo's problems... by Jace+of+Fuse! · · Score: 5, Informative

    Yahoo's problems are massive, and I think it's good that at least SOME people at Yahoo realize it, even though I'm still not convinced they are aware of the full scale of the problem.

    After all, if you chat with Yahoo's service, you're eventually going to be booted off by another user. Some of the methods users use to exploit the system and kick off other users are clever, some are not so clever.

    One method involves running a program easily downloaded off of the internet and typing in the desired victims name. It's your basic "Punter". Some of the programs available are effective at removing users of Yahoo's Messenger, while a few of the more recent ones do a good job taking out users who use 3rd party Yahoo clients, or even Yahoo's web-based Java client.

    These methods of exploitation are half-way understandable, though I don't see why Yahoo hasn't worked to block the attacks in the same way that AOL has with AIM.

    The other method, plain old boot-text, is simply unacceptable.

    If I were chatting with someone using Yahoo Messenger and they annoyed me, all I would have to do is send them a single URL with an unrealistically long domain name in it, and their Yahoo Messenger will crash. A URL such as www.xxxxx.com with about 400 to 500 X's in the name will work nicely.

    It's a relatively simple matter for the end user to set up a personal word-filter on their messenger and block out all occurences of "www." which effectively makes them invulnerable to this attack, but that is not the issue. The issue is, that if Yahoo has such easily exploitable end-user software, I'm very worried about the quality of their security as a whole.

    Think about it.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.
  3. Reverse authentication by Erasmus+Darwin · · Score: 4, Informative
    It's a shame his reverse authentication idea will never take off. I've actually wished there were something already available along these lines. As it currently stands, email addresses are a dime a dozen, IP addresses can change every few minutes (for dialup and DSL users, at least), and proxies allow a user to avoid even a broad IP range block.

    So it would be a great boon to web services if there were a way to somehow have a way of confirming that a person hasn't already signed up for a service. It'd allow many boards to weed-out their troll population while maintaining an open sign-up. On one forum I was on, the problem was so bad that registration was completely closed then later moved to a pay-only model.

    The problem is that I can't see any way to do it without compromising the identities of the people. For example, I don't see a problem with Slashdot knowing that 'Erasmus Darwin' is my only Slashdot account, but I don't want to create a system where they could theoretically share records with another entity and use that to determine my identity there. Perhaps the identity token I provide to Slashdot could be some sort of one-way hash of my identity combined with '@slashdot.org', thereby limiting it to a single area.

    One downside of this system is that a government-type institution with a search warrant could use my secret identity information to reproduce my Slashdot token and verify my identity. I don't see any way to prevent the identification from somehow serving to find-out who I am. Still, that theoretically pushes the identification process off to a similar level of difficulty to tracing the user's IP (i.e. Slashdot couldn't do it on its own). Thus, if we pretend that no one uses anonymizing web proxies, it's the same level of anonymity.

    Also, there'd be a problem of issuing the secret identity keys. Presumably, this would be handled by the companies that already do encryption/security certificates. That means there'd be a cost associated with such keys, which would turn away a number of people. If only a small percentage of people fork over the $XX/year for a personal identity certificate, most sites won't be able to require their use for signup. Furthermore, it'd be difficult for the issuing agency to verify the uniqueness of each request, especially when we consider that this would have an international audience. I also wouldn't be surprised if some of the countries that have whored out their ccTLDs decided to also start selling their equivilent of SSNs to people interested in extra identities.

    Finally, there'd be the issue of identity theft. Having a single, computer-based identity key would be a very tempting target for various malicious programs. If I were an evil spammer type and such an identity system were in place, I'd definitely try and steal as many identities as possible for sign up use.

  4. Re:i am a penny-stealer by Fulcrum+of+Evil · · Score: 4, Informative

    In the case of E-Bay and user lockout, there is no exact solution

    In this case, a lockout that is specific to remote address or address block might be useful. Add in some checks for stuff like AOL (different IP each connect and a pile of users) and dialup blocks (lockout a class C network for that login to frustrate redial attempts) and keep stats on where a user comes from (repeated attempts from a commonly used net block may be treated more leniently and trigger an email to the user's registered address, whereas an unusual address generates a longer lockout and no email to the user).

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  5. Re:Sleezy Yahoo Business Practices by Anonymous Coward · · Score: 4, Informative

    Your claims are pretty slanderous, and you don't have much to back them up.

    For one, it looks like Yahoo did not even implement their own system. If you look right below the word prompt, you can see they're basically using Captcha developed at Carnegie Mellon.

    Are you saying CMU stole for you as well?

    Is it possible that others came up with similar, if not better, systems, and they used them instead?

  6. Re:Terminology by Tony-A · · Score: 3, Informative

    Why on earth does this guy call "violating security" of web services "hacking?"
    Because it's so much easier than actually fixing anything.

  7. Re:The last quote interests me... by Reziac · · Score: 3, Informative

    My business relies on people finding my website, then emailing me directly. NONE of my prospective clients would try again if they got a "who are you?" message back that they then had to do something special to reply to so I would see their message.

    Yesterday I was on the wrong end of such a bot myself. I emailed the owner of some linux-related site, and got back an autoresponse that informed me I had to reply with a certain string in the subject to get past the spam killer. So I did -- and got an automated "rejection" message. Will I try again? No. If the guy is that friggin' paranoid, to hell with his product.

    --
    ~REZ~ #43301. Who'd fake being me anyway?