Slashdot Mirror


Genius' Web Annotations Undermined Web Security (theverge.com)

New reader BradyDale shares an article on the Verge: Until early May, when The Verge confidentially disclosed the results of my independent security tests, the "web annotator" service provided by the tech startup Genius had been routinely undermining a web browser security mechanism. The web annotator is a tool which essentially republishes web pages in order to let Genius users leave comments on specific passages. In the process of republishing, those annotated pages would be stripped of an optional security feature called the Content Security Policy, which was sometimes provided by the original version of the page. This meant that anyone who viewed a page with annotations enabled was potentially vulnerable to security exploits that would have been blocked by the original site. Though no specific victims have been identified, the potential scope of this bug was broad: it was applied to all Genius users, undermined any site with a Content Security Policy, and re-enabled all blocked JavaScript code.

Vijith Assar dives deep into how Genius did this: The primary way Genius annotations are accessed on the web is by adding "genius.it" in front of any URL as a prefix. The genius.it server reads the original content behind the scenes, adds the annotations, and delivers the hybrid content. The Genius version of the page includes a few extra scripts and highlighted passages, but until recently it also eliminated the original page's Content Security Policy. The Content Security Policy is an optional set of instructions encoded in the header of the HTTP connection which tells browsers exactly which sites and servers should be considered safe -- any code which isn't from one of those sites can then be ignored.
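As an added illustration (not the Verge article's analysis or Genius' own code), a small Python model of the two proxy behaviours the summary contrasts: dropping the origin page's Content-Security-Policy header outright versus carrying it through with only the annotator's own origin added to the directives its injected code needs, plus a check that flags a proxied response whose policy was stripped or reduced. The annotator origin `https://annotator.example` and the sample headers are constructed.

```python
"""Added example (not the Verge article's or Genius' code): carry an origin
page's CSP through an annotating proxy instead of dropping it, and detect it."""

ANNOTATOR_ORIGIN = "https://annotator.example"  # hypothetical annotator host
CSP = "Content-Security-Policy"

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def serialize_csp(policy):
    return "; ".join(f"{k} {' '.join(v)}".rstrip() for k, v in policy.items())

def strip_csp(origin_headers):
    """The behaviour the article describes: the header is simply dropped, so
    everything the origin blocked becomes loadable again on the proxied page."""
    return {k: v for k, v in origin_headers.items() if k != CSP}

def merge_csp(origin_headers, annotator=ANNOTATOR_ORIGIN):
    """Keep the origin's policy; allow-list the annotator only where its injected code needs it."""
    headers = dict(origin_headers)
    if CSP not in headers:
        return headers
    policy = parse_csp(headers[CSP])
    for directive in ("script-src", "style-src"):
        # Browsers fall back to default-src when a fetch directive is absent; 'none' cannot be combined with a host.
        sources = [s for s in policy.get(directive, policy.get("default-src", []))
                   if s != "'none'"]
        if annotator not in sources:
            sources.append(annotator)
        policy[directive] = sources
    headers[CSP] = serialize_csp(policy)
    return headers

def csp_weakened(origin_headers, proxied_headers):
    """Return why the proxied response is weaker than the origin's, or None."""
    orig, prox = origin_headers.get(CSP), proxied_headers.get(CSP)
    if orig and not prox:
        return "Content-Security-Policy header stripped"
    missing = set(parse_csp(orig)) - set(parse_csp(prox)) if orig else set()
    return "directives dropped: " + ", ".join(sorted(missing)) if missing else None

# Constructed sample response headers standing in for an origin site.
ORIGIN_HEADERS = {"Content-Type": "text/html", CSP: "default-src 'self'; script-src 'self' https://cdn.example; frame-ancestors 'none'"}
```

Note that `merge_csp` leaves `frame-ancestors 'none'` and every other directive untouched; only the two fetch directives the annotator actually needs gain one extra host.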

27 comments

  1. Who cares? by Anonymous Coward · · Score: 0

    How does this affect anyone? I don't use Genius. I don't know anyone who uses Genius. I'm sorry that three people had their web security undermined but how is this a story? I'm sure I'll get censored to -1 for asking this, but it needs an answer. Don't pretend this doesn't exist by modding it down. Give a legitimate answer. But I doubt anyone will do so.

    1. Re:Who cares? by Anonymous Coward · · Score: 1

      1) It has "dives deep" as a verb
      2) Not written by a computer security cracker (saltine variety)
      3) Condescending explanation of a security feature the author only vaguely understands

      This has front page slashdot written all over it.

  2. Easy fix: continue to ignore genius.it by xxxJonBoyxxx · · Score: 3, Funny

    Easy fix: continue to ignore genius.it. Or just put "sh" in front of the "it" to get a better result.

    1. Re:Easy fix: continue to ignore genius.it by __aaclcg7560 · · Score: 2

      Replace Genius with a shell script (# /bin/sh)? That's very brilliant. NOT!

  3. Isn't this necessary for the way their site works? by MatthiasF · · Score: 5, Interesting

    They are not keeping a copy of the webpage on their servers, merely playing man-in-the-middle by creating the link to the page, opening it in the user's browser and applying their own data (highlighting) into the HTML using their own scripts.

    Which is exactly what CSP is supposed to stop (not allowing third-party sites to run unauthorized cross-domain scripts).

    So, isn't the site's concept itself an affront to Content Security Policies? Maybe sites that require strict CSP should just block redirects from Genius.it.

  4. Time travel? by Anonymous Coward · · Score: 0

    This article is from 20 years after 2012 ...

    1. Re:Time travel? by Anonymous Coward · · Score: 0

      Sometimes called 2032.

    2. Re:Time travel? by Anonymous Coward · · Score: 0

      Well done, sir. Well done.

      https://en.wikipedia.org/wiki/Content_Security_Policy
      "The standard, originally named Content Restrictions, was proposed by Robert Hansen in 2004, first implemented in Firefox 4 and quickly picked up by other browsers. Version 1 of the standard was published in 2012 as W3C candidate recommendation and quickly with further versions (Level 2) published in 2014. As of 2015 draft of Level 3 is being developed with the new features being quickly adopted by the web browsers."

  5. First sign you're not a genius by Anonymous Coward · · Score: 0

    You sign up for services that appeal to "Geniuses".

  6. Broader issue of bad proxies (CDNs) in general by raymorris · · Score: 5, Interesting

    Genius may not have enough users to make this a major story. However, MOST users access major CDN networks, which have the same types of problems. So the issue affects everyone; Genius is just a small example.

    One well-known CDN doesn't include the query string in its caching, so when the user requests google.com?q=its+ass the CDN will return the page cached for google.com?q=a+hole+in+the+ground . This CDN literally doesn't know its ass from a hole in the ground.

    The lesson to be (re)learned, I think, is "don't write an http proxy without reading and following the http RFC on proxies". Most of the time when people write web proxies, they'd be better off configuring an existing proxy such as squid to do whatever they want to do. Squid will take care of doing the right thing for an http proxy, then add whatever function you want your proxy to do. If you absolutely must write your own http proxy, read and follow the RFC.
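The caching mix-up raymorris describes, as an added example that is not his code or any named CDN's: a cache keyed on scheme, host and path alone returns the first cached page to every later request for that path, while a key built from the full request URI (query string included, as the HTTP caching RFC defines the cache key) keeps the responses apart. The origin function and URLs are constructed.

```python
"""Added example (not from the comment above or any real CDN): a cache key
that ignores the query string serves one user's cached page to another."""
from urllib.parse import parse_qsl, urlsplit

def key_ignoring_query(url):
    """The broken scheme: scheme, host and path only; ?q=... is discarded."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.lower()}{p.path or '/'}"

def key_with_query(url):
    """Key on the full request URI; the query is part of the resource identity."""
    base = key_ignoring_query(url)
    query = urlsplit(url).query
    return f"{base}?{query}" if query else base

class Cache:
    """Minimal forward cache: misses are filled from `origin(url)`."""
    def __init__(self, key_fn, origin):
        self.key_fn, self.origin, self.store = key_fn, origin, {}

    def get(self, url):
        key = self.key_fn(url)
        if key not in self.store:          # miss: fetch from origin and remember it
            self.store[key] = self.origin(url)
        return self.store[key]

def fake_origin(url):
    """Constructed origin whose body echoes the q= parameter so mix-ups show."""
    return "results for " + dict(parse_qsl(urlsplit(url).query)).get("q", "<none>")

def served(key_fn):
    """Return what two users asking different questions actually receive."""
    cache = Cache(key_fn, fake_origin)
    first = cache.get("https://search.example/?q=first")
    second = cache.get("https://search.example/?q=second")
    return first, second, len(cache.store)
```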

  7. Sorry, can't help myself. by jratcliffe · · Score: 0

    Title should be "Genius's Web Annotations." "Genius'" would only be correct if "genius" were a plural. Singular nouns that end in s get an "apostrophe s" after them to indicate the possessive. /pedant

    1. Re:Sorry, can't help myself. by Anubis+IV · · Score: 1

      "Genius'" would only be correct if "genius" were a plural.

      Not so. "Genius" is the name of the company offering web annotations. When dealing with proper nouns, either approach is considered to be grammatically correct (e.g. "James' peach" or "James's peach"), so it's left as a matter for the style guides to decide. The most common form in newspapers and other print is to drop the "s", which shouldn't come as a surprise given that they tend to drop optional characters (e.g. Oxford/serial comma) in the interest of saving ink/space. Unlike the Oxford comma, however, nothing is gained by the inclusion of the "s", so I see little point in its use.

    2. Re:Sorry, can't help myself. by The-Ixian · · Score: 3, Funny

      bam! out pedanted!

      --
      My eyes reflect the stars and a smile lights up my face.

    3. Re:Sorry, can't help myself. by Anubis+IV · · Score: 1

      I'm just waiting for (and welcome!) the inevitable correction to the grammar I used in that post. ;)

    4. Re:Sorry, can't help myself. by Anonymous Coward · · Score: 0

      citation? I've learned that the final s is required for singular proper noun possessives.

    5. Re: Sorry, can't help myself. by Anonymous Coward · · Score: 0

      Lots of things are "considered" correct by someone, but that doesn't mean they are.

    6. Re:Sorry, can't help myself. by Anubis+IV · · Score: 1

      I just got done typing up a nice, long response with links, quotes, explanations, and details...and then I hit Refresh and lost it.

      So, here are some of the links. I've provided a super quick summary of what you can take away from them.

      Either is acceptable: http://www.grammarbook.com/pun...
      Either is acceptable: https://owl.english.purdue.edu...
      The Associated Press and Chicago handle it differently: http://www.apvschicago.com/201...
      Strunk says keep the "s" unless dealing with ancient names: http://www.bartleby.com/141/st...
      Others care more about sibilance: https://en.wikipedia.org/wiki/...

      You'll find plenty of adherents to each of those approaches. Which is to say, it's a matter of style, not correctness, with various groups recommending various styles. Your way is a safe way to go, and there's nothing wrong with it. Others prefer to ditch characters that are viewed as unnecessary or that can create awkward phrasings.

    7. Re: Sorry, can't help myself. by Anubis+IV · · Score: 1

      Quite true. Even so, the implication of your post seems to be that only the form with the "s" is correct. In response, I'll point out that Strunk (of The Elements of Style fame), the Associated Press, the Chicago Manual of Style, The Guardian, and a number of other publications have no problem dropping the "s" under certain circumstances. The conditions under which they do so differ (e.g. all proper names, ancient proper names, sibilant words, adjacent sibilance, etc.), but that's exactly the point I was making: it's a matter of style, not grammar. That's why almost every style guide addresses the topic at some point.

    8. Re:Sorry, can't help myself. by epine · · Score: 1

      +1 ironic subject line

      On the other hand, you did remind me of the biggest belly laugh I've ever had reading a grammar book.

      From A Handbook of Good English by Edward D. Johnson.

      Mary's and John's behavior at the office party was disgraceful is correct if the two misbehaved separately; Mary and John's behaviour is correct if they misbehaved together.

      So, yes, I guess I'm an easy mark and, yes, eye contact matters.

      This is one of many fine books you might consider owning if you someday decide to do something about that abject subject line. Section 2-29, pp. 173–180 in my edition. Guaranteed to cure off-the-cuff pedantry in record time.

  8. scam alert by Anonymous Coward · · Score: 0

    infojobs.com.br claims to be hiring high-profile users, but it's a bunch of trolls trying to sell premium accounts, using reverse psychology to frighten the users. Whose country would hire special operators, like NSA shit stuff, through a PHP website?

  9. Welcome back to 1998 by Anonymous Coward · · Score: 0

    There was a company who did the same in 1998-ish.. can’t remember the name.. Went belly up with the rest of the shitty tech-bubble companies..

  10. Next Gen Thought Leaders! by IMightB · · Score: 1

    Obviously, this is some serious web 3.0 shit

    1. Re:Next Gen Thought Leaders! by Areyoukiddingme · · Score: 2

      Obviously, this is some serious web 3.0 shit

      Oh yeah. From 2009. It was called Google SideWiki, and nobody cared then either. Lasted 2 years.

  11. Sounds more like security theatre by Anonymous Coward · · Score: 0

    This sounds more like security theatre if I understand this right. The browser shouldn't trust any site, period. Accessing site X shouldn't be any more or less dangerous than accessing site Y. If either X or Y can do something malicious to your computer then the problem is with your computer, not the site. Unless we're talking about something like a user visiting site Y through site Z and Z passes data to site Y insecurely. The problem there, though, seems as though it is with the end user. If site Z is controlled by site Y, though, then I can see the issue. If you're using some third-party site (Z) to access site Y (like via a proxy) then the issue is with the third-party site or your use of that product thereof.

  12. sounds like my PhD work from 10+ years ago by IRGlover · · Score: 3, Interesting

    I wrote a PhD on this technique as a way to support collaborative learning by allowing third-party annotation sharing: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.431525

    In essence, the only way to do this without storing a copy of the original page (which has merit, but is challenging legally and in terms of disk space), is to store the annotations, pull in the page and then merge the annotations and send the output to the viewer. So it is basically acting as a proxy, but means that there are potential issues with orphaned annotations - the more dynamic nature of the web today would cause real problems in getting any kind of consistent output for two different people, or even for the same person at different times. I have to admit, I was looking at the educational side of things and so the security issues were less of a consideration, but things like the injection of malicious code, invisible amendments (e.g. censorship) to the underlying text, etc. were all pretty obvious.

    Anyway, the technique itself was far from novel when I started working on my PhD, but given the continued citations to papers that I published back (https://scholar.google.co.uk/citations?user=KK_EFSUAAAAJ&hl=en) then it seems to still be an area of active research.

  13. What is vulnerable? by noda132 · · Score: 1

    A "vulnerability" implies that there is a problem that makes somebody vulnerable to something. Who is vulnerable to what in this case?

    Here's what won't happen: you won't give your login credentials to a third party. That's because your browser won't read any cookies from the original site, and Genius prevents you from typing into web forms.

    The author uses technical language without talking about what people do, how people interact, and what people care about. Instead, there's much ado about a variable called "clickjacker" -- eliding the fact that www.theverge.com installs a slew of clickjackers of its own. Is Genius evil because of a variable name?

    Let's find out how Genius' CSP changes can affect human beings, THEN write 3,000 words about it.

  14. Bullshit news by allo · · Score: 1

    So they strip tags, which would prevent their copy from loading content like images from the original server? So what? That's needed for operation. And I guess nobody would actually annotate their online banking or webmail pages.