A friend of mine shared images with me some time ago from one of their trips. They trusted me enough to share images but not enough to show me a picture of themselves. However, they made a layman’s mistake when it came to sharing, and it becomes part of that long list of reasons why even non-programmers these days should learn a bit about what programming can do and how that seemingly safe site that they regularly visit could readily turn into a booby trap through no fault of their own. Let’s begin: Some hacking for the non-tech savvy.
Templates are rather easy to purchase these days. $19.95 (sounds like a TV ad) will get you a professional-looking, albeit generic-looking, site that can be used to advertise malware disguised as freeware, or freeware that has been modified into malware. It’s also possible to make a website from a screenshot of a popular one. I don’t trust a download unless the URL exactly matches what I’m sure is the original source and it comes up as the top result on an internet search query, but while this may mean the download is safe, it doesn’t mean the site hasn’t been hacked.
If you read the news, you’ve probably heard about hacking, and maybe you wonder how come this stuff happens when all this tech has been invented to prevent that. I hate to break it to you, but the site you’re looking at is a fragile, living document, and it’s possible that – assuming there’s a bug – you could hack my website through the comments section.
Basic cracking of sites occurs through input forms and URL bars. That’s it. There are more complicated forms of cracking, but for now we’re interested in what the layman can see. Have you ever visited a website with a search bar and what you searched showed up in the website title? When not considering security, website creators using PHP (you don’t need to know about it – it’s a programming language for making websites) seem to have this tendency of pasting search text back into the return page RAW! What does that mean? Well it turns out that doing this allows you to remake their entire page (assuming they don’t have some limit that prevents how many characters you can type). With the right work, you can put anything in there that you want.
HTML – the language used to design websites – looks static by all appearances, and that’s what you get on the screen: nothing seems to be moving, or if it does, it’s designed with some animations and gifs and such. The reality is, tons of stuff can go on in the background, and not just Google Analytics. The entire page you are viewing can be modified dynamically. In some ways, you already do this when you go to visit the site. You type in your username and password for login forms, but what you might not know is that such a form isn’t some self-enclosed capsule that magically sends data back to the “website” (server). Instead, it’s a form, and one that could possibly be modified to watch your keystrokes or send your info to a malicious website.
How? Again, suppose the website reproduces your search text in the title and that text also appears in the URL bar:
Title: dog fun
URL: http://www.somesite.com/?search=dog%20fun
In the website source code, the actual output looks like so:
Without entering any data into the search field, I could get the title to change just by editing the URL bar:
URL: http://www.somesite.com/?search=<b>bold%20text</b>
New title: bold text
In the website source code, the HTML would look like so:
If there are no limits on the types of characters we can enter, we can enter any HTML tags we want, and thus could “escape” the title and add our own script:
The new HTML:
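As an added illustration (this is not the post’s own snippet, and the site name is the post’s placeholder), the Python below models the two ways a page can build its title from the search parameter: pasting it back raw, as the post describes, and escaping it the way PHP’s htmlspecialchars() does, which turns the tags into harmless text. The reflects_markup check is an assumed helper a site owner could run against their own page output.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit


def search_term(url):
    # Pull the "search" parameter out of the URL, already %-decoded,
    # which is what the server-side code receives.
    return parse_qs(urlsplit(url).query).get("search", [""])[0]


def title_raw(url):
    # Vulnerable: the search text is pasted straight back into <title>,
    # so any tags the visitor typed become part of the page.
    return f"<title>{search_term(url)}</title>"


def title_escaped(url):
    # Fixed: <, >, &, and quotes become HTML entities before reuse,
    # so "<b>" is displayed as the literal text <b> instead of a tag.
    return f"<title>{escape(search_term(url), quote=True)}</title>"


def reflects_markup(html):
    # Crude self-check for a site owner: did a raw "<" survive inside
    # the title, meaning typed markup is being treated as HTML?
    inner = html[len("<title>"):-len("</title>")]
    return "<" in inner


if __name__ == "__main__":
    for url in (
        "http://www.somesite.com/?search=dog%20fun",
        "http://www.somesite.com/?search=<b>bold%20text</b>",
    ):
        print("raw:    ", title_raw(url), "| markup leaks:", reflects_markup(title_raw(url)))
        print("escaped:", title_escaped(url), "| markup leaks:", reflects_markup(title_escaped(url)))
```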
You may wonder, How could this be used maliciously against a layman like me? After all, if it only affects the web page that I view, someone else doing it won’t hurt me, right?
The catch is that the attacker doesn’t have to type into your browser: they build that URL with their script in the search text and get you to open it, usually hidden behind a shortened link. In short, don’t trust short-links. ANY short links. They are convenient, but unless you know for certain that a friend of yours sent it (and not merely that it came from a friend’s email address, since that could be hacked), don’t click short links.
Back to the Photos
Ok, so what about those photos I talked about? Can you really steal photos? It’s not as difficult as it might seem. Anything that isn’t locked down on the server and protected securely by the mechanisms of the website is publicly available.
A number of people and non-profit organizations tend to organize their websites so that everything is nicely put into categorical folders that take only some guess-work to figure out if they exist. I’ve landed on indexes of public directories with no web interface while poking away at the URL bar in search of some root page from which I could get to everything else, since some sites provide a pretty web page that lists everything. When there is no pretty UI, you get a plain white list of the files, folders, and pretty much anything else that sits in that folder on the server.
I notice that people have a tendency to not rename their files when they pull them off a camera. This is out of pure laziness. You could name those files almost ANYTHING BUT their original names and it would be safer.
Digital cameras name all their photos in numeric order rather than by date. There are a number of reasons for this that aren’t important for this discussion, but what it does mean is that those photos now all have predictable names.
Getting back to my friend, I noticed that their photos all used the standard DSC format, so I was able to poke around with the URL bar and see a number of other photos that they had not shown me, including images of people – likely including them. I’ve never met the person in real life, but I am concerned for their privacy as much as my own. It bothers me to think we’re so careless when we share information.
There are thousands of photos named DSC1000. Literally. Thousands. But the source is important. If you upload photos to Facebook, it changes names, but sharing that photo also implicitly links it back to Facepalm by virtue of its filename. Remember that next time you share photos.
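As an added example (not from the original post), this Python audit does what the post recommends for a folder you are about to share: it flags files that still carry a camera’s running-counter name and proposes a random, unguessable replacement. The list of camera prefixes and the sample filenames are my own constructed assumptions.

```python
import re
import secrets
from pathlib import PurePosixPath

# Assumed set of default camera naming schemes: a fixed prefix followed by a
# running counter, so one known name reveals its neighbours.
CAMERA_NAME = re.compile(r"^(DSC|DSCN|DSC_|IMG_|IMG|PICT|DCIM)\d{4,}$", re.IGNORECASE)


def is_predictable(filename):
    """True when the name (without extension) follows a camera counter scheme."""
    return bool(CAMERA_NAME.match(PurePosixPath(filename).stem))


def unguessable_name(filename, nbytes=12):
    """Random URL-safe name; the extension is kept (lower-cased) so the file still opens."""
    return secrets.token_urlsafe(nbytes) + PurePosixPath(filename).suffix.lower()


def audit(filenames):
    """Return (flagged, rename_map): names an outsider could enumerate from one
    shared link, and a fresh random replacement for each of them."""
    flagged = [f for f in filenames if is_predictable(f)]
    rename_map = {}
    used = set(filenames)
    for f in flagged:
        new = unguessable_name(f)
        while new in used:          # vanishingly rare, but never overwrite a file
            new = unguessable_name(f)
        used.add(new)
        rename_map[f] = new
    return flagged, rename_map


if __name__ == "__main__":
    # Constructed sample of a "shared trip photos" folder.
    sample = ["DSC1000.JPG", "DSC1001.jpg", "IMG_4201.jpeg", "family-bbq.jpg", "notes.txt"]
    flagged, renames = audit(sample)
    for old in flagged:
        print(f"{old} -> {renames[old]}")
```

Apply the rename map with your file manager or a script, and keep the map if you need to know which original each shared file was.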
I’ve illustrated this security issue with photos, no pun intended, but this applies to other things I’ve stumbled upon over the years.
One of the big take-aways from this is that there is a lot of power in the URL bar. If you follow the beaten path, it’s all supposed to work magically. The reality is, software is designed by humans, and we have a way of lousing up safety just getting it to work.
Second, don’t dismiss the hacks you read in the news as garbled computer lingo, too complex for the layman. The “magic” can get a little tricky, but the real key is the inspiration that you don’t need to confine yourself to expectation, because the rules are less restrictive than that, and that is where hacking begins. Not that I want you to go cracking websites, but I do want you to know it doesn’t take an expert to steal your data. It takes an expert to make a safe website.
(In case you’re wondering about the safety of popular websites, I’ve read that there are browser addons that can hack Amazon.com, so being a big name doesn’t make it safe.)