How I Can Steal Your Pics – a.k.a. Some hacking for the non-tech-savvy

A friend of mine shared images with me some time ago from one of their trips. They trusted me enough to share images but not enough to show me a picture of themselves. However, they made a layman’s mistake when it came to sharing, and it becomes part of that long list of reasons why even non-programmers these days should learn a bit about what programming can do and how that seemingly safe site that they regularly visit could readily turn into a booby trap through no fault of their own. Let’s begin: Some hacking for the non-tech savvy.

Templates are rather easy to purchase these days. $19.95 (sounds like a TV ad) will get you a professional-looking, albeit generic-looking site that can be used to advertise malware disguised as freeware and freeware that has been modified to be malware. It’s also possible to make a website from a screenshot of a popular one. I don’t trust anything except when the URL is perfect with what I’m sure is the original source and it comes up as the top result on an internet search query, but while this may mean the download is safe, it doesn’t mean the site hasn’t been hacked.

If you read the news, you’ve probably heard about hacking, and maybe you wonder how come this stuff happens when all this tech has been invented to prevent that. I hate to break it to you, but the site you’re looking at is a fragile, living document, and it’s possible that – assuming there’s a bug – you could hack my website through the comments section.

Basic cracking of sites occurs through input forms and URL bars. That’s it. There are more complicated forms of cracking, but for now we’re interested in what the layman can see. Have you ever visited a website with a search bar and what you searched showed up in the website title? When not considering security, website creators using PHP (you don’t need to know about it – it’s a programming language for making websites) seem to have this tendency of pasting search text back into the return page RAW! What does that mean? Well it turns out that doing this allows you to remake their entire page (assuming they don’t have some limit that prevents how many characters you can type). With the right work, you can put anything in there that you want.

HTML – the language used to design websites – looks static by all appearances, and that’s what you get on the screen: Nothing seems to be moving, or if it does, it’s designed with some animations and gifs and such. The reality is, tons of stuff can go on in the background, and not just Google Analytics. The entire page you are viewing can be modified dynamically. In some ways, you already do this when you go to visit the site. You type in your username and password for login forms, but what you might not know is that such a form isn’t some self-enclosed capsule that magically sends data back to the “website” (server). Instead, it’s a form, and one that could possibly be modified to watch your keystrokes or send your info to a malicious website.

How? Again, suppose the website reproduces your search text in the title and that text also appears in the URL bar:

Title: dog fun

URL: http://www.somesite.com/?search=dog%20fun

In the website source code, the actual output looks like so:

<title>dog fun</title>

Without entering any data into the search field, I could get the title to change just by editing the URL in the URL bar:

URL: http://www.somesite.com/?search=<b>bold%20text</b>

New title: bold text

In the website source code, the HTML would look like so:

<title><b>bold text</b></title>

If there are no limits on the types of characters we can enter, we can enter any HTML tags we want, and thus could “escape” the title and add our own script:

http://www.somesite.com/?search=</title><script>alert(9);</script><title>

(“alert” is a JavaScript function that creates a pop-up.)

The new HTML:

<title></title><script>alert(9);</script><title></title>
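To make the “raw paste” mistake concrete, here is an added example (not code from the original post) of the two ways a server can build that title. The page skeleton, the `search` parameter name and www.somesite.com are stand-ins for the search page described above; the post mentions PHP, but Python is used here only because the output-encoding point is the same in any language. `render_unsafe` reproduces the bug, `render_safe` is the fix, and `title_intact` is the check a site owner could run over a rendered page.

```python
"""Reflected search text in <title>: raw paste versus HTML-escaped output.

Added example, not code from the original post. The page skeleton,
the 'search' parameter name and www.somesite.com are constructed
stand-ins for the search page the post describes.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page skeleton: {title} is the only place visitor text lands.
PAGE_TEMPLATE = (
    "<html><head><title>{title}</title></head>"
    "<body>Results for your search</body></html>"
)


def search_param(url: str) -> str:
    """Extract the decoded 'search' value the way the server would see it."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("search", [""])[0]


def render_unsafe(query: str) -> str:
    """The mistake the post describes: the query is pasted back RAW."""
    return PAGE_TEMPLATE.format(title=query)


def render_safe(query: str) -> str:
    """The fix: escape <, >, & and quotes so the browser reads the text as text."""
    return PAGE_TEMPLATE.format(title=html.escape(query, quote=True))


def title_intact(page: str) -> bool:
    """Defender's check on a rendered page: exactly one <title> element,
    and nothing between its tags that a browser could parse as markup."""
    if page.count("<title>") != 1 or page.count("</title>") != 1:
        return False
    start = page.index("<title>") + len("<title>")
    end = page.index("</title>")
    return "<" not in page[start:end]


if __name__ == "__main__":
    # The two URLs from the post, percent-encoded as a browser would send them.
    for url in (
        "http://www.somesite.com/?search=dog%20fun",
        "http://www.somesite.com/?search=%3Cb%3Ebold%20text%3C/b%3E",
    ):
        q = search_param(url)
        print(repr(q),
              "raw paste keeps title intact:", title_intact(render_unsafe(q)),
              "escaped keeps title intact:", title_intact(render_safe(q)))
```

Escaping at the point of output is the whole fix: the same `</title>` text that breaks out of the element in `render_unsafe` is shown literally in `render_safe`, and a length limit on the search field (which the post mentions) would not have helped, since a working payload is short.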

You may wonder, How could this be used maliciously against a layman like me? After all, if it only affects the web page that I view, someone else doing it won’t hurt me, right?

A little social engineering is part of mastering the craft. We could send the crafted URL inside a text link to other people via email, but if they are clever, they might check the URL source. The alternative is sending them a short link, which disguises the entire URL and prevents them from knowing what’s on the other side. Smart people don’t trust short links, so we should also get one with a preview, as TinyURL allows, and we may need to obfuscate our crafted URL with some slightly more complex JavaScript so it won’t be glaringly obvious what it does.

In short, don’t trust short-links. ANY short links. They are convenient, but unless you know for certain that a friend of yours sent it (and not merely that it came from a friend’s email address, since that could be hacked), don’t click short links.

Back to the Photos

Ok, so what about those photos I talked about? Can you really steal photos? It’s not as difficult as it might seem. Anything that isn’t locked down on the server and protected securely by the mechanisms of the website is publicly available.

A number of people and non-profit organizations tend to organize their websites in such a way as to make everything nicely put into categorical folders that take only some guess-work to figure out if they exist. I’ve accessed indexes of public directories with no web interface while poking away at the URL bar in search of some root page where I could get to everything else, since some sites provide a pretty web page that lists everything. When there is no pretty UI, you get a plain white page listing the files, folders, and pretty much anything else that sits in that folder on the server.

I notice that people have a tendency to not rename their files when they pull them off a camera. This is out of pure laziness. You could name those files almost ANYTHING BUT their original names and it would be safer.

Digital cameras name all their photos in numeric order rather than by date. There are a number of reasons for this that aren’t important for this discussion, but what it does mean is that those photos now all have predictable names.

Getting back to my friend, I noticed that their photos all used the standard DSC format, so I was able to poke around with the URL bar and see a number of other photos that they had not shown me, including images of people – likely including them. I’ve never met the person in real life, but I am concerned for their privacy as much as my own. It bothers me to think we’re so careless when we share information.
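The guessing described in the last two paragraphs leaves a recognisable trace in the web server’s access log: one client walking through DSC numbers in order, often hitting files that do not exist. The following is an added example (not part of the original post) of a check a site owner could run over such a log. The log lines are constructed in the common “combined” format, the IP addresses are documentation addresses, and the thresholds are my own choices.

```python
"""Spot sequential photo-name guessing in a web server access log.

Added example, not part of the original post. The log lines below are
constructed in the common 'combined' format; the IPs are documentation
addresses and the thresholds are arbitrary choices.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Camera-style names with a trailing sequence number (assumption: illustrative prefixes).
CAMERA_FILE_RE = re.compile(
    r"/(?:DSC|DSCN|IMG)[_-]?(\d{3,6})\.(?:jpe?g|png|heic)$", re.IGNORECASE
)

# Constructed sample: one client walks DSC_1000..DSC_1005, one client follows a shared link.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /trips/2023/DSC_1000.JPG HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /trips/2023/DSC_1001.JPG HTTP/1.1" 200 48890 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /trips/2023/DSC_1002.JPG HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:47 +0000] "GET /trips/2023/DSC_1003.JPG HTTP/1.1" 200 50112 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /trips/2023/DSC_1004.JPG HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:53 +0000] "GET /trips/2023/DSC_1005.JPG HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:02:10 +0000] "GET /trips/2023/DSC_1000.JPG HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:14:02:12 +0000] "GET /trips/2023/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return ip, path and status for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m.group("ip"), "path": m.group("path"), "status": int(m.group("status"))}


def longest_consecutive_run(numbers):
    """Length of the longest n, n+1, n+2 ... stretch among the numbers."""
    run = best = 0
    prev = None
    for n in sorted(set(numbers)):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def flag_guessers(lines, min_requests=5, min_misses=3):
    """Clients that fetched many camera-named files and either walked them in
    sequence or hit several that do not exist."""
    per_ip = defaultdict(lambda: {"numbers": [], "misses": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = CAMERA_FILE_RE.search(rec["path"])
        if m is None:
            continue
        info = per_ip[rec["ip"]]
        info["numbers"].append(int(m.group(1)))
        if rec["status"] == 404:
            info["misses"] += 1
    flagged = {}
    for ip, info in per_ip.items():
        run = longest_consecutive_run(info["numbers"])
        if len(info["numbers"]) >= min_requests and (info["misses"] >= min_misses or run >= min_requests):
            flagged[ip] = {"requests": len(info["numbers"]), "misses": info["misses"], "longest_run": run}
    return flagged


if __name__ == "__main__":
    for ip, info in flag_guessers(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The client that was merely sent a link fetches one file and the page around it; the client enumerating fetches a consecutive run and collects 404s for numbers that were never uploaded. Either signal alone is weak, which is why the check requires several requests before it reports anything.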

There are thousands of photos named DSC1000. Literally. Thousands. But the source is important. If you upload photos to Facebook, it changes names, but sharing that photo also implicitly links it back to Facepalm by virtue of its filename. Remember that next time you share photos.
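The advice above is to rename camera files before publishing them. As an added example (not the post author’s code), here is a small script that audits a folder for default camera-style names and renames them to names nobody can guess from their neighbours. The prefix list is illustrative and the 16-byte random stem is my choice; nothing here is specific to any real site.

```python
"""Audit an upload folder for camera-style names and rename them to
unguessable ones.

Added example, not the post author's code. The prefix list is illustrative
and the 16-byte random token is an arbitrary choice.
"""
import os
import re
import secrets
from pathlib import Path

# Default naming schemes from cameras and phones (assumption: not exhaustive).
CAMERA_NAME_RE = re.compile(r"^(?:DSC|DSCN|DSCF|IMG|PICT|MVI)[_-]?\d{3,6}$", re.IGNORECASE)


def looks_like_camera_name(filename: str) -> bool:
    """True for names such as DSC_1000.JPG or IMG_0042.heic."""
    return CAMERA_NAME_RE.match(Path(filename).stem) is not None


def unguessable_name(filename: str, token_bytes: int = 16) -> str:
    """Keep the extension so the file still serves correctly; replace the stem
    with 128 random bits from the OS CSPRNG, so neighbouring files share nothing."""
    return secrets.token_hex(token_bytes) + Path(filename).suffix.lower()


def plan_renames(filenames):
    """Return {old: new} for every predictable name; hand-named files are left alone."""
    existing = set(filenames)
    plan = {}
    for name in filenames:
        if not looks_like_camera_name(name):
            continue
        new = unguessable_name(name)
        while new in existing or new in plan.values():  # collisions are astronomically rare, but cheap to rule out
            new = unguessable_name(name)
        plan[name] = new
    return plan


def apply_renames(folder, plan):
    """Carry out the plan on disk; returns the number of files moved."""
    moved = 0
    for old, new in plan.items():
        os.rename(os.path.join(folder, old), os.path.join(folder, new))
        moved += 1
    return moved


if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--apply"]
    folder = args[0] if args else "."
    plan = plan_renames(os.listdir(folder))
    for old, new in plan.items():
        print(f"{old} -> {new}")
    if "--apply" in sys.argv:
        print("renamed", apply_renames(folder, plan), "files")
```

Run it without `--apply` first to see the plan; keep the printed mapping somewhere private if you later need to know which original went where, because the new names deliberately carry no such information.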

I’ve illustrated this security issue with photos, no pun intended, but this applies to other things I’ve stumbled upon over the years.

Conclusion

One of the big take-aways from this is that there is a lot of power in the URL bar. If you follow the beaten path, it’s all supposed to work magically. The reality is, software is designed by humans, and we have a way of lousing up safety just getting it to work.

Second, don’t dismiss the hacks you read in the news as garbled computer lingo, too complex for the layman. The “magic” can get a little tricky, but the real key is the inspiration that you don’t need to confine yourself to expectation because the rules are less restrictive than that, and that is where hacking begins. Not that I want you to go cracking websites, but I do want you to know it doesn’t take an expert to steal your data. It takes an expert to make a safe website.

(In case you’re wondering about the safety of popular websites, I’ve read that there are browser addons that can hack Amazon.com, so being a big name doesn’t make it safe.)

About chronologicaldot

Just a Christ-centered, train-loving, computer geek.
This entry was posted in tech news and opinions, web design.

2 Responses to How I Can Steal Your Pics – a.k.a. Some hacking for the non-tech-savvy

  1. codeinfig says:

    as you say, one of the reasons that people should learn to code is so that they realize there are very basic mechanisms behind this stuff, rather than magic.

    despite the fact that ive tried to make my language extremely easy to teach (removing anything that i consider superficial or unnecessary) it still exists to teach basic (read: vital) concepts behind code, rather than abstracting everything into magic. in other words, it wasnt designed to make people think “oh wow, computers are amazing!” thats fine– getting people interested is good, but it was actually designed so that people would be able to say “hey, i kind of understand how this stuff works.” im not sure if this helps or not:

    i really take issue with throwing “mechanical” under the bus, like everything has to be somehow “organic” to be appreciated by a child, or a girl. im pretty sure this is a better approach: https://www.youtube.com/watch?v=AQJU6ehn6-s

    im not anti-drag-and-drop. its an ok introduction, and i have never believed that old chestnut that if you start with the wrong tool, it will forever taint the learning of the person that learns to use it. the thing about code (actual code) though, is that you can change (or manipulate) one line of text and that can change so many things. you can actually learn that (by performing it) in drag-and-drop code, but if you actually type code, youll learn it faster and more naturally– you will realize sooner that urls are an abstraction that can be tinkered with, not just an instruction or label. it will be more obvious, because its in everything you do.

    • Agreed. I was interested in GUI-based coding for a while, such as NI’s LabView, but it’s actually rather tedious to do some very basic things. I think it would help if people didn’t call it “coding” but rather “limited program creation”, not to be confused with “creating a software program”. Calling it “coding” makes it sound hip but it’s such a horrible misnomer that people get the idea they are doing the “real thing” – that is, creating a program like any other. “Real programming languages” (as they are sometimes called) put the control of the machine in your hands, not the other way around. JS is sort of half-and-half, but it can be used even within its own box to allow other things to break into the rest of the computer. Adding to this article, I suppose I could talk about how to do just that. In one such exploit, users of a specific thumbnail updater (on Linux or Windows? I forget) could be exploited by using Chrome and simply passing by the search result of a malicious site. Chrome auto-downloads image thumbnails for certain things (such as on the Google search page), so a malicious site could post an image that, after Chrome auto-downloads it, is then examined by the thumbnail updater, which is then consequently hacked. I forget where I read about the exploit, but it does go to show how browsers do a number of silent things (esp. for the sake of convenience and “speed”) that hackers can exploit.