Watch Out For Suspicious Links
As part of our recent research on CSRF attacks, Russ McRee found a vulnerability in the Linksys WRT160N router. Sadly, this wasn't a huge shock to us, but what was surprising was the response from Linksys:
We can't reasonably prevent CSRFs without bogging down our code. The compromise we had made here is to have a timeout on the web interface, so users are logged out after 10 mins of inactivity. We have also advised users to not click on suspicious links while logged in to the web interface, or close the web interface as soon as they are finished configuring the router.
As ridiculous as the entire response is, I'd like to focus on the "Don't click suspicious links" bit. Most users will click on any link you throw at them, particularly from link-heavy social sites such as Twitter. In fact, if you clicked through to this page from my Twitter post, the page you're currently on should be at "http://skeptikal.org/a_very_suspicious_link."
Why did you click it?
Because you trust me. And you trust Twitter. And you trust my hosting company. And your DNS servers. And my DNS servers. And TinyURL.
I could rant on this topic for a while, but I know I'd be preaching to the choir. Don't trust any links, anywhere. Especially don't trust the ones from TinyURL, bit.ly, or any other URL shortening service. You have no way of knowing whether a site is malicious or not until you load it into your browser. Even then, it's doubtful that you'd ever notice. You're probably not a normal user, but most people wouldn't ever recognize real malware for what it is, especially if it's properly obfuscated.
In theory, a goal of never clicking a malicious link is impossible to achieve. In practice though, many malicious links are fairly easy to recognize if you just look at the URL. This is why sites like TinyURL allow you to preview links before being redirected to them. Earlier today, @OWASP_podcast sent out the following tweet:
http://tinyurl.com/preview.php?enable=1 will force all TinyURLs to appear in preview mode on your machine.
It's a good idea, but this is clearly a URL that modifies user preferences based on GET variables, and I couldn't help noticing that the same preference could be disabled with a bit of CSRF:
<img src="http://tinyurl.com/preview.php?disable=1">

I'd call this a failure on TinyURL's part, but even if you did preview the URL, there's no guarantee the seemingly innocent link won't have malicious content, redirects, cross-site scripting, HTML injection holes, poorly configured DNS, poorly coded Flash files, content ownership problems, compromised FTP accounts or other issues.
Just keep that in mind: previewing a link is a convenience, not a security feature.
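To make the two points above concrete (a preference endpoint that changes state on a GET carrying only a cookie, and why an idle timeout like the one in Linksys's reply does not stop a request that arrives inside the window), here is an added toy model. It is not TinyURL's or Linksys's code; the class, the origin string and the request dicts are constructed for illustration.

```python
import hmac
import secrets
# Added illustration, not TinyURL's or Linksys's code; names are made up.
ORIGIN = "https://tinyurl.example"   # the app's own origin (assumed)


class PreferenceApp:
    def __init__(self, idle_timeout=600):
        self.sessions = {}                 # cookie value -> session state
        self.idle_timeout = idle_timeout   # Linksys-style 10 minute logout

    def login(self, now):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"preview": False, "last_seen": now,
                              "csrf": secrets.token_hex(16)}
        return sid

    def _session(self, cookie, now):
        # Idle timeout; a cross-site <img> request carries the cookie too.
        s = self.sessions.get(cookie)
        if s is None or now - s["last_seen"] > self.idle_timeout:
            return None
        s["last_seen"] = now
        return s

    def _apply(self, s, params):
        if "enable" in params:
            s["preview"] = True
        if "disable" in params:
            s["preview"] = False

    def vulnerable(self, req, now):
        # State change on GET, authenticated by the cookie alone.
        s = self._session(req.get("cookie"), now)
        if s is None:
            return 401
        self._apply(s, req.get("query", {}))
        return 200

    def hardened(self, req, now):
        # Require POST, a same-origin Origin header and a per-session
        # token that a third-party page cannot read.
        s = self._session(req.get("cookie"), now)
        if s is None:
            return 401
        if req.get("method") != "POST" or req.get("origin") != ORIGIN:
            return 403
        form = req.get("form", {})
        if not hmac.compare_digest(form.get("csrf", ""), s["csrf"]):
            return 403
        self._apply(s, form)
        return 200
```

Against the vulnerable handler a request from another site flips the setting at any time inside the ten minute window; the hardened handler refuses it regardless of timing.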
Labels: CSRF, URL Shortening


16 Comments:
@mckt good catch, fixed
By Julien Sobrier, at November 30, 2009 2:06 PM
Thou shall not take the name of http://www.twitter.com/OWASP_podcast in vain?
By Jim Manico, at November 30, 2009 2:06 PM
Just wanted to say I love your blog. You don't hold back any punches when you point out that TinyURL's preview feature can be disabled with CSRF or that Safe.mn is vulnerable to XSS.
Please keep this sort of stuff coming, I think it is the only way to make progress and raise awareness of the current state of security.
By nickhacks, at November 30, 2009 2:06 PM
News Flash: Cross Site Scripting (XSS) is no longer an issue, just don't click on suspicious links.
By Declare.James, at November 30, 2009 2:06 PM
Good point. I read a lot of security blogs and never hesitate to click the link. URL shortening service... different story, those I try to stay away from. Nice article which hits the target well.
By cconniejean, at November 30, 2009 2:06 PM
Wait.. what? XSS in what exactly is no longer an issue? Did your genie come 'round and *POOF* all web apps were protected against XSS? hrm?
By Rob Fuller (mubix), at November 30, 2009 2:06 PM
Or use a secured URL shortener such as Safe.mn (http://safe.mn/) that tests each link extensively for security risks.
By Julien Sobrier, at November 30, 2009 2:06 PM
You mean this one? http://safe.mn/?url=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E
By mckt, at November 30, 2009 2:06 PM