Skeptikal.org

Wednesday, December 2, 2009

Today's Bad Idea: MyMoney

Warning: This post makes heavy use of a cutting-edge rhetorical device known as "sarcasm." If your brain has a defective superior frontal gyrus, please consult your doctor before continuing.

I'm a heavy Facebook user, and most of my friends are too. I love it! Facebook is like an online portal to my social life. It also has a convenient platform for including third-party applications, so I can not only communicate with my friends: I can also play online poker, have (simulated) gang wars, and send fun quizzes to them. Awesome!

The only thing I was really missing was the ability to manage my finances from my Facebook page. It drives me insane to have to fire up a separate web browser, navigate to my bank's website, type in a username and a password and punch in those frustrating digits from my hardware token. That's just too much work. If I had my way, I'd have a running counter of my net worth on my Facebook wall, like a villain from a James Bond movie. Bummer!

Imagine how excited I was to receive an email from Etienne Janot, letting me know that the future is here: Fiserv has a product called MyMoney. MyMoney is an application that "enables Facebook users to search for and join a financial institution and manage their funds via the familiar Facebook interface." Sweet!

The video on Fiserv's website really sells it to me: it helps bring the boring world of banking to us fast-paced Gen Y users. Not only that, but (quoting from their website, because I really couldn't make this up) "MyMoney also leverages Facebook's viral marketing opportunities. When Facebook users add MyMoney to their profile, their friends are notified and given the opportunity to add it too, enabling financial institutions to extend their reach, particularly within the Gen Y market." I've always wanted to know who my friends bank with, and now, thanks to MyMoney, I can! Woot!

I know you're thinking this is a bad idea, and are concerned about MyMoney's security. Don't worry, I checked it out. They have "multiple layers of security protecting...data and accounts." The application iframes you into their site (hosted on https://mm.galaxyplus.com). If you forget the URL, they left zone transfers enabled for you, so you can just select from a list of galaxyplus.com subdomains. The iframe's URL has a parameter called "fb_sig_user." If you manipulate this parameter, you get to see the contents of all your friends' accounts (presumably so you can borrow money without all that awkward asking). The only thing I don't like about this application is that they left error reporting on. I don't like seeing those ugly ASP stack traces every time I use an HTML tag as a form parameter. Lol!
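For the non-sarcastic reader: `fb_sig_user` was part of the legacy Facebook Platform canvas request. Facebook appended a set of `fb_sig_*` parameters to the iframe URL along with `fb_sig`, the MD5 of the sorted `key=value` pairs (prefix stripped, concatenated) followed by the application's secret. An application that reads `fb_sig_user` without recomputing `fb_sig` is trusting a client-controlled identifier, which is exactly the friends'-accounts problem described above. The following Python is an added illustration, not code from MyMoney or Fiserv: it puts the trusting lookup next to the verified one, using a constructed app secret and a constructed two-row account table.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed example data: a pretend application secret and account store.
APP_SECRET = "constructed-example-secret"
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": "1,234.56"},
    "1002": {"owner": "bob", "balance": "98.10"},
}


def legacy_fb_signature(params: Dict[str, str], secret: str) -> str:
    """Legacy Facebook Platform signature: take every fb_sig_* parameter,
    strip the prefix, sort the key=value pairs, concatenate them without a
    separator, append the app secret, and MD5 the result. Note fb_sig itself
    does not start with 'fb_sig_' and is therefore excluded."""
    stripped = {k[len("fb_sig_"):]: v for k, v in params.items()
                if k.startswith("fb_sig_")}
    payload = "".join(f"{k}={v}" for k, v in sorted(stripped.items()))
    return hashlib.md5((payload + secret).encode()).hexdigest()


def vulnerable_lookup(query: Dict[str, str]) -> Optional[dict]:
    """The pattern the post describes: whatever fb_sig_user says, serve it."""
    return ACCOUNTS.get(query.get("fb_sig_user", ""))


def verified_lookup(query: Dict[str, str], secret: str = APP_SECRET) -> Optional[dict]:
    """Recompute fb_sig over the presented parameters and only then treat
    fb_sig_user as the caller's identity. Tampering with any fb_sig_* value
    (including fb_sig_user) invalidates the signature."""
    presented = query.get("fb_sig", "")
    expected = legacy_fb_signature(query, secret)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return None
    return ACCOUNTS.get(query.get("fb_sig_user", ""))


def facebook_canvas_request(user: str, secret: str = APP_SECRET) -> Dict[str, str]:
    """Simulate what Facebook appended to a canvas/iframe URL: a few
    fb_sig_* parameters plus the fb_sig computed with the app secret."""
    params = {"fb_sig_user": user, "fb_sig_time": "1259712000", "fb_sig_added": "1"}
    params["fb_sig"] = legacy_fb_signature(params, secret)
    return params


if __name__ == "__main__":
    legit = facebook_canvas_request("1001")
    tampered = dict(legit, fb_sig_user="1002")   # edit the URL parameter
    print("trusting lookup, tampered:", vulnerable_lookup(tampered))
    print("verified lookup, tampered:", verified_lookup(tampered))
```

The unverified lookup hands back Bob's account when Alice edits the parameter; the verified one returns nothing because the MD5 no longer matches. Two caveats: a valid signature can still be replayed, so a real handler also needs to check `fb_sig_time` against the clock (the legacy client libraries did), and MD5-with-a-suffixed-secret is shown here only because that is what the platform used at the time, not as a recommendation. The zone-transfer issue mentioned above is a one-liner to check from the outside with `dig axfr <zone> @<nameserver>`; a correctly configured authoritative server refuses the transfer.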

All in all, I'd say this whole MyMoney thing is a pretty damn good idea. I'm glad somebody did it.


Thursday, July 9, 2009

TweetMyPC: What I've learned From Your Screenshots

I've been watching the Twitter traffic pertaining to TweetMyPC. So far, I've amassed a decent collection of users' screenshots, all of which reveal private data.

First off, I have already confirmed my previous statement:
Your Twitter feed is public. Even if you make it private, recent incidents with Twitter should be enough to make you consider it public.


When TweetMyPC posts a screenshot, it uses Twitpic to do so. Though the TweetMyPC documentation encourages users to make the "command" Twitter accounts private, it makes no mention of TwitPic, which is a completely different service, and does not reflect Twitter's privacy settings. This being the case, locating command Twitter accounts (even the private ones) is a simple matter of searching through Twitpic's archives for the string "TweetMyPC -> Screenshot".

While Twitpic doesn't have a search feature (they've been promising one for some time), they do have a public feed, and there are third party (fourth party, I suppose) sites that allow you to do just that.

The next thing I learned is also a TwitPic issue (a bug, perhaps). You won't see this one on the Month of Twitter Bugs, but it turns out that deleted photos on TwitPic aren't actually deleted. An example: TwitPic claims that the image with the ID 9s4gx no longer exists. However, if you go directly to the full-sized image, you'll see that you can download the image- a screenshot of that user's Windows registry.

It's worth noting that this user has indeed protected his updates on Twitter... not that it did a lot of good.

Now let's get to the screenshots themselves.

Even the tiniest bit of information can be extremely useful to an attacker. It all depends on his motivation, his expertise, and how much free time he has. As none of this is predictable, I recommend that you use extreme caution in posting screenshots online.

This screenshot displays the contents of the user's Gmail account, his Gmail address, and the IP address that he is logged into Gmail from. From his bookmarks toolbar, we can guess what websites he visits regularly, and from the browser's status bar, we know that he is using Greasemonkey. From the Windows XP taskbar, we can see what software he is currently running, including antivirus and instant messaging. We know that he's not using NoScript, and that he appears to be a relatively savvy computer user.

I think we've got enough info to own this computer. Let's move on.

This guy is clearly logged into his investment management portal. Combining the info in this screenshot with some of the other information revealed in that user's Twitter account, and noting that there's an XSS hole on the investment site, I'm betting I could XSS him out of his stock portfolio.

Want more? You just have to look.

Desktop shortcuts, NoScript settings, browser history, Yahoo mailboxes, network and firewall settings, not to mention everyday activity, from piracy to IM conversations to grocery lists, are all freely available.


Monday, July 6, 2009

Today's Bad Idea: TweetMyPC

Some people just don't think.

TweetMyPC is an application you can install on your PC. It will read your Twitter feed and execute commands based on your tweets. How did somebody get all the way through writing this app without considering what a supremely poor idea it is? A few problems:

Your Twitter feed is public. Even if you make it private, recent incidents with Twitter should be enough to make you consider it public.

Do you really want the whole world to be able to view all your screenshots?

The entire security model of this app (if it could be considered such) relies on the idea that only you can post things to your Twitter account. Aviv Raff and his month of Twitter bugs are proving this wrong every day.

What is wrong with people? I know I'm a security guy, but seriously, think before you install remote access software for your PC. From the looks of the chatter, a lot of people are using this app already.

Remote desktop works fine, and there's no reason to use Twitter as your carrier. Twitter is not a network protocol. It's not even a great social networking app.

Edit: I'm collecting screenshots of personal information or other sensitive data here. I'll probably write a bot to do this for me soon enough
