Genius' Web Annotations Undermined Web Security (theverge.com)
New reader BradyDale shares an article on the Verge: Until early May, when The Verge confidentially disclosed the results of my independent security tests, the "web annotator" service provided by the tech startup Genius had been routinely undermining a web browser security mechanism. The web annotator is a tool which essentially republishes web pages in order to let Genius users leave comments on specific passages. In the process of republishing, those annotated pages would be stripped of an optional security feature called the Content Security Policy, which was sometimes provided by the original version of the page. This meant that anyone who viewed a page with annotations enabled was potentially vulnerable to security exploits that would have been blocked by the original site. Though no specific victims have been identified, the potential scope of this bug was broad: it was applied to all Genius users, undermined any site with a Content Security Policy, and re-enabled all blocked JavaScript code. Vijith Assar dives deep into how Genius did this: The primary way Genius annotations are accessed on the web is by adding "genius.it" in front of any URL as a prefix. The genius.it server reads the original content behind the scenes, adds the annotations, and delivers the hybrid content. The Genius version of the page includes a few extra scripts and highlighted passages, but until recently it also eliminated the original page's Content Security Policy. The Content Security Policy is an optional set of instructions encoded in the header of the HTTP connection which tells browsers exactly which sites and servers should be considered safe -- any code which isn't from one of those sites can then be ignored.
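The header-stripping described in the summary, as an added illustration that is not code from The Verge, Genius or the submitter: a republishing proxy that keeps only Content-Type loses the origin's CSP, while a forwarding proxy keeps it, rewrites 'self' to the real origin, and admits only its own annotation script by nonce. The hosts origin.example, cdn.example and annotator.example and the two proxy functions are assumptions for the demo.

```python
import secrets

# Constructed upstream response (not a real site): the origin ships a strict CSP.
UPSTREAM_ORIGIN = "https://origin.example"
UPSTREAM_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
}
UPSTREAM_BODY = "<html><body><p>Original passage.</p></body></html>"
ANNOTATOR_JS = "https://annotator.example/a.js"  # hypothetical proxy-owned script


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; directive order is kept."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def serialize_csp(policy):
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())


def naive_proxy(headers, body):
    """Before: republish the page but copy only Content-Type, so the origin's
    Content-Security-Policy (and any other security header) is silently dropped."""
    out = {"Content-Type": headers["Content-Type"]}
    injected = body.replace("</body>", f'<script src="{ANNOTATOR_JS}"></script></body>')
    return out, injected


def hardened_proxy(headers, body, nonce=None):
    """After: forward every upstream header, rewrite 'self' to the origin host
    (in the proxied copy 'self' would otherwise mean the proxy itself), and allow
    exactly one extra script, the annotator, via a per-response nonce."""
    nonce = nonce or secrets.token_urlsafe(16)
    out = dict(headers)
    policy = parse_csp(out.get("Content-Security-Policy", "default-src 'self'"))
    for name, sources in policy.items():
        policy[name] = [UPSTREAM_ORIGIN if s == "'self'" else s for s in sources]
    script_src = policy.setdefault("script-src", list(policy.get("default-src", [])))
    script_src.append(f"'nonce-{nonce}'")
    out["Content-Security-Policy"] = serialize_csp(policy)
    injected = body.replace(
        "</body>", f'<script nonce="{nonce}" src="{ANNOTATOR_JS}"></script></body>')
    return out, injected
```

Other origin-relative resources in the page would still need rewriting to absolute URLs; the block only covers the header side of the problem.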
Re: (Score:1)
1) It has "dives deep" as a verb
2) Not written by a computer security cracker (saltine variety)
3) Condescending explanation of a security feature the author only vaguely understands
This has front page slashdot written all over it.
Broader issue of bad proxies (CDNs) in general (Score:5, Interesting)
Genius may not have enough users to make this a major story. However, MOST users access major CDN networks, which have the same types of problems. So the issue affects everyone; Genius is just a small example.
One well-known CDN doesn't include the query string in its caching, so when the user requests google.com?q=its+ass the CDN will return the page cached for google.com?q=a+hole+in+the+ground . This CDN literally doesn't know its ass from a hole in the ground.
The lesson to be (re)learned, I think, is "don't write an http proxy without reading and following the http RFC on proxies". Most of the time when people write web proxies, they'd be better off configuring an existing proxy such as squid to do whatever they want to do. Squid will take care of doing the right thing for an http proxy; then add whatever function you want your proxy to do. If you absolutely must write your own http proxy, read and follow the RFC.
Easy fix: continue to ignore genius.it (Score:4, Funny)
Re: (Score:3)
Isn't this necessary for the way their site works? (Score:5, Interesting)
Which is exactly what CSP is supposed to stop (not allowing third-party sites to run unauthorized cross-domain scripts).
So, isn't the site's concept itself an affront to Content Security Policies? Maybe sites that require strict CSP should just block redirects from Genius.it.
Sorry, can't help myself. (Score:1)
Title should be "Genius's Web Annotations." "Genius'" would only be correct if "genius" were a plural. Singular nouns that end in s get an "apostrophe s" after them to indicate the possessive. /pedant
Re: (Score:2)
"Genius'" would only be correct if "genius" were a plural.
Not so. "Genius" is the name of the company offering web annotations. When dealing with proper nouns, either approach is considered to be grammatically correct (e.g. "James' peach" or "James's peach"), so it's left as a matter for the style guides to decide. The most common form in newspapers and other print is to drop the "s", which shouldn't come as a surprise given that they tend to drop optional characters (e.g. Oxford/serial comma) in the interest of saving ink/space. Unlike the Oxford comma, however,
Re:Sorry, can't help myself. (Score:4, Funny)
bam! out pedanted!
Re: (Score:2)
I'm just waiting for (and welcome!) the inevitable correction to the grammar I used in that post. ;)
Re: (Score:2)
I just got done typing up a nice, long response with links, quotes, explanations, and details...and then I hit Refresh and lost it.
So, here are some of the links. I've provided a super quick summary of what you can take away from them.
Either is acceptable: http://www.grammarbook.com/pun... [grammarbook.com]
Either is acceptable: https://owl.english.purdue.edu... [purdue.edu]
The Associated Press and Chicago handle it differently: http://www.apvschicago.com/201... [apvschicago.com]
Strunk says keep the "s" unless dealing with ancient names: http://www.bartleb [bartleby.com]
Re: (Score:2)
Quite true. Even so, the implication of your post seems to be that only the form with the "s" is correct. In response, I'll point out [slashdot.org] that Strunk (of The Elements of Style fame), the Associated Press, the Chicago Manual of Style, The Guardian, and a number of other publications have no problem dropping the "s" under certain circumstances. The conditions under which they do so differ (e.g. all proper names, ancient proper names, sibilant words, adjacent sibilance, etc.), but that's exactly the point I was m
Re: (Score:2)
+1 ironic subject line
On the other hand, you did remind me of the biggest belly laugh I've ever had reading a grammar book.
From A Handbook of Good English by Edward D. Johnson.
So, yes, I guess I'm an easy mark and, yes, eye contact matters.
This is one of many fine books you might consider owning if you someday decide to do something
Next Gen Thought Leaders! (Score:2)
Obviously, this is some serious web 3.0 shit
Re: (Score:3)
Obviously, this is some serious web 3.0 shit
Oh yeah. From 2009. It was called Google SideWiki [wikipedia.org], and nobody cared then either. Lasted 2 years.
sounds like my PhD work from 10+ years ago (Score:3, Interesting)
In essence, the only way to do this without storing a copy of the original page (which has merit, but is challenging legally and in terms of disk space), is to store the annotations, pull in the page and then merge the annotations and send the output to the viewer. So it is basically acting as a proxy, but means that there are potential issues with orphaned annotations - the more dynamic nature of the web today would cause real problems in getting any kind of consistent output for two different people, or even for the same person at different times. I have to admit, I was looking at the educational side of things and so the security issues were less of a consideration, but things like the injection of malicious code, invisible amendments (e.g. censorship) to the underlying text, etc. were all pretty obvious.
Anyway, the technique itself was far from novel when I started working on my PhD, but given the continued citations to papers that I published back (https://scholar.google.co.uk/citations?user=KK_EFSUAAAAJ&hl=en [google.co.uk]) then it seems to still be an area of active research.
What is vulnerable? (Score:2)
Here's what won't happen: you won't give your login credentials to a third party. That's because your browser won't read any cookies from the original site, and Genius prevents you from typing into web forms.
The author uses technical language without talking about what people do, how people interact, and what people care about. Instead, there's much ado about a variable calle
Bullshit news (Score:2)
So they strip tags, which would prevent their copy from loading content like images from the original server? So what? That's needed for operation. And I guess nobody would actually annotate their online banking or webmail pages.