Genius' Web Annotations Undermined Web Security (theverge.com)

New reader BradyDale shares an article on the Verge: Until early May, when The Verge confidentially disclosed the results of my independent security tests, the "web annotator" service provided by the tech startup Genius had been routinely undermining a web browser security mechanism. The web annotator is a tool which essentially republishes web pages in order to let Genius users leave comments on specific passages. In the process of republishing, those annotated pages would be stripped of an optional security feature called the Content Security Policy, which was sometimes provided by the original version of the page. This meant that anyone who viewed a page with annotations enabled was potentially vulnerable to security exploits that would have been blocked by the original site. Though no specific victims have been identified, the potential scope of this bug was broad: it was applied to all Genius users, undermined any site with a Content Security Policy, and re-enabled all blocked JavaScript code.

Vijith Assar dives deep into how Genius did this: The primary way Genius annotations are accessed on the web is by adding "genius.it" in front of any URL as a prefix. The genius.it server reads the original content behind the scenes, adds the annotations, and delivers the hybrid content. The Genius version of the page includes a few extra scripts and highlighted passages, but until recently it also eliminated the original page's Content Security Policy. The Content Security Policy is an optional set of instructions encoded in the header of the HTTP connection which tells browsers exactly which sites and servers should be considered safe -- any code which isn't from one of those sites can then be ignored.
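The summary describes a republishing proxy that forwards a page's body but loses its Content-Security-Policy header. The following is an added example, not code from Genius, The Verge or the article's author: it models that header loss, shows a republisher that instead forwards the origin's policy and only adds its own script origin, and includes a checker that reports every way a republished response is weaker than the original. The header values, `cdn.example` and `annotator.example` are constructed sample values.

```python
"""Check whether a republished page kept the origin's Content-Security-Policy.

Added example, not code from Genius or The Verge. All header values below are
constructed samples, not captured from any real site.
"""
from __future__ import annotations

CSP = "content-security-policy"


def parse_csp(value: str) -> dict[str, set[str]]:
    """Parse a CSP header value into {directive: {sources}}."""
    policy: dict[str, set[str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    return policy


def serialize_csp(policy: dict[str, set[str]]) -> str:
    """Inverse of parse_csp; sources are sorted so output is deterministic."""
    return "; ".join(f"{d} {' '.join(sorted(s))}".rstrip() for d, s in policy.items())


def get_csp(headers: dict[str, str]) -> dict[str, set[str]] | None:
    """Case-insensitive header lookup; None when the response carries no CSP."""
    for name, value in headers.items():
        if name.lower() == CSP:
            return parse_csp(value)
    return None


def naive_republish(origin_headers: dict[str, str]) -> dict[str, str]:
    """Model of an annotator that forwards only the headers it thinks it needs.
    The origin's CSP is lost as a side effect, which is the behaviour the
    article describes."""
    keep = {"content-type"}
    return {k: v for k, v in origin_headers.items() if k.lower() in keep}


def preserving_republish(origin_headers: dict[str, str], annotator_origin: str) -> dict[str, str]:
    """Forward all headers and add the annotator's own origin to script-src only,
    so every other restriction chosen by the origin still applies to the hybrid page."""
    out = dict(origin_headers)
    policy = get_csp(origin_headers)
    if policy is not None:
        # When script-src is absent, default-src governs scripts; start from it
        # so that the other resource types keep the original default.
        scripts = policy.get("script-src", policy.get("default-src", set()))
        policy["script-src"] = set(scripts) | {annotator_origin}
        for name in list(out):
            if name.lower() == CSP:
                del out[name]
        out["Content-Security-Policy"] = serialize_csp(policy)
    return out


def csp_regressions(origin_headers: dict[str, str], republished_headers: dict[str, str]) -> list[str]:
    """Report every way the republished response is weaker than the origin's."""
    orig = get_csp(origin_headers)
    repub = get_csp(republished_headers)
    if orig is None:
        return []  # the origin set no policy, so there was nothing to lose
    if repub is None:
        return ["Content-Security-Policy dropped entirely"]
    findings = []
    for directive, sources in orig.items():
        if directive not in repub:
            findings.append(f"{directive}: directive removed")
            continue
        added = repub[directive] - sources
        if added:
            findings.append(f"{directive}: added sources {sorted(added)}")
    return findings


# Constructed sample of an origin response that ships a strict policy.
ORIGIN_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
}

if __name__ == "__main__":
    print("naive:     ", csp_regressions(ORIGIN_HEADERS, naive_republish(ORIGIN_HEADERS)))
    kept = preserving_republish(ORIGIN_HEADERS, "https://annotator.example")
    print("preserving:", csp_regressions(ORIGIN_HEADERS, kept))
```

Run against the constructed headers, the naive republisher is flagged for dropping the policy entirely, while the preserving one is flagged only for the single script origin it added on purpose, which is the one change a reviewer of such a service would expect to see and sign off on.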
  • by xxxJonBoyxxx ( 565205 ) on Wednesday May 25, 2016 @12:57PM (#52180213)
    Easy fix: continue to ignore genius.it. Or just put "sh" in front of the "it" to get a better result.
  • by MatthiasF ( 1853064 ) on Wednesday May 25, 2016 @01:05PM (#52180291)
    They are not keeping a copy of the webpage on their servers, merely playing man-in-the-middle by creating the link to the page, opening it in the user's browser and applying their own data (highlighting) into the HTML using their own scripts.

    Which is exactly what CSP is supposed to stop (not allowing third-party sites to run unauthorized cross-domain scripts).

    So, isn't the site's concept itself an affront to Content Security Policies? Maybe sites that require strict CSP should just block redirects from Genius.it.
  • Title should be "Genius's Web Annotations." "Genius'" would only be correct if "genius" were a plural. Singular nouns that end in s get an "apostrophe s" after them to indicate the possessive. /pedant

    • "Genius'" would only be correct if "genius" were a plural.

      Not so. "Genius" is the name of the company offering web annotations. When dealing with proper nouns, either approach is considered to be grammatically correct (e.g. "James' peach" or "James's peach"), so it's left as a matter for the style guides to decide. The most common form in newspapers and other print is to drop the "s", which shouldn't come as a surprise given that they tend to drop optional characters (e.g. Oxford/serial comma) in the interest of saving ink/space. Unlike the Oxford comma, however,

    • by epine ( 68316 )

      +1 ironic subject line

      On the other hand, you did remind me of the biggest belly laugh I've ever had reading a grammar book.

      From A Handbook of Good English by Edward D. Johnson.

      Mary's and John's behavior at the office party was disgraceful is correct if the two misbehaved separately; Mary and John's behaviour is correct if they misbehaved together.

      So, yes, I guess I'm an easy mark and, yes, eye contact matters.

      This is one of many fine books you might consider owning if you someday decide to do something

  • Obviously, this is some serious web 3.0 shit

  • by IRGlover ( 1096317 ) on Wednesday May 25, 2016 @05:23PM (#52182883)
    I wrote a PhD on this technique as a way to support collaborative learning by allowing third-party annotation sharing: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.431525 [ethos.bl.uk]

    In essence, the only way to do this without storing a copy of the original page (which has merit, but is challenging legally and in terms of disk space), is to store the annotations, pull in the page and then merge the annotations and send the output to the viewer. So it is basically acting as a proxy, but means that there are potential issues with orphaned annotations - the more dynamic nature of the web today would cause real problems in getting any kind of consistent output for two different people, or even for the same person at different times. I have to admit, I was looking at the educational side of things and so the security issues were less of a consideration, but things like the injection of malicious code, invisible amendments (e.g. censorship) to the underlying text, etc. were all pretty obvious.

    Anyway, the technique itself was far from novel when I started working on my PhD, but given the continued citations to papers that I published back (https://scholar.google.co.uk/citations?user=KK_EFSUAAAAJ&hl=en [google.co.uk]) then it seems to still be an area of active research.
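The comment above describes the store-annotations, fetch-page, merge approach and the orphaned-annotation problem it brings. The following is an added example, not code from the commenter's thesis or from Genius: it anchors each stored annotation to an exact quote plus a short prefix context, reports annotations as orphaned when the underlying text has changed rather than placing them somewhere else, and escapes both the page text and the annotation bodies when building the merged output so that annotation content cannot inject markup. The page text, annotations and the `Annotation` type are constructed for the example.

```python
"""Merge stored annotations into fetched page text and detect orphans.

Added example, not code from the commenter's thesis or from Genius.
Sample page text and annotations are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from html import escape


@dataclass(frozen=True)
class Annotation:
    quote: str    # exact passage the annotation was attached to
    prefix: str   # characters immediately before the quote, to disambiguate repeats
    comment: str  # annotation body as stored; treated as untrusted text


def locate(text: str, ann: Annotation) -> int:
    """Offset of the annotated passage in text, or -1 if the annotation is orphaned.

    The prefix context picks among repeated quotes; when the page has changed so
    that quote and prefix no longer line up, the annotation is reported as an
    orphan instead of being attached to a different passage."""
    start = 0
    while True:
        idx = text.find(ann.quote, start)
        if idx == -1:
            return -1
        if text[max(0, idx - len(ann.prefix)):idx] == ann.prefix:
            return idx
        start = idx + 1


def merge(text: str, annotations: list[Annotation]) -> tuple[str, list[Annotation]]:
    """Return (merged_html, orphans).

    Located passages are wrapped in <mark> with the comment in the title
    attribute. Page text and comments are HTML-escaped, so neither the fetched
    page nor a stored annotation can smuggle markup into the output. Overlapping
    annotations are not handled; the later one is dropped as an orphan."""
    placements: list[tuple[int, Annotation]] = []
    orphans: list[Annotation] = []
    for ann in annotations:
        idx = locate(text, ann)
        if idx == -1:
            orphans.append(ann)
        else:
            placements.append((idx, ann))
    placements.sort(key=lambda p: p[0])

    parts: list[str] = []
    pos = 0
    for idx, ann in placements:
        if idx < pos:  # overlaps the previous placement
            orphans.append(ann)
            continue
        parts.append(escape(text[pos:idx]))
        parts.append(f'<mark title="{escape(ann.comment, quote=True)}">')
        parts.append(escape(ann.quote))
        parts.append("</mark>")
        pos = idx + len(ann.quote)
    parts.append(escape(text[pos:]))
    return "".join(parts), orphans


# Constructed sample: the same page at two points in time.
PAGE_V1 = "The quick brown fox jumps over the lazy dog. The fox sleeps."
PAGE_V2 = "The quick red fox jumps over the lazy dog."

ANNOTATIONS = [
    Annotation("fox", "brown ", "the animal"),
    Annotation("fox", "The ", "second mention"),
    Annotation("lazy dog", "the ", "a <script> tag in a comment"),
    Annotation("cat", "", "never on this page"),
]

if __name__ == "__main__":
    for page in (PAGE_V1, PAGE_V2):
        html, orphans = merge(page, ANNOTATIONS)
        print(html)
        print("orphaned:", [a.comment for a in orphans])
```

On the second version of the page the word "fox" still exists, but its prefix no longer matches, so the first annotation is reported as an orphan rather than being silently moved; that is the inconsistency between viewers and over time that the comment points out, surfaced explicitly instead of hidden.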
  • A "vulnerability" implies that there is a problem that makes somebody vulnerable to something. Who is vulnerable to what in this case?

    Here's what won't happen: you won't give your login credentials to a third party. That's because your browser won't read any cookies from the original site, and Genius prevents you from typing into web forms.

    The author uses technical language without talking about what people do, how people interact, and what people care about. Instead, there's much ado about a variable calle
  • So they strip tags, which would prevent their copy from loading content like images from the original server? So what? That's needed for operation. And I guess nobody would actually annotate their online banking or webmail pages.
