E-Dribble » hosting http://www.infosprite.com vaccuum packed mindless ramblings Tue, 17 Aug 2010 21:33:44 +0000 en hourly 1 http://wordpress.org/?v=3.0.1 There’s one in the spotlight, he don’t look right to me… http://www.infosprite.com/2008/11/23/theres-one-in-the-spotlight-he-dont-look-right-to-me/ http://www.infosprite.com/2008/11/23/theres-one-in-the-spotlight-he-dont-look-right-to-me/#comments Sun, 23 Nov 2008 20:10:00 +0000 schwim http://www.infosprite.com/?p=220 I was forwarded a security notice by one of my competing webhosts(one of the few that I have yet to crush in my quest for world domination) concerning DaGoog.  Yes, it seems that there is another incredibly severe vulnerability, this time nefariously perpetrated by the same company that promised you that they would do no evil.

Nah, I’m just kidding.  It’s just a bunch of blow-hard asshats that have found yet another scenario that will never actually happen to hear themselves talk.

The Register(UK based) wasted one more page on it than I will, allowing these devil’s advocate dipshits a platform to play what-if. I’ll give you the straight-up scoop, condensing the notice to a minimum length, while retaining the implications:

If Google wanted, they could use the javascript embedded for Analytics to do bad things on your site.

Left unsaid, but equally important are these notices:

1) If your webhost wanted, they could do bad things on your site.
2) If your ISP wanted, they could do bad things on your site.
3) If an employee with access wanted, they could do bad things on your site.
4) If someone is looking over your shoulder when you access a restricted portion of your site, they will be able to do bad things on your site.
5) If someone finds your password cheat-sheet, they will be able to do bad things on your site.

I could keep going, but no matter how hard I tried, I couldn’t come up with any more asinine possibilities than our quoted security experts have come up with.

It’s true.  If Google wanted to alter their code to introduce a malicious payload on a site using their analytics system, they could.  They could also hire ninjas to enter the NOC and steal your physical server.  They could also beat you up for your lunch money.

Dinis Cruz states “If I wanted a backdoor into the website, this would be one of the best ways to do it. It would allow somebody who knew about this to drop a payload in a way that almost wouldn’t be detected.“

For those that missed it, Dinis is proposing that the easiest way to compromise a site is to get a job at Google cleaning cubicles, work your way up to a position in which you have unmitigated control over the production code that Google uses and then alter it to access a restricted area on a site via a vulnerability you introduced.

An added bonus to this method is that you get to ride the Segways on the Google campus and have a certified organic vegan salad for free.

]]> http://www.infosprite.com/2008/11/23/theres-one-in-the-spotlight-he-dont-look-right-to-me/feed/ 0