Viewing Category: Security  [clear category selection]

Changing your Adobe email address

There is currently an error in the JSON parsing of saved user billing/shipping information on Adobe's My Information page. It causes the busy overlay to remain, preventing interacting with the forms beneath. The symptom of the problem looks like this:

Adobe My Info Bug Stuck Overlay

I wanted to get in there and change my email address from adobe@lamoree.com to adobe_blows@lamoree.com because I've recently been getting A TON of spam due to my email address being among the 150 million records in the Adobe data breach last November. Of course, I used a strong, unique password before the data was compromised, so I don't have to worry about my credentials on other websites (I recommend 1Password and LastPass if you're still playing loosey-goosey).

At any rate, this is the cause of the busy overlay being stuck on:

Adobe My Info Bug Javascript Exceptions

Perhaps my data was saved in an old format and their new web application can't parse it correctly. No matter, we can get around the problem by manually deleting that element from the DOM. Just open up the JavaScript console and execute the following:

$(".AdobeViewMask").remove();

Et voila! Now the form can be edited. You will receive an error when an Ajax validation attempt is made: "NetworkError: 404 Not Found - https://www.adobe.com/svcs/accounts/accountstatus/adobe_blows@lamoree.com?_=1393805436151" Apparently, they don't use that account status check anymore. Regardless, the form will save the new email address and allow the verify address link to be visible and clicked.

Adobe My Info Bug Overlay Removed

This is yet another reason I recommend creating a unique email address for every website on which you create an account. Seriously, consider it if you have the ability to run your own mail servers. It's interesting to see when specific vendors leak their user's data -- sometimes before they know of the issue or acknowledge it publicly.

Additional thoughts on SQL injection attacks

This is a short follow-up to my post on Friday about a SQL injection attack against this blog. Since the beginning in 3 Feb 2010, I've logged 17663 attempts. This the first hit from 94.142.131.77 (Latvia Cesis Sia Css Group):

94.142.131.77 - - [03/Feb/2010:03:33:49 -0800] "GET /machblog/index.cfm?event=showEntriesByCategory&categoryId=-1'&categoryName=Tomcat HTTP/1.0" 200 19689 "-" "Mozilla/4.0 (compatible; Synapse)"

Compared that to the most recent request from 68.12.167.207 (United States Phoenix Cox Communications Inc.), showing the forwarding response:

68.12.167.207 - - [05/Aug/2013:09:51:16 -0700] "GET /machblog/index.cfm?event=showcategoryrss&categoryid=-1%27&categoryname=cygwin HTTP/1.0" 302 354 "-" "Mozilla/4.0 (compatible; Synapse)"

They didn't initially URL-escape the single-quote character. Maybe they intended to, but for whatever reason, their script failed to operate as intended. Just in case, I'll update my protection to catch both situations:

RewriteCond %{QUERY_STRING} (=-1%27|=-1') RewriteRule ^ http://www.google.com/? [R=301,L]

Since I added the parenthesis characters for the logical group match, I no loner need to escape the equals character. I guess that would have been another way to escape the equals character without using the backslash. If you felt so inclined. Also, thinking about it a moment, I might not want to forward the user agent to Google with the original query string. I can achieve that by appending a question mark to the destination URL. Finally, I probably want to use a HTTP 301 permanent redirect response, just in case Apache Synapse will do something special with that status code, like remove it from a queue. Doubtful.

A distributed SQL injection attack

My blog has been sending a few hundred exception alerts for the past couple days, which is not uncommon. Every poorly scripted crawler and buggy RSS parser sends malformed URLs that throw an exception because something isn't a proper UUID. I have become quite accustomed to ignoring all that nonsense. However, this most recent batch was different. It was a deliberate attempt to find an SQL injection flaw. For example, instead of sending /machblog/index.cfm?pageId=foo they sent /machblog/index.cfm?pageId=-1%27. And for URLs with more than one argument, they tried the premature close-quote trick for each value. It's not clear to me how they would recognize a successful exploit was executed. There is no payload following the quote character. Maybe their attack isn't fully written, or perhaps they're looking for a response that is specific to a particular application.

The more interesting thing was where the hits were coming from. Here are a sample of hits from a couple hours:

From all over the world, somebody really wanted to exploit my little blog. It was pretty easy to identify these as all being part of the same attack system because the HTTP headers sent were identical. They appear to be using the Apache Synapse project to launch and manage the URLs. To deal with it, I just created a simple Apache HTTP rewrite rule to forward them to Google:

RewriteCond %{QUERY_STRING} \=-1%27 RewriteRule ^ http://www.google.com

Note how the regex must have a leading backslash to prevent the "special variants" in the RewriteCond condition pattern from treating =-1%27 as meaning lexicographically equal to "-1%27". It's a subtle detail, but makes all the difference.

Some day, I'll upgrade my blog to NGINX + Current Tomcat + Current Railo + ContentBox from Apache + Old Tomcat + Old Open BlueDragon + MachBlog. Until then, I just need it to soldier on.

Oh, I see you've been hacked.

I create unique email addresses for each web service for which I register. This helps me to eliminate spam; if an email address is given away to a marketing firm, I can delete or change the address. For example, I signed up for a service at Equifax a couple years ago. As I filled out the registration form, I created the email address equifax@lamoree.com, which only that organization would ever have on record. This sometimes leads to humorous telephone conversations when I tell a representative that my email address is {your-company-name}@lamoree.com. Recently, I noticed a huge amount of spam -- the really crappy kind for online pharmacies and mail-order brides -- sent to equifax@lamoree.com. The most likely explanation is that Equifax, or a marketing company with whom they do business, recently lost control of their user database. I also create a unique password for every service, so I'm protected against common credential attacks, thank goodness. It's kind of interesting to see how many companies leak my "personal" data. Quite often, this happens when companies run into financial trouble and start partnering with shady characters.

The average internet user probably doesn't own their own domain, operate their own mail server, and maintain a LDAP database with thousands of email aliases. Another option, if your email provider supports it, is to use plus addressing to create different addresses for filtering. This isn't ideal because it's trivial to strip the characters following the plus character, if a spammer was so inclined. Some email providers allow wildcard subdomains, but that's not quite as common and still requires control of the domain name.

Password Managers

I'm often asked which password manager I use. Almost a decade ago, I actually wrote a web application that stored passwords in a blowfish encrypted file. It worked well, but it required internet connectivity and had a tiny feature set. I switched to 1Password a few years ago. It is a pleasure to use, and it synchronizes using a simple one-encrypted-file-per-entry database using DropBox. All my Macs, my iPhones, and my DROID are in sync. I have about 300 user accounts, software registration codes, and whatnot. They now have a Windows version, but I haven't tried it.

For occasions which require the use of Microsoft Windows, I use KeePass. It's an open source project that has been around for a long time, and is still active. It uses the Microsoft .NET Framework, but it's a rare Windows machine that doesn't have that installed already.

If I were to start managing passwords today, I would probably pick LastPass. It's a quality product, and the company behind it is first class. Also, Steve Gibson uses LastPass, which says a lot for any product.