Monday, December 15, 2008

Potential Social Exploit

So I was looking at my own private forum, when I ran across this:

"A username and password are being requested by http://www.usersigs.com. The site says: 'www.radavatars.com.'"

Obviously radavatars/usersigs don't care for me linking my avatar pics from their site. I linked to it before there was a password, but now there is one. I can't blame them; I'm sure they use up a lot of bandwidth this way while receiving little recognition. With phpBB 3 at least, you can simply create a new post containing an externally hosted picture whose server demands a login, and every visitor who views the post gets the prompt.

Cracked recently had fun with direct-linking plagiarists, but that's a side note.

However, what struck me was that inexperienced users are likely to have no clue what's going on. They just go to their favorite forum about cars or whatever and hopefully hit cancel. But some may be deceived into entering a sensitive password, especially the one for the site they are on, if the prompt looked more like this:

"A username and password are being requested by http://automotiveforums.securesite.cn:8080. The site says: 'Enter your Automotive Forums Login'"

(This is not a real pic per se. I used my hosts file to make automotiveforums.securesite.cn point to my own web server. That is not a real URL, and I don't know what securesite.cn is.)

The most secure way to verify a website is by examining its SSL certificate. Most people don't do that, and in this case it doesn't apply, since the prompt comes over plain HTTP. The second best way is to analyze the URL. Based on the URL, you can determine that this is a Chinese site (not Canadian), belonging to whoever registered securesite.cn (which could easily be a scammer), and that the automotiveforums.* portion is a subdomain chosen at will by the securesite.cn owner; it says nothing about any real automotive forums site.

Of course, most people don't even know how to analyze a URL. When my aunt Bella wanted to register SingledOut.com for her book, it was already taken. Someone in my family asked me if she could register book.SingledOut.com. The short answer was, she couldn't: only the owner of SingledOut.com can create names under it.

So I can completely imagine somebody entering their automotive forums login, and the scammer's website (the one serving the prompt) collecting the username/password once it is submitted.
I can also imagine somebody launching a massive denial of service attack on a forum by putting up countless images like this, that make the site unviewable.

So what are the solutions to this problem? The best solution would be to train users to analyze URLs. Sadly, all they often know is that they shouldn't trust emails, which often contain phony links.
Firefox makes it quite clear which site is asking you for the password, and that the site is merely claiming you should enter it.
Perhaps the best solution is for forums to reject image links whose host requires authentication, but that would require the forum software to connect to the site, and it may need to do that frequently, since a host can start demanding a login long after the post was made. Forums already frequently disallow hotlinked images, but that check is not perfect because they don't connect to the site.
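The forum-side check described above, as an added example that is not code from the original post or from any forum software: the forum fetches a posted image URL with no credentials, just as a visitor's browser would, and flags it if the host answers with an HTTP 401 challenge. The external host is a constructed mock running on localhost, and the realm text, paths and function names are assumptions for the demonstration.

```python
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def image_url_demands_login(url, timeout=5):
    """Fetch an image URL with no credentials, as a forum visitor's browser
    would. Returns (demands_login, realm); realm is the text the browser
    would display in its prompt ("The site says: ...")."""
    req = Request(url, headers={"User-Agent": "forum-image-precheck"})
    try:
        with urlopen(req, timeout=timeout):
            return False, None            # served without a login prompt
    except HTTPError as err:
        if err.code != 401:
            return False, None            # broken image, but no prompt
        challenge = err.headers.get("WWW-Authenticate", "")
        match = re.search(r'realm="([^"]*)"', challenge)
        return True, (match.group(1) if match else challenge)


class MockAvatarHost(BaseHTTPRequestHandler):
    """Constructed stand-in for an external image host: /protected/* demands
    Basic auth with a realm chosen by whoever runs the host (assumed text)."""
    def do_GET(self):
        if self.path.startswith("/protected/"):
            self.send_response(401)
            self.send_header("WWW-Authenticate",
                             'Basic realm="Enter your Automotive Forums Login"')
        else:
            self.send_response(200)
            self.send_header("Content-Type", "image/png")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass                              # keep the demo quiet


def precheck_post_images(paths):
    """Check each image path of a post against the mock host; a real forum
    would run this on the URLs found in [img] tags before accepting a post."""
    server = HTTPServer(("127.0.0.1", 0), MockAvatarHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        return {p: image_url_demands_login(base + p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()
```

Because the host can change its answer later, the forum would need to repeat this check periodically, which is the caveat raised above.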

I'm going to have to say that we need to train users. I wish the best of luck to those who have no real knowledge of internet security, as they will need it.

-Mike
