Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: "John C. Welch" <email@hidden>
- Date: Fri, 26 Mar 2004 19:22:29 -0600
On 3/26/04 4:28 PM, "Michael Terry" <email@hidden> wrote:
> Again it's clear you either haven't read or haven't understood anything
> I've said. Again the scary-sounding generalities. Be specific, big guy:
> How exactly would a remote host click links in my web browser without
> my initiating it? Even if it could, what exactly do you imagine the
> link clicking could do to the target's machine? Missing Link doesn't
> execute any sort of random code, JavaScript or AppleScript. All it does
> is launch stuff that's already on your computer.
<sigh>
Okay, how to use Missing link as a trojan.
Step one, write a nominally interesting application that claims to do
something that someone might want. Say, oh, like my useless little "Set
iChat Status" application. You only need to get a few people to want it.
Wrap it in an apple installer.
Part of that Apple installer is missing link. I'd bury it in ~/Application
Support, no one ever looks at what's in there.
You then have the installer add the appropriate information in launch
services.
So now, you have modified a URL handler for that user's login.
But wait, we're not done yet, because hey, we're going to be evil here, and
being evil's what I'm good at.
We're going to rely on the ignorant herd mentality of Mac users, and their
arrogance, and ask them to authenticate. Only, it's not going to be a real
authentication dialog. Oh, it will look and act like one, but all it's
really doing is getting that all important administrator password.
Now, we own the machine.
"Hey silly arrogant mac user who thinks that what is about to happen to you
ONLY happens to windows users, could you please come to my web site and
register? That's it, click on the 'register me' link."
Sucker!
PWN3D!
Because while you're filling in some l@m3r form about who you are and where
you live, (cha, like I care), the javascript you just kicked off is talking
to missing link. With your password. And missing link is talking to my
trojan. And my trojan is talking to cron.
And sendmail.
And dscl.
And we're adding a few things. And making a few small changes.
Because in six months, all hell is breaking loose, and the windows folks are
going to laugh themselves into a coma at all the mac users crying as their
computers suddenly start doing all sorts of bad things.
Is THAT clear enough?
> Having Missing Link put up password dialogs, aside from being worthless
> from a security standpoint, would also render Missing Link worthless as
> a tool of convenience.
It's not worthless if you consider that one of the objectives of security is
verification. This isn't like Address Book or mail having a fit. I have to
take a lot of manual action to script those. Missing link allows anyone who
guesses right to start applications on your system without any user
intervention beyond setup, and that's trivial to do. It can also be used to
start applications that DON'T show up in the dock, and it can all be
initiated from a web page on some server in Pago Pago.
And it wouldn't render missing link worthless. You'd still be able to launch
stuff with it. There'd just be that extra step to confirm that you, the
human at the keyboard, wanted this to happen. Or, you could require that any
application launched by missing link be MANUALLY entered into a list of
"known applications" that missing link would talk to. THAT would eliminate
much of the badness, and really effectively cripple my trojan scheme, since
you can't script an applet easily.
Yeah, this is all esoteric stuff, but have you ever heard of a little thing
called MacHack?
john
--
"It is better to live one day as a lion than a hundred years as a sheep."
- Italian proverb
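
The "known applications" list and confirmation step proposed in the message above, sketched as an added example (not part of the original post and not Missing Link's code). The `launch:` URL form, the sample paths and the function names are assumptions, since the page does not show the tool's real URL format.

```python
import posixpath
from urllib.parse import unquote, urlsplit

SCHEME = "launch"  # assumed scheme name; the tool's real URL format is not on the page

# Constructed sample list. Entries are added by the user by hand, never by an
# installer or by the handler itself.
KNOWN_APPS = frozenset({"/Applications/iChat.app", "/Applications/Mail.app"})


def requested_app(url):
    """Return the normalised absolute path a launch: URL names, or None if malformed."""
    parts = urlsplit(url)
    if parts.scheme.lower() != SCHEME:
        return None
    if parts.netloc or parts.query or parts.fragment:
        return None  # no remote hosts, no extra arguments smuggled in
    path = unquote(parts.path)
    if not path.startswith("/") or "\x00" in path:
        return None
    # Collapse "." and ".." so a traversal cannot hide behind a listed prefix.
    # A real handler would also resolve symlinks (os.path.realpath) here.
    return posixpath.normpath(path)


def decide(url, known_apps, confirm):
    """Return (decision, path): launch listed apps, ask the human for the rest."""
    path = requested_app(url)
    if path is None:
        return ("deny", None)
    if path in known_apps:  # exact match only, never a prefix test
        return ("launch", path)
    # Not on the list: the person at the keyboard decides, and the answer is
    # not remembered, so the list changes only when edited by hand.
    return ("launch" if confirm(path) else "deny", path)
```

The `confirm` callback stands in for a dialog shown to the person at the keyboard; a handler that wanted the stricter of the two proposals would pass a callback that always refuses.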