Re: AppleScript & HTML Again...


  • Subject: Re: AppleScript & HTML Again...
  • From: Michael Terry <email@hidden>
  • Date: Sun, 28 Mar 2004 10:34:12 -0800

On Mar 26, 2004, at 5:22 PM, John C. Welch wrote:

<sigh>

Okay, how to use Missing link as a trojan.

Step one, write a nominally interesting application that claims to do
something that someone might want. Say, oh, like my useless little "Set
iChat Status" application. You only need to get a few people to want it.

Wrap it in an apple installer.

Part of that Apple installer is missing link. I'd bury it in ~/Application
Support, no one ever looks at what's in there

You then have the installer add the appropriate information in launch
services.

So now, you have modified a URL handler for that user's login.

But wait, we're not done yet, because hey, we're going to be evil here, and
being evil's what I'm good at.

We're going to rely on the ignorant herd mentality of Mac users, and their
arrogance, and ask them to authenticate. Only, it's not going to be a real
authentication dialog. Oh, it will look and act like one, but all it's
really doing is getting that all important administrator password.

Now, we own the machine.

"Hey silly arrogant mac user who thinks that what is about to happen to you
ONLY happens to windows users, could you please come to my web site and
register? That's it, click on the "register me" link."

Sucker!

PWN3D!

Because while you're filling in some l@m3r form about who you are and where
you live, (cha, like I care), the javascript you just kicked off is talking
to missing link. With your password. And missing link is talking to my
trojan. And my trojan is talking to cron.

And sendmail.

And dscl.

And we're adding a few things. And making a few small changes.

Because in six months, all hell is breaking loose, and the windows folks are
going to laugh themselves into a coma at all the mac users crying as their
computers suddenly start doing all sorts of bad things.

Is THAT clear enough?


Yes, perfectly. It's clear that nothing in particular about Missing Link invites trojans. Your example relies on the user being duped by what appears to be a legitimate, innocuous application and application installer. Missing Link is incidental to the evil of the story. There are plenty of easier, more direct methods of ruining a user's day if he trusts an application developer. I'm asking for an example using the current system, as is, that makes it riskier than other applications.

On Mar 26, 2004, at 5:22 PM, John C. Welch wrote:

It's not worthless if you consider that one of the objectives of security is
verification. This isn't like Address Book or mail having a fit. I have to
take a lot of manual action to script those. Missing link allows anyone who
guesses right to start applications on your system without any user
intervention beyond setup, and that's trivial to do. It can also be used to
start applications that DON'T show up in the dock, and it can all be
initiated from a web page on some server in Pago Pago.

And it wouldn't render missing link worthless. You'd still be able to launch
stuff with it. There'd just be that extra step to confirm that you, the
human at the keyboard, wanted this to happen. Or, you could require that any
application launched by missing link be MANUALLY entered into a list of
"known applications" that missing link would talk to. THAT would eliminate
much of the badness, and really effectively cripple my trojan scheme, since
you can't script an applet easily.


Missing Link is supposed to be a tool of convenience. Requiring a password for every link clicked would make it more inconvenient than it's worth. If you created a front end to a bunch of AppleScripts, the links and buttons of the web page being the interface, you'd have to deal with a password dialog every time you activated an interface item.

The whitelist idea would be less burdensome, but not burdenless, and still not worth the nearly infinitesimal risk[1].

In fact, the security measure that Peter suggested for personal use, whereby Missing Link's default URL protocol is changed, isn't nearly as dumb as was made out. Actually, it's not dumb at all. A cracker could never guess the custom prefix. Compare it to cracking a password: Given sufficient time and the appropriate software, a cracker can break any password by continual guessing. That's not possible here because there's never any feedback. Even if a cracker somehow lured a user into downloading his subversive web page a million times and clicking his shady links, the cracker would never know if he were successful. Of course, the example should suggest some other possible roadblocks this prospective cracker will run into, ones which, in my view, make even the minor additional precaution of a custom URL protocol unnecessary.

Mike

PS - Just to reiterate, since there still seems to be confusion by some: Missing link doesn't download AppleScripts, nor does it run AppleScript code embedded in web pages, nor does it communicate with any remote software, JavaScript or otherwise, at any time. Cutting your network cable with a pair of garden shears will not interfere with its normal use. Missing Link only communicates with HTML pages, and these pages are always already on your hard drive (or network server attached as part of your filesystem).

[1] Earlier in the thread, I have already outlined the only Missing Link-specific risk I know of, and won't repeat it again here.
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.
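Added example, written for this archive page and not code from Missing Link or from either poster: a launch gate for a URL-scheme handler that applies the two mitigations debated in the thread, a user-chosen custom scheme prefix and a manually maintained list of known applications. The URL shape `scheme://ApplicationName?arg=value`, the scheme value and the application names are assumptions.

```python
"""Allow-list gate for a URL-scheme application launcher (illustrative).

Assumed URL shape (not taken from the thread): <scheme>://<AppName>?arg=value.
The handler would launch <AppName> only when evaluate_launch() says so.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# The "known applications" list from the thread: maintained by hand by the
# user, never written to by the handler itself. Constructed sample entries.
KNOWN_APPLICATIONS = {"Set iChat Status", "Address Book"}

# User-chosen custom scheme (Peter's suggestion). Placeholder value; a page
# that only knows the default scheme cannot reach this handler at all.
CONFIGURED_SCHEME = "mylink-7f3a"


@dataclass
class Decision:
    allowed: bool
    reason: str
    app: Optional[str] = None
    args: dict = field(default_factory=dict)


def evaluate_launch(url: str, scheme: str = CONFIGURED_SCHEME,
                    known=KNOWN_APPLICATIONS) -> Decision:
    """Decide whether a clicked link may launch anything, and what."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return Decision(False, "unparseable URL")
    # Check 1: the scheme must be the user's custom one (urlsplit lowercases it).
    if parts.scheme != scheme.lower():
        return Decision(False, "scheme mismatch")
    # The application name is carried in the authority part; undo %xx escapes.
    app = unquote(parts.netloc)
    if not app or parts.path not in ("", "/"):
        return Decision(False, "malformed target")
    # A target must be a bare name, never a path into ~/Application Support etc.
    if any(c in app for c in "/\\:@") or app in (".", ".."):
        return Decision(False, "target is not a bare application name")
    # Check 2: only applications the user listed by hand may be launched.
    if app not in known:
        return Decision(False, f"{app!r} not in known-applications list")
    args = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return Decision(True, "allowed", app, args)
```

A link using the default scheme or naming an unlisted application is refused before any launch logic runs, and the refusal produces no output a web page could observe.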

