Re: AppleScript & HTML Again...
- Subject: Re: AppleScript & HTML Again...
- From: Michael Terry <email@hidden>
- Date: Sun, 28 Mar 2004 10:34:12 -0800
On Mar 26, 2004, at 5:22 PM, John C. Welch wrote:
> <sigh>
>
> Okay, how to use Missing link as a trojan.
>
> Step one, write a nominally interesting application that claims to do something that someone might want. Say, oh, like my useless little "Set iChat Status" application. You only need to get a few people to want it.
>
> Wrap it in an Apple installer.
>
> Part of that Apple installer is missing link. I'd bury it in ~/Application Support, no one ever looks at what's in there.
>
> You then have the installer add the appropriate information in launch services.
>
> So now, you have modified a URL handler for that user's login.
>
> But wait, we're not done yet, because hey, we're going to be evil here, and being evil's what I'm good at.
>
> We're going to rely on the ignorant herd mentality of Mac users, and their arrogance, and ask them to authenticate. Only, it's not going to be a real authentication dialog. Oh, it will look and act like one, but all it's really doing is getting that all-important administrator password.
>
> Now, we own the machine.
>
> "Hey silly arrogant Mac user who thinks that what is about to happen to you ONLY happens to Windows users, could you please come to my web site and register? That's it, click on the "register me" link."
>
> Sucker!
>
> PWN3D!
>
> Because while you're filling in some l@m3r form about who you are and where you live, (cha, like I care), the JavaScript you just kicked off is talking to missing link. With your password. And missing link is talking to my trojan. And my trojan is talking to cron.
>
> And sendmail.
>
> And dscl.
>
> And we're adding a few things. And making a few small changes.
>
> Because in six months, all hell is breaking loose, and the Windows folks are going to laugh themselves into a coma at all the Mac users crying as their computers suddenly start doing all sorts of bad things.
>
> Is THAT clear enough?
Yes, perfectly. It's clear that nothing in particular about Missing Link invites trojans. Your example relies on the user being duped by what appears to be a legitimate, innocuous application and application installer. Missing Link is incidental to the evil of the story. There are plenty of easier, more direct methods of ruining a user's day if he trusts an application developer. I'm asking for an example using the current system, as is, that makes it riskier than other applications.
On Mar 26, 2004, at 5:22 PM, John C. Welch wrote:
> It's not worthless if you consider that one of the objectives of security is verification. This isn't like Address Book or Mail having a fit. I have to take a lot of manual action to script those. Missing link allows anyone who guesses right to start applications on your system without any user intervention beyond setup, and that's trivial to do. It can also be used to start applications that DON'T show up in the Dock, and it can all be initiated from a web page on some server in Pago Pago.
>
> And it wouldn't render missing link worthless. You'd still be able to launch stuff with it. There'd just be that extra step to confirm that you, the human at the keyboard, wanted this to happen. Or, you could require that any application launched by missing link be MANUALLY entered into a list of "known applications" that missing link would talk to. THAT would eliminate much of the badness, and really effectively cripple my trojan scheme, since you can't script an applet easily.
Missing Link is supposed to be a tool of convenience. Requiring a password for every link clicked would make it more inconvenient than it's worth. If you created a front end to a bunch of AppleScripts, the links and buttons of the web page being the interface, you'd have to deal with a password dialog every time you activated an interface item. The whitelist idea would be less burdensome, but not burdenless, and still not worth the nearly infinitesimal risk[1].

In fact, the security measure that Peter suggested for personal use, whereby Missing Link's default URL protocol is changed, isn't nearly as dumb as was made out. Actually, it's not dumb at all. A cracker could never guess the custom prefix. Compare it to cracking a password: given sufficient time and the appropriate software, a cracker can break any password by continual guessing. That's not possible here because there's never any feedback. Even if a cracker somehow lured a user into downloading his subversive web page a million times and clicking his shady links, the cracker would never know if he were successful. Of course, the example should suggest some other possible roadblocks this prospective cracker will run into, ones which, in my view, make even the minor additional precaution of a custom URL protocol unnecessary.
Mike
PS - Just to reiterate, since there still seems to be confusion by some: Missing Link doesn't download AppleScripts, nor does it run AppleScript code embedded in web pages, nor does it communicate with any remote software, JavaScript or otherwise, at any time. Cutting your network cable with a pair of garden shears will not interfere with its normal use. Missing Link only communicates with HTML pages, and these pages are always already on your hard drive (or network server attached as part of your filesystem).

[1] Earlier in the thread, I have already outlined the only Missing Link-specific risk I know of, and won't repeat it again here.
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.
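The two mitigations debated in this message, John's manually maintained list of "known applications" and the custom URL prefix that Mike says gives a prober no feedback, both come down to a policy check inside the URL handler before anything is launched. The following is an added example written for this thread, not Missing Link's own code: it assumes a hypothetical scheme name "mlink", a per-user scripts folder and a hand-maintained set of registered script names, all of which are constructed here for illustration.

```python
"""
Allowlist check for a custom URL-scheme handler that launches local scripts.

Example code for this thread, not Missing Link's implementation. The scheme
name "mlink", the scripts folder and the registered names are all assumed.
"""
import re
from urllib.parse import unquote

# Only plain identifiers are accepted as script names: no slashes, dots or
# percent-encoded tricks, so a link can never name a file outside the folder.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Constructed allowlist: the user adds names here by hand; a web page cannot.
REGISTERED = {"set-ichat-status", "open-project"}


def register_script(allowlist, name):
    """Manually register a script name. Returns True when the name is accepted."""
    if not SAFE_NAME.match(name):
        return False
    allowlist.add(name)
    return True


def resolve_link(url, scheme, allowlist, scripts_dir="/Users/example/Library/Scripts"):
    """Decide whether a clicked link may launch a registered script.

    Returns (path, reason). path is the script file to hand to the launcher,
    or None when the link is refused. The reason is for the local log only;
    nothing is ever returned to the page, so a page that probes for the
    scheme or for script names learns nothing either way.
    """
    head, sep, rest = url.partition(":")
    if not sep or head.lower() != scheme.lower():
        return None, "scheme-mismatch"
    # Accept both "mlink:name" and "mlink://name?query": drop slashes, query, fragment.
    name = unquote(rest.lstrip("/").split("?", 1)[0].split("#", 1)[0])
    if not SAFE_NAME.match(name):
        return None, "bad-name"
    if name not in allowlist:
        return None, "not-registered"
    return f"{scripts_dir}/{name}.scpt", "allowed"


def handle_clicks(urls, scheme, allowlist):
    """Process a batch of link clicks; returns the launched paths and a local log."""
    launched, log = [], []
    for url in urls:
        path, reason = resolve_link(url, scheme, allowlist)
        log.append(f"{reason:16} {url}")
        if path:
            launched.append(path)
    return launched, log


if __name__ == "__main__":
    # Constructed sample clicks: two legitimate, the rest hostile or mistyped.
    clicks = [
        "mlink:set-ichat-status",
        "mlink://open-project?tab=1",
        "mlink:../../../etc/passwd",
        "mlink:%2e%2e%2fsecret",
        "mlink:wipe-home",
        "applescript:set-ichat-status",
    ]
    launched, log = handle_clicks(clicks, "mlink", set(REGISTERED))
    print("\n".join(log))
    print("launched:", launched)
```

Running the block launches only the two registered names; the traversal attempts, the unregistered name and the link using the wrong scheme are refused and recorded in the local log. Because the handler writes its verdicts only to that log and never answers the page, the "no feedback" property Mike describes holds for the scheme check and the allowlist check alike.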