
Show me a JSON-based Widget...

... and I show you an unguarded eval().

Today's examples:

  • The Facebook Widget accesses about a dozen Facebook APIs through JSON. It's based on the Facebook JS Library. And guess what the parseJSON routine in that library really is? A call to eval(). This widget runs with the AllowFullAccess configuration option set.
  • The Flickr Interestingness widget is another culprit. This one only runs with the AllowInternetPlugins flag; if subverted, it might give an attacker access to, say, the latest QuickTime hole. Don't assume that securing your browser is enough.
  • The Hockey Widget doesn't do JSON; instead, it loads some web page and parses an embedded script by, you guessed it, feeding it to eval(), after some minor search-and-replace. AllowNetworkAccess is set.

The bad teaching award of the day goes to the AOL Xdrive developer documentation: the Open XDrive Usage Meter of course accesses XDrive through JSON, and of course it uses eval() to parse. It has a sibling Windows Vista Sidebar gadget with the same problem. By the way, the security model for these gadgets gives access to ActiveX controls that are not marked "safe for scripting".
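To make the point concrete, here is an added example (not code from this post or from any of the widgets named above). It runs the "parse JSON with eval()" pattern over a constructed legitimate reply and over a constructed tampered one, and then shows two guards that refuse the tampered reply: a whitelist check before eval() in the style of the one in Crockford's json2.js (written for this example, not copied from it), and a real JSON parser. The API shape, the response strings and the attackerLog recorder are all made up for the example; in a widget running with AllowFullAccess the injected expression could call widget.system() instead of appending to an array.

```javascript
// Added example for this post (not code from the post or from any of the
// widgets it names). It shows what "parse JSON with eval()" lets a remote
// server do, and two ways to refuse it. All responses below are constructed.

// Records that server-supplied code executed inside the widget. In a real
// widget with AllowFullAccess the injected expression could call
// widget.system() instead.
const attackerLog = [];

// A legitimate reply, as an API might send it (constructed).
const BENIGN_RESPONSE = '{"user":"alice","photos":[1,2,3]}';

// A tampered reply (constructed): still looks like an object literal, but
// one value is a JavaScript expression. It is not JSON, yet eval() runs it.
const MALICIOUS_RESPONSE =
  '{"user":"alice","photos":[1,2,3],"ok":(attackerLog.push("injected"))}';

// The vulnerable pattern the widgets in this post use. The parentheses
// make a bare object literal evaluate as an expression instead of a block.
function parseJsonWithEval(text) {
  return eval('(' + text + ')');
}

// Guard 1: a whitelist check before eval(), in the style of the regex
// guard in Crockford's json2.js (written for this example, not copied).
// Escape sequences, strings, numbers and literals are reduced to a
// placeholder, array/object openers are dropped, and only JSON punctuation
// and whitespace may remain. Any leftover character means "not JSON".
function isJsonShaped(text) {
  const stripped = text
    .replace(/\\(?:["\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+-]?\d+)?/g, ']')
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');
  return /^[\],:{}\s]*$/.test(stripped);
}

function parseJsonGuarded(text) {
  return isJsonShaped(text) ? eval('(' + text + ')') : null;
}

// Guard 2: a real JSON parser. JSON.parse never executes anything; a
// tampered reply is a syntax error, which we turn into "no data".
function parseJsonStrict(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    return null;
  }
}

// Runs all three parsers over both responses and returns what happened.
function demo() {
  attackerLog.length = 0;
  return {
    evalBenign: parseJsonWithEval(BENIGN_RESPONSE),
    evalMalicious: parseJsonWithEval(MALICIOUS_RESPONSE),
    attackerCodeRan: attackerLog.length > 0,
    guardedBenign: parseJsonGuarded(BENIGN_RESPONSE),
    guardedMalicious: parseJsonGuarded(MALICIOUS_RESPONSE),
    strictBenign: parseJsonStrict(BENIGN_RESPONSE),
    strictMalicious: parseJsonStrict(MALICIOUS_RESPONSE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Both guards return the same object for the legitimate reply and null for the tampered one, while the unguarded eval() returns an object for both and, in passing, executes the attacker's expression. JSON.parse is the right choice wherever it exists; the regex guard is what a 2007 widget runtime without a native parser had to fall back on, and it still must not be skipped.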

Questions?


Comments (2)

olivier:
Is this the cue for "deliver us from eval"? (sorry)
In the opening plenary of XML 2007, Doug Crockford spoke eloquently of the security problems of the Web. I asked him, if he cared about security, what could have possessed him to promote a notation like JSON that was most easily parseable using eval(), and thus tempted developers to open their code to JavaScript injection attacks. His answer was that "well, whenever you load an HTML page, your browser executes whatever code it contains. So it's no worse than things were before." If JSON is being used in widgets, though, it would seem to be making things a lot worse than they would otherwise be. Thanks for the examples.


Posted on December 4, 2007, 4:54 PM.
