Huffington Post UK XSS Flaw (Disclosed & Fixed)


The UK version of the Huffington Post was vulnerable to an XSS flaw. This allowed any malicious user to inject images, video, text, and JavaScript into the page. Although the above image shows a very silly use of XSS, it could quite easily be used to craft a page to encourage journalists and readers to enter their passwords - and then send them off to criminals. What's unusual is that it appears to be powered by Google Custom Search - which should really be robust against this source of…


I Still Don't Want To Be Part of Your Fucking Ecosystem


One of the most popular blog posts I have written is called "I Don't Want To Be Part of Your Fucking Ecosystem". In it, I rant against service providers trying to lock their customers into a monoculture. Companies are always looking for the edge which will make them stand out - they think that restricting what their users can do is the answer. It is not. Openness and network effects are the biggest drivers of usage - an MP3 bought from Amazon works on an iPod bought from Apple, and an MP3…


Evading Profanity Filters Using Bi-Directional Text


There are some very sensitive souls on the Internet who object to seeing swear words. To that end, a huge industry has sprung up around "Profanity Filters" - services which claim to be able to detect naughty words and automatically redact them. The approach of dumbly looking for strings of text leads to a range of problems, including false positives (known colloquially as the Scunthorpe Problem). A common way to bypass these filters is to use homoglyphs - substituting a lower-case L for an…


RTL Bugs


Take a look at the following text; it looks normal enough, doesn't it? "Harry ‮".draziw a si ‭Potter Now, try to select the text and see what happens. WHAT WITCHCRAFT IS THIS?! If you examine the source code for this page, you'll see that I'm using the Unicode Bi-Directional control characters. "Harry ‮".draziw a si ‭Potter These characters are useful when writing text that includes, say, English and Arabic - but they can also be used for malicious purposes. On a more mundane level, the…


Homoglyphs for SEO


Search Engine Optimisation is the (dark) art of getting a site to the top of Google's ranking algorithm. If you're in the business of selling decorations for ponds, you want your shop to be right at the top of the results when people search for "bespoke synthetic frog spawn." The problem is, there are lots of people all playing the same game. So, what "unusual" tactics can be used to drive sites to the top? Yesterday, I looked at how homoglyphs like Il (capital i lower L) can be used to…


Homoglyph Attacks


Homoglyphs are characters that look strikingly similar to each other. Can you quickly tell the difference between these two - O0? That's the capital letter "o" and the number 0. How about Il1|? Depending on the font used - and your attention to detail - it may be hard to spot the difference between all of them. The sites homoglyphs.net and IronGeek are great resources for creating text which uses similar looking - but not identical - characters. Τһⅰѕ text may loоk lik…


Where is this Pinterest Spam Coming From?


I've started seeing an uptick in Twitter spam - ostensibly from my friends telling me I can make money online. The common denominator is that they all use Pinterest as a vector for spreading the spam. Looking at the accounts of people who have recently tweeted these or similar messages shows that the majority are real people - not automated spam-bots. So how is this happening? Checking the tweets' metadata, they all appear to come from the Pinterest service. This indicates two…


How Should We Punctuate on the Web?


Screenshot showing a 404 error on the Guardian's website.

Imagine, just for a moment, you were a computer. Take a look at the following sentence and try to work out where and how you should hyperlink the text. He said "You should visit http://example.com/!" Obvious, isn't it? Except, of course, it's not really that simple. There could well be a file named "!" on the webserver. In fact, there could be a file named "!"" on there. And yet, to my tastes, it looks so ugly to write something like: Visit my blog (http://example.com/blog ) The space…


Chumming Down


I'm turning into an old curmudgeon. Either that, or the new wave of social marketing has severely missed its intended target. Let me ask you a question, do you want to be friends with your utility company? Your phone provider? Your soft drinks manufacturer? I don't mean "follow-on-social-media" friends - I mean actual buddies. On the face of it, that's a ridiculous question. You can no more be friends with a conglomerate than you can trust a politician. When your local MP comes knocking…


Learning to Code vs Learning Computer Science


It's always very tricky when people who aren't educators start banging on about what should or shouldn't be taught in schools. My own school days are but a hazy memory of hormones, angst, and boring homework. Yet here I am, pontificating. With the current "fad" of encouraging children to learn to code, I thought it would be worth looking at the difference between coding and computer science.

History

I learned the infamous Logo Turtle at school and BBC BASIC at home. That is learning to…


Mydex XSS Flaw (Disclosed & Fixed)


Ever heard of Mydex? Here's how they describe themselves: Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data. Not just secure, but hyper-secure! They've been signed up by the UK Government to provide Identity Assurance. Pretty impressive, eh? Let's ignore the fact that their website doesn't use SSL and concentrate on …


Why My Mother Bought A BlackBerry Torch


My mother loves her BlackBerry, even though it is one of my cast-offs. Sadly, her ancient Torch finally gave up the ghost a few weeks ago. We spent some time trying to work out the best phone for her before, eventually, settling on... another BlackBerry Torch! Why? My mum has an Android tablet which she likes very much. Her Windows laptop suits her needs fine. She admires her friends' iPhones and iPads. Yet she still chose the classic BlackBerry - not BB10 - over all the other phones…
