
Cross Site Request Forgery in Tumblr "Ask a Question" feature

This might be the first nerd-blog post in a long time, so my apologies if I startle anyone. As a quick update, I wrote a book on security in Drupal and then founded a company focused on Drupal security services and then sold that company to Acquia where I currently work.

So....Tumblr is a big deal. They apparently have 120 million users and are totally awesome.

I was trying Tumblr out for a site and noticed that many of their interactions relied 100% on JavaScript for a "delete/cancel" confirmation. I fired up my handy-dandy browser tools and inspected the HTTP headers associated with deleting a message. Turns out that it's vulnerable to a cross-site request forgery. In general Tumblr uses the synchronizer token CSRF prevention pattern (as documented by OWASP). I'm not necessarily saying they copied OWASP or were inspired by it, just that it follows the pattern of using a second form token that is sent on all requests for a session. They do not use a different token per form/action: once you get the anti-CSRF nonce it's the same for multiple different operations. Their token is called the form_key.
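
Added example (not from the original post and not Tumblr's code) of the synchronizer token pattern described above, implemented with a per-action token rather than the single per-session form_key the post describes, so a token from one form is not valid for another; the CsrfGuard class, its in-memory session store and the action names are assumptions.

```python
import hashlib
import hmac
import secrets


class CsrfGuard:
    """Synchronizer-token check: one random secret per login session, with
    per-action tokens derived from it by HMAC (assumed design, not Tumblr's)."""

    def __init__(self):
        self.sessions = {}  # session id -> secret bytes (constructed in-memory store)

    def start_session(self):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_bytes(32)
        return sid

    def token_for(self, sid, action):
        # The value the server embeds in the form / JS for this specific action.
        return hmac.new(self.sessions[sid], action.encode(), hashlib.sha256).hexdigest()

    def validate(self, sid, action, token):
        secret = self.sessions.get(sid)
        if secret is None or not token:
            return False  # unknown session or missing token: reject, never fail open
        expected = hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token)  # constant-time comparison


def handle_request(guard, sid, action, form):
    """Server-side handler for a state-changing POST; sid comes from the session
    cookie (sent automatically by the browser), form is the POSTed body."""
    if not guard.validate(sid, action, form.get("form_key", "")):
        return 403, "missing or invalid form_key"
    return 200, f"{action} performed"


def demo():
    guard = CsrfGuard()
    sid = guard.start_session()
    ask_token = guard.token_for(sid, "ask")
    return {
        # legitimate submission of the "ask" form with its own token
        "ask_ok": handle_request(guard, sid, "ask", {"form_key": ask_token})[0],
        # cross-site POST: the cookie rides along but the body carries no form_key
        "no_token": handle_request(guard, sid, "delete", {})[0],
        # a token that leaked from the "ask" form is useless against "delete"
        "wrong_action": handle_request(guard, sid, "delete", {"form_key": ask_token})[0],
        "delete_ok": handle_request(guard, sid, "delete", {"form_key": guard.token_for(sid, "delete")})[0],
    }
```

With a single per-session token, as the post describes for form_key, the "wrong_action" case would be accepted, which is the difference between the two designs.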

Want to see the problem in action? I even made this handy dandy movie of the problem:

Initial Thoughts on the Kindle Fire

So, a few weeks back my Kindle Fire arrived and I started jotting notes as I opened it and used it. Here's the collection:

  • The un-boxing was surprisingly pleasant: minimal plastic, lots of recycled elements, no user-manual (it's on the device!). The package was about 2.5 inches tall and about 2 inches of that was empty, with a small cardboard elevating the Kindle above the empty space that contained a small USB cord. Why ruin the experience with all that empty space?
  • The USB cord...it's a "wallwart" with a micro-USB on the end. I'm super excited that the device uses the current standard micro-USB B as its source of power and connectivity, but what a waste to send me a cable connected to a wall-wart. I'd be way happier with something like this wall-USB and standard USB cable.
  • I now have learned that this wallwart USB outputs more than normal power, so it can't be a normal device. That kinda...sucks. If it uses different power I would almost rather have a different plug just to make that clear (though apparently the size lets me power it up slowly via computer if I'm in a bind). I wish it would take normal micro-USB power from a normal cable even if that means slower charging.
  • The power button is on the bottom right next to the USB port and headphone port, which makes it easy to accidentally press it when you connect/disconnect your headphones/USB plug. To solve this, I've started using it upside down, which means I type my password upside down when I unlock it. Of course the screen flips once it's unlocked, but now the sound comes out the "bottom" and gets my stomach messy with its messy, messy sound.
  • The screen is pretty awesome. Very bright and crisp.

Android Apps I actually Use

I recently had to reset my entire phone deleting all contents (different story). In the process I wrote down the old apps I had that I liked so I could reinstall them after wiping it. I was surprised how easy it was to do that and how all my contacts/mail/calendar being associated with my Google account made the whole process simple.

So, in case you're interested, here's the list of apps I actually reinstalled:

Selling something for free on craigslist - for economists

I recently gave away an ugly backyard shed for free on CraigsList, provided the person came to pick it up. Within minutes of posting the item I got 7 emails. I deleted the post immediately. I responded to the person who seemed best able to take it (she had a tiltable trailer with a winch on it) and set it up for Saturday. She failed to show Saturday, so we scheduled Monday. She failed to show Monday, but came Tuesday. I wasn't too worried about which day she came but did want it gone.

The 9.5 foot wide shed was at the end of a 20 foot long concrete pad that was 10 feet wide with a tree on one side and my garage on the other side. At the end of the pad was my alley. So she had to thread the shed down the pad between the tree and the garage without hitting anything, turn the corner at the end of the pad so it could be loaded onto her 20 foot long trailer. The winch on her trailer was broken. It took my battery charger, several screws and boards I had handy, and a few hours of my time to get the thing loaded on her trailer. Her truck hit my neighbor's fence and left tracks in the alley. I am not happy about that.

Structuring better "free" sales for Craigs List

If you are giving something away for "free" as long as they pick it up, I suggest you keep the listed price at zero and keep the title as "Free" but then in the details and in your communication with the person strike a slightly different deal: they pre-pay you $100 for the privilege of taking it for free which you decide whether to keep or give back. If their removal of the item meets your standards then you promise to give back the $100. If they ruin something or break something or - worst - abandon the pickup you keep the $100 to help pay for whatever the problem is.

My theory is that this will reduce the demand to only serious people who will show up on time, with the right tools/equipment to get the item.
