Jul 7, 2013

"Book license"

Looking through some old, historical software packages, I found a very interesting license, called "Book license". No full text anywhere, unfortunately, so just an excerpt:

"You must treat this software just like a book ... [it] may be used by any number of people ... may be freely moved from one computer location to another, so long as there is no possibility of it being used at one location while it's being used at another."

Nice, isn't it?

Jul 6, 2013

Break in using the "signup key"

Today I read several reports about a break-in technique that attackers used to compromise user accounts at several large online companies. Two of them, for example, are Facebook and Dropbox. I also read about others, because I was interested in whether there are more cases like this.

The general idea is that the service gives you, a legitimate user, a way to regain access to your account by sending you a link that carries a profile id and a key that looks like 27934e96d90d06818674b98bec7230fa (this particular key is not random; if you search for it, you will find some other interesting information to educate yourself). The server-side code then takes the key and looks it up in the database. If the key exists, it signs you up, resets the password, resends credentials, or does whatever else gives you access to the profile identified by the profile id in the link.

Can you spot the problem in this logic?

The code checks that the key exists, but it never checks that the key belongs to the profile named in the link. So if you hold a valid key, you can reset anyone's password and take over their account simply by substituting a different profile id. This seems like an obvious error, yet the programmers of many large companies fail to see it and get the reset functionality wrong. The fix is to treat the key as the only identifier: look the key up, take the account from the record the key maps to, and ignore (or at most cross-check) any profile id the client supplies. While you are at it, make the key unguessable, short-lived and single-use, so that a leaked or guessed key is worth as little as possible.
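To make the flaw concrete, here is a small password-reset handler written the way the vulnerable services did it, next to a hardened version. This is an added example, not code from the original post or from any of the companies mentioned; the in-memory "database", the account names and the token values are constructed for illustration, and the function names are my own.

```python
"""Added example: a 'key exists?' reset handler (vulnerable) beside a fixed one.
All data below is constructed for illustration; nothing here is from a real service."""
import hashlib
import secrets
import time
from typing import Optional

# Constructed sample data: two accounts, and one live reset token issued to alice.
ACCOUNTS = {
    "1001": {"user": "alice", "password": "alice-old"},
    "1002": {"user": "bob", "password": "bob-old"},
}


def _token_hash(token: str) -> str:
    # Store only a hash of the token, so a database leak does not hand out live tokens.
    # Hashing first also means a plain dict lookup leaks nothing about the token's bytes.
    return hashlib.sha256(token.encode()).hexdigest()


ALICE_TOKEN = secrets.token_hex(16)  # 32 hex chars: what alice receives in her e-mail link
RESET_TOKENS = {
    _token_hash(ALICE_TOKEN): {
        "profile_id": "1001",            # the token is bound to alice's account...
        "expires": time.time() + 3600,   # ...for one hour...
        "used": False,                   # ...and only once
    },
}


def reset_vulnerable(profile_id: str, key: str, new_password: str) -> bool:
    """The flawed logic: 'does this key exist at all?', then act on the profile id
    taken from the link. Any valid key therefore resets any account."""
    if _token_hash(key) not in RESET_TOKENS:
        return False
    ACCOUNTS[profile_id]["password"] = new_password   # profile_id is attacker-controlled
    return True


def reset_hardened(key: str, new_password: str,
                   now: Optional[float] = None) -> Optional[str]:
    """Fixed logic: the account is derived from the token record, never from a
    caller-supplied profile id; the token must be unexpired and single-use.
    Returns the profile id that was reset, or None if the key is rejected."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.get(_token_hash(key))
    if record is None or record["used"] or record["expires"] < now:
        return None
    record["used"] = True                             # burn the token before touching the account
    profile_id = record["profile_id"]
    ACCOUNTS[profile_id]["password"] = new_password
    return profile_id


if __name__ == "__main__":
    # alice, holding only her own key, takes over bob's account via the vulnerable handler
    print("vulnerable:", reset_vulnerable("1002", ALICE_TOKEN, "pwned"), ACCOUNTS["1002"])
    # the hardened handler has no profile id to tamper with; the key alone picks the account
    print("hardened:  ", reset_hardened(ALICE_TOKEN, "alice-new"), ACCOUNTS["1001"])
    print("reuse:     ", reset_hardened(ALICE_TOKEN, "again"))
```

Note that the hardened handler does not even accept a profile id. If your reset page must show which account is being reset, take the id from the token record and display it; if the link carries an id for cosmetic reasons, compare it against the record and refuse on mismatch rather than trusting it.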

Now you know what to avoid in your implementation. Are you running to patch your code already? You should!