Tag Archives: Breaking News

WP-OAuth Is Not Vulnerable to SpoofedMe Social Login Exploit

The SpoofedMe social login exploit is a known weakness of the OAuth2 “spec”. The OAuth2 spec doesn’t define strict implementation standards, so developers have free rein to come up with some pretty wild implementations, or hack together a few libraries until it works. And that’s where the problem lies. There is no standard. Furthermore, social login is something that is normally built on top of OAuth2, and there’s no standard for that either. Some folks are trying to standardize social login with OpenID Connect (I like to think of this as “OAuth2-Strict”), but until then we will be facing issues like SpoofedMe because developers are not gods.

The SpoofedMe exploit is actually similar to this one, from a Google security advisory earlier this year:

“An attacker could forge an OpenID request that doesn’t ask for the user’s email address, and then insert an unsigned email address into the IDPs response. If the attacker relays this response to a website that doesn’t notice that this attribute is unsigned, the website may be tricked into logging the attacker in to any local account.” –Link

Thankfully, I read the spec and decided not to implement this gaping security hole in WP-OAuth to begin with. Properly identifying users to perform the account match was one of the biggest design challenges that I encountered because not only were there numerous docs and specs to work through, there were a lot of existing implementations that did it wrong. I had to start from scratch.
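To make the account-matching point concrete, here is an added example (not WP-OAuth's code) of the flaw the Google advisory describes beside the check that prevents it. An HMAC over the listed signed fields stands in for the IdP's real signature, and the secret, accounts and responses are all constructed for the demo.

```python
import hashlib
import hmac

# Constructed shared secret standing in for the IdP's signing key.
IDP_SECRET = b"constructed-idp-secret"

# Constructed local account table: email -> username.
LOCAL_ACCOUNTS = {"victim@example.com": "victim", "mallory@example.net": "mallory"}


def sign_response(fields: dict, signed: list) -> dict:
    """Build an IdP-style response. Only the fields named in 'signed' are
    covered by the signature; anything else is an unsigned attribute."""
    msg = "&".join(f"{k}={fields[k]}" for k in signed).encode()
    sig = hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()
    return {**fields, "signed": ",".join(signed), "sig": sig}


def signature_valid(resp: dict) -> bool:
    """Recompute the signature over exactly the fields the response claims are signed."""
    signed = resp["signed"].split(",")
    msg = "&".join(f"{k}={resp[k]}" for k in signed).encode()
    expected = hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, resp["sig"])


def match_account_naive(resp: dict):
    """Flawed pattern: the signature checks out, so every attribute is trusted,
    including an email the IdP never signed."""
    if not signature_valid(resp):
        return None
    return LOCAL_ACCOUNTS.get(resp.get("email"))


def match_account_strict(resp: dict):
    """Hardened pattern: an attribute may drive the account match only if the
    signature actually covers it."""
    if not signature_valid(resp):
        return None
    if "email" not in resp["signed"].split(","):
        return None
    return LOCAL_ACCOUNTS.get(resp["email"])


# Constructed responses: a genuine one for mallory, and one where the IdP signed
# only the subject and an unsigned email attribute was inserted afterwards.
genuine = sign_response({"sub": "idp-user-42", "email": "mallory@example.net"}, ["sub", "email"])
forged = sign_response({"sub": "idp-user-42"}, ["sub"])
forged["email"] = "victim@example.com"
```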

A Major Google Analytics Problem is Brewing with Referer Spam (Semalt, buttons for website, 7makemoneyonline, darodar), and They’re Doing Nothing About It (TM)

I’ve noticed the same problem that others have been experiencing with Google Analytics lately – an influx of botnet referer spam from domains semalt.com, buttons-for-website.com, darodar.com and 7makemoneyonline.com (the list continues to grow), making their way to the top of your “Top Referrals” list. This traffic is throwing off analytics and may have long-term SERP implications. From the sound of it, most users are either having a difficult time filtering (excluding) the domains and traffic through Google Analytics, and/or resorting to blocking the domains via their .htaccess file.

This is a public service announcement.

DO NOT USE THE SEMALT OPT-OUT FORM!!!

Instead, offer them a clue about what orifice they can stuff that form in.

While I’m not the best SEO guy around, I’d have to say this looks like a traffic stealing campaign where somehow, they are using an opt-out form to phish/harvest backlinks and/or SERP rankings from your domain, or upsell you on better analytics software.

Furthermore, it seems that users are being scammed by what I would call social engineering agents who work for Semalt and lurk on public forums to point users towards an opt-out form run by them, effectively phishing users through Google Analytics. You might say that Google Analytics has been compromised. And what better way for Semalt to sell their own analytics software than to game their largest competitor’s software and lure users away from it? Semalt is literally using Google Analytics for free clicks and advertising, completely bypassing Google’s own pay-per-click advertising model. Instead of the phishing scam hitting your email inbox, it’s hitting your analytics report.

Some of the referer URLs contain my own Google Analytics ID. For example – forum.topicXXXXXXX.darodar.com – where XXX is your Google Analytics ID. I’d say they are using a script to iterate through all Google Analytics IDs starting with 0000000, effectively generating traffic and analytics records for every site on the web that uses Google Analytics. But that’s not all: once you visit that referer URL with your Google Analytics ID in it, you’ve just told the spammers that your Google Analytics account is alive and well. It’s probably the same thing Semalt is doing with their opt-out form.

In doing so, these spammers would have the ability to sway traffic one way or another throughout the entire Google Analytics ecosystem without wasting botnet resources on inactive or retired Google Analytics accounts.

Shouldn’t Google be upset about that? This is not just a new type of spam or black hat SEO, it is a new type of marketing warfare or analytics malware.
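As an added example (not from the original post), the following flags this referer spam in server logs, so the domains can be excluded without anyone visiting the ID-carrying URL. The spam domains come from the post; the assumption that the embedded ID sits in a hostname label of the form topic followed by digits, and the log lines themselves, are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Referer spam domains named in the post; subdomains of these match too.
SPAM_DOMAINS = {"semalt.com", "buttons-for-website.com", "darodar.com", "7makemoneyonline.com"}

# Combined log format: the referer is the first quoted field after status and size.
LOG_RE = re.compile(r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
                    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Assumed shape of the ID-carrying label seen in forum.topicXXXXXXX.darodar.com.
GA_ID_LABEL_RE = re.compile(r"^topic(\d{6,})$")


def classify_referer(referer: str):
    """Return (reason, embedded_id) when the referer is known spam, else None."""
    host = (urlsplit(referer).hostname or "").lower()
    if not host:
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SPAM_DOMAINS:
            # Look at the subdomain labels for an embedded analytics ID.
            for label in labels[:i]:
                m = GA_ID_LABEL_RE.match(label)
                if m:
                    return ("spam domain with embedded analytics id", m.group(1))
            return ("known referer spam domain", None)
    return None


def scan_log(lines):
    """Yield (referer, reason, embedded_id) for every spam hit in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (verdict := classify_referer(m.group("referer"))):
            hits.append((m.group("referer"), *verdict))
    return hits


# Constructed sample log: one plain spam hit, one ID-carrying hit, one real referer.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2015:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "http://semalt.com/crawler.php" "Mozilla/5.0"
203.0.113.6 - - [10/Jan/2015:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://forum.topic1234567.darodar.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2015:12:00:02 +0000] "GET /page HTTP/1.1" 200 512 "https://www.example.org/" "Mozilla/5.0"
"""
```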

Google Chrome’s New Bookmark Manager Offers Nothing New For Power Users

It’s November, 2014. Bookmarks look a bit different than yesterday.

“Oh boy”, you might say, “the new Bookmark Manager for Chrome has finally arrived!”

Let’s see what has improved since the “old” version. Clicking the Star (Add to Bookmarks) gives us a new popup:

[Screenshot: chrome-bookmarks-1]

OK… let’s navigate into Add to folder. Here’s where things start to get prickly…


Don’t Fear the July 9th Internet Doomsday, Take Action Now!

On July 9th, 2012 the FBI will shut down a group of servers operated by a cybercrime ring that it recently dismantled. These criminals have jointly infected over 500,000 computer systems in the United States alone with variants of the “TDSS Alureon” malware. This malware redirects your computer’s internet traffic to servers run by those criminals, where they tailor your web browsing experience by injecting their own (risky and sometimes dangerous) search results, advertisements, products and services, hoping you’ll give them your money in one way or another.


WordPress Trouble: No plugins match your request

UPDATE: From the WordPress team: “This is a problem with api.wordpress.org. We’re working on it and should have it resolved momentarily.”

UPDATE 2: Issue has been fixed! I can now search plugins from the backend.

Whoops! It looks like something broke with the core WordPress plugin search feature that is powered by WordPress.org.

One minute I was searching and installing plugins like normal and the next minute I was greeted with a confusing message:

“No plugins match your request.”

I was sure the plugin still existed, so I went to WordPress.org to verify, and sure enough it was there.

A few other users are actively reporting this problem at the WordPress.org forums. Check there to see what I and others are currently saying about it.

This is breaking news so I’m doing a quick post to help anyone else who might be searching Google for a solution. I’ll post an update once I know of one myself but I think it’s safe to say their search is broken for now!

Blackberry Outage Is Affecting Blackberry Enterprise Server (BES) Users

Over the past three days, millions of Blackberry users have been unable to send or receive email and surf the web. Now it’s a global problem, with every major news channel and radio station reporting on the severity.

RIM has posted an official response which is being updated regularly, attributing the problem to an oversight in their email backup system.

Businesses that host their own Blackberry services using Blackberry Enterprise Server (BES) usually get by unscathed, since global outages like this rarely affect the synchronization infrastructure between a Blackberry employee and the company’s BES server.

However, today I can confirm that our BES system is being affected by this outage.

ComputerWorldUK also reports that BES users are being hit by the outage.

UPDATE: Service has been restored!!! Some time in the afternoon yesterday (~3:00 PM PST), all of the emails which had been held up on our BES system finally synced up with our handhelds.