Definition:
Pseudo:
Not actually but having the appearance of; pretended; false or spurious; sham.
Security:
Freedom from danger, risk, etc.; safety.
With those definitions, pseudo-security is a way of securing something that looks secure but is in reality insecure. A real-life equivalent is a non-working camera in your shop. These methods work most of the time, but they bite hard the day someone sees through them.
Preface:
I love the comic Calvin and Hobbes, and I was on their site reading comics. To my dismay, you must pay to read ones older than thirty days. I have no problem paying for good services, but I noticed some flaws in their method of keeping the client from reading older comics. Here is a video on how to completely bypass it.
Here is how I did it; you can replicate this exactly using Firefox and Firebug while viewing a comic over thirty days old.
http://www.justanotherportfolio.com/Comic.swf
The problems:
The comic is in view; they did not conceal it on the server's end. This means that the image has been sent to the browser and they are merely hiding it using client-side visuals. In the olden days it would have been hard to bypass this, but not in this day and age, with lots of really cool Firefox gadgets. All it took was Firebug to delete three divs and, boom, I can access the page.
Moral of the story:
If you want to hide data from a user, their browser is a terrible place to do it. While HTML seems straightforward, it is not. If it has been given to your browser, it can be edited; it is that simple. Be it HTML, CSS, JavaScript or even images, if the browser handles it, the user can change it. This does not mean you can inject server-side scripts this way: the server does not take orders from your edited copy of the page. What you control is your own copy of the page and the requests your browser sends, and the server still decides what to do with each request. The problem is that many web developers are not aware that this can be done so easily. When developing applications, you have to assume the role of a cracker who wants to mess with your site. You will find many things about security that are not necessarily in books or tutorials.
The other moral of the story:
Even large companies make mistakes; no matter how large you are, you are at the mercy of your web developers. The former web developer of the company I work at is on a high seat with RETS (Real Estate Transaction Standard). He is an awful developer who really does not know what he is doing. However, he is a master talker and hires people who know less than him. They at this time have no real idea about this; they think he is an expert. All it takes to become a big-shot web developer is smooth talking and the reviews of a manager who may not know that the application you built was crap. Never assume that just because the company has money, it has a good site.
What could they do right?
The one and only way to truly conceal data from the client is not to give it to them at all. The script should have a server-side check that does not send the comic if the visitor is not a paying member, and that check has to cover the image URL itself, not just the page around it, because a client who can guess the URL will fetch it directly. Client-side blocks should not be used, as they can be removed. However, what should be removed is the person who thought up this pseudo-security method. It took me about thirty seconds to think up how to bypass it and two minutes to find a few different ways of doing it. If you rely on people who stand on security methods like that, you need someone else. Not because of this alone: failing like that shows a lack of real experience in how a cracker will approach your site, so I cannot imagine it is the only flaw in the site and code.
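To make both morals concrete, here is an added example (mine, not the comic site's code) in Node.js that puts the pseudo-security pattern from the "Moral of the story" section beside the server-side check this section calls for. Everything in it is assumed for illustration: the user records, the comic ids, the thirty-day free window, the `/strips/` path and the function names. `removeOverlays` simulates what deleting the hiding divs in Firebug does to the served markup.

```javascript
// Added example, not the comic site's own code. All names, paths and data are
// assumptions chosen for illustration.

// Constructed sample data standing in for a subscriber database and an image store.
const USERS = {
  alice: { paying: true },
  bob: { paying: false },
};
const COMICS = {
  // id -> days since publication, and the bytes the image route would serve
  "1995-12-31": { ageDays: 5000, bytes: Buffer.from("GIF89a-fake-archive-strip") },
  "today":      { ageDays: 0,    bytes: Buffer.from("GIF89a-fake-current-strip") },
};
const FREE_WINDOW_DAYS = 30; // assumed: strips newer than this are free to everyone

// The one decision that matters, made on the server.
function isEntitled(username, comicId) {
  const user = USERS[username];
  const comic = COMICS[comicId];
  if (!comic) return false;
  if (comic.ageDays <= FREE_WINDOW_DAYS) return true; // recent strips are free
  return Boolean(user && user.paying);                 // archive needs a subscription
}

// --- Pseudo-security: the image tag is always sent; a div is layered over it. ---
function pseudoSecurePage(username, comicId) {
  const img = `<img id="strip" src="/strips/${comicId}.gif">`;
  if (isEntitled(username, comicId)) return `<div id="comic">${img}</div>`;
  // The "paywall" is purely visual: the image reference is still in the markup.
  return `<div id="comic">${img}<div class="paywall-overlay">Subscribe to read the archive</div></div>`;
}

// What deleting the overlay in Firebug amounts to: editing the markup the server already sent.
function removeOverlays(html) {
  return html.replace(/<div class="paywall-overlay">[\s\S]*?<\/div>/g, "");
}

// --- Server-side check: an unentitled client never receives the image reference ... ---
function serverSidePage(username, comicId) {
  if (!isEntitled(username, comicId)) {
    return `<div id="comic"><p>This strip is in the paid archive. Subscribe to read it.</p></div>`;
  }
  return `<div id="comic"><img id="strip" src="/strips/${comicId}.gif"></div>`;
}

// ... and the image route enforces the same rule, so guessing the URL does not help.
function serveStrip(username, comicId) {
  const comic = COMICS[comicId];
  if (!comic) return { status: 404, body: null };
  if (!isEntitled(username, comicId)) return { status: 403, body: null };
  return { status: 200, body: comic.bytes };
}

// Walk through the bypass and the fix for a non-paying visitor.
function demo() {
  const hidden = pseudoSecurePage("bob", "1995-12-31");
  const bypassed = removeOverlays(hidden);
  return {
    pseudoStillContainsImage: bypassed.includes("/strips/1995-12-31.gif"),
    serverSideContainsImage: serverSidePage("bob", "1995-12-31").includes("<img"),
    directImageFetchStatus: serveStrip("bob", "1995-12-31").status,
  };
}

console.log(demo());
```

The part most sites get wrong is the last function: the HTML page gets a login check while the images sit in a static directory or on a CDN with predictable names, so anyone who knows the URL pattern skips the page entirely. Whatever holds the entitlement state (here a constructed `USERS` table; in practice the session) has to be consulted on every request for the protected resource, not just on the request for the page that embeds it.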
Just a security lesson for your web development endeavors. Best of luck, and don't be caught with your pants down; be secure.