Wednesday, December 29, 2010

This is why we can't have nice and secure things...

I recently received an invite for "shtyle.fm". If you have never heard of it, you are in good company, as it can best be described as "Myspace's retarded cousin".

So when I got the request from a family member to look at her pictures on there, I reluctantly started the sign-up process, making sure to only use throw-away info... until this screen stopped me dead in my tracks.

Some facts about this screen that may not seem obvious at first glance:

  • It's a mandatory part of the sign-up process
  • It promises a free virtual teddy bear!
  • It requires you to fill in the credentials of a real email account.
  • It validates the credentials, and throws an error if you give it fake information
  • The information is submitted and transmitted in the clear, over http, without any encryption (although the page seems to include an unused JavaScript implementation of RSA for some reason)
  • The page has (at least) an XSS vulnerability: enter "+alert(1)+" in the email box (with quotes) and see what happens.
  • If the connection succeeds, the application will sift through your inbox for email addresses of your friends and send them personal invites in your name
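The probe quoted above works when the submitted address is pasted straight into a JavaScript string literal on the page. The following is an added illustration, not code from shtyle.fm: a hypothetical vulnerable template beside a hardened one that JSON-encodes the value, with a check that tells whether the value is still a single string literal after rendering.

```python
import json

# Constructed inputs: an ordinary address and the probe string quoted in the post.
NORMAL_EMAIL = "alice@example.com"
PROBE = '"+alert(1)+"'


def render_vulnerable(email: str) -> str:
    """Hypothetical template that pastes the submitted address straight into a
    JavaScript string literal inside an inline <script> (the pattern the probe hits)."""
    return '<script>var email = "' + email + '";</script>'


def render_hardened(email: str) -> str:
    """JSON-encode the value so quotes and backslashes stay inside the literal,
    and neutralise '</' so the value cannot close the <script> element either."""
    encoded = json.dumps(email).replace("</", "<\\/")
    return "<script>var email = " + encoded + ";</script>"


def script_body(rendered: str) -> str:
    """Return the JavaScript between the <script> tags."""
    start = rendered.index("<script>") + len("<script>")
    end = rendered.index("</script>")
    return rendered[start:end]


def unescaped_quotes(js: str) -> int:
    """Count double quotes not escaped by an odd run of backslashes.
    A correctly encoded single string literal contains exactly two."""
    count = 0
    backslashes = 0
    for ch in js:
        if ch == "\\":
            backslashes += 1
            continue
        if ch == '"' and backslashes % 2 == 0:
            count += 1
        backslashes = 0
    return count


def literal_intact(rendered: str) -> bool:
    """True when the embedded value is still one string literal, i.e. the
    input did not break out into executable code."""
    return unescaped_quotes(script_body(rendered)) == 2


def embedded_value(rendered: str) -> str:
    """Decode the JSON literal a hardened page emits, to confirm the value survived."""
    js = script_body(rendered)
    return json.loads(js[len("var email = "):-1])
```

Running `literal_intact` on both renderings of `PROBE` shows the vulnerable page ends up with four unescaped quotes (the `alert(1)` sits between two empty strings as code), while the hardened page keeps two and decodes back to the original input.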

Are we scared yet? No? Neither, it seems, are the thousands of happy users of that site.

The security professional in me gets the chills, but the social human in me appreciates the service provided here. It offers a different view of your friends and acquaintances:

If you are somebody who gives up your credentials to anybody who asks, then that indicates how reliable you are. Don't count on borrowing my car keys.
If you consciously sell out all your friends for the promise of a virtual teddy bear... I think that says something about your moral value system.
