Latest News

Phantom Plurker Solved

12 months ago

Last night while I was working on Plurker, I got a chance to see some really interesting stuff happening.

The full details are here: Plurk Post Phantom - mypleeps.com

Essentially, users were clicking what they assumed to be harmless links posted by their friends, and suddenly had strange posts appear in their timelines under their names that they never actually posted.


I had two theories:

  1. The attacker had figured out how to spoof posts using some yet undiscovered API call (which was infuriating to me, because I’m pretty sure I’ve mapped most of them).

  2. The attacker had crafted a malicious link for users to click that stole the user’s cookies (simply, the mechanism that tells Plurk you are who you say you are without actually logging in). The attacker could then use that cookie and become you.

Theory #1 was ultimately very very grim. No one would be safe if this were the case.

Theory #2 was a little better, and quite a childish attack. You could defeat it simply by logging out and back in. But both of these still cast a dark shadow over the Plurkosphere for me.

I was delightedly wrong.

Your Plurk logins, passwords, and timelines are safe. This is an incredibly simple ‘hack’ (if you could call it that), and it DOES use Plurk’s API.

Without getting too deeply into the nitty gritty, when you post a Plurk to your Timeline, it makes a ‘behind-the-scenes’ web request to this url: http://www.plurk.com/Timeline/addPlurk .

That URL requires at least two things before it’ll actually post a plurk for you.

  • a Qualifier (is, has, thinks, etc)
  • Content, or the actual message

Normally, you never see this, because it happens in the background. But it’s easily possible to make that call yourself by typing those parameters into your browser’s address bar, like so (click this only if you’d like to show your love for Plurker!):

http://www.plurk.com/TimeLine/addPlurk?qualifier=says&content=I%20Love%20http:%2F%2Fblog.plurker.org

As you can see from the link above, two portions are of interest: qualifier and content. We pass the values in and like magic, a post appears. The reason it works for someone else’s link is that your browser attaches your Plurk session cookie to every request it sends to plurk.com, whether you typed the address yourself or clicked a link on another site. So whoever gets you to open that URL gets a plurk posted under your name; this pattern is known as cross-site request forgery (CSRF).

You can defeat this pretty simply. When hovering over the link, look in your browser’s status bar at where the link is pointing. Be careful about where you click. And if there are any links pointing to plurk.com, only go to the ones with /p/ or /user/ in them (those are individual plurk pages and profile pages).

So how can the A-Team fix this? Ensuring that any plurks being added to the timeline come from a POST request is the first step, and it stops the plain link trick. It is not enough on its own, though: a page on another site can auto-submit a hidden POST form to addPlurk, and your browser will attach your Plurk cookie to that too. The complete fix is to also embed a secret per-session token in Plurk’s own posting form and reject any addPlurk request that doesn’t carry it, since a page on another site cannot read that token out of plurk.com.

It’s been great playing detective with everyone!

I’m Keith Hanson, the developer for Plurker.


about Plurker

Beta Progress: 0%

Plurker is an up and coming Windows WPF Desktop application that interfaces with Plurk.com to bring Plurking to desktops everywhere.

Plurker aims to bring much more organization to your Plurk timeline by allowing you to create windows that filter plurks using simple e-mail like rules. This combined with many more features makes Plurker stand out above the rest.

Features

  • We are not evil. :)
  • Super-fast searching
  • Organized Plurking
  • Manageable Responses
Click here for a full feature list

the team

  • Keith

Keith is a passionate web and application developer. He's also the original visionary for Plurker.

    Check out Keith on Plurk
  • Jacob

    Jacob is a first class Designer, with a capital ‘D’. He’s passionate about User Interface Design and cares about your experience while using Plurker. He runs his own company called Volo Creative.

    Check out Jacob on Plurk
  • Ken

    Ken's a Markup Ninja, and has a passion for CSS / Markup like no one you've ever met. A perfectionist by nature, he was driven to start his own Slice and Dice XHTML company to deliver a higher standard of quality to the masses that is unprecedented in his field of work.

    Check out Ken on Plurk