Two-step authentication: a necessity for secure webapps

21 June, 2011 § 2 Comments

Recently, my girlfriend's Gmail account showed that it had been accessed from Poland, France, and the United States, all within a couple of hours of each other. This breach of security was horrifying, and it pointed out how easy it can be for someone to access another person's account.

We're not sure how her password leaked. Maybe it was through a phishing site or some malware/keylogger on her machine. But that was neither here nor there. The plain fact is that her account was granting access to unknown parties without her permission.

Not too long ago, Google announced 2-step verification for Gmail. With 2-step verification, the user logs in with their password and then enters a code obtained using their mobile phone. A friend of mine also uses a similar procedure for his World of Warcraft account.

I've signed up for 2-step authentication as well, and don't mind the subtle inconvenience. If you are a Gmail user, you should try it out today.

Features like these make account security much stronger, and it is time that more websites start offering them (especially online banking).

XSS Prevention in GMail

28 February, 2011 § Leave a comment

Many popular web applications use JSON as their data interchange format. The format is very compact, easy for humans to read, and is based on a subset of JavaScript.

I'll start with an example. Consider a website that wants its clients to query the server for the 3 most recent public messages. The client may send a GET request to the following address:

The response can be written as follows:

var messages = [
   {"user": "foo", "m": "I like turtles", "t": 123423550},
   {"user": "bar", "m": "Turtle power!", "t": 1234543245},
   {"user": "baz", "m": "Cowabunga dude", "t": 1234567643}
];

When the client requests this JSON feed, it can run eval() on the source code. Afterwards, it will have a messages object in global scope that it can reference.

This works well for GMail, but it also allows other websites to make the same call. Modern web browsers will not allow asynchronous HTTP requests (XMLHttpRequest) to cross domain boundaries, so it is easy to think that this is safe. However, if the same URL is added as the src attribute of a script tag, the browser will load the content and execute it as JavaScript, and the messages variable ends up in the other site's global scope, where that site can read it.

To work around this, GMail adds while(1); to the beginning of the JSON response.

When JavaScript is requested through a script tag's src attribute, the including page has no way to read or modify the response text before the browser executes it. This keeps the while(1); in place. If a client tries to eval() this JSON response through a script tag, its browser will simply hang in that loop.

Pretty interesting, huh? There are still workarounds that can defeat this, such as setting up a server-side proxy that makes the request and strips the while(1);.
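As an added example (not Gmail's code), here is how a feed can emit the while(1); guard and how a same-origin client that already holds the raw response text (from XMLHttpRequest, not a script tag) strips it and parses the rest as data instead of eval()ing it. The helper names and the sample feed are constructed for illustration.

```javascript
// Added example, not Gmail's code: producing and consuming a while(1);-guarded JSON feed.
const GUARD = "while(1);";

// Server side: serialize the feed as plain JSON and prepend the guard. If another
// site includes this URL via <script src=...>, the browser executes the response
// as script and loops forever on the first statement, so the data is never reached.
function guardJson(value) {
  return GUARD + JSON.stringify(value);
}

// Client side (same origin): code that fetched the feed with XMLHttpRequest has the
// raw response text, so it can drop the guard and use JSON.parse rather than eval().
// A body without the guard is rejected, which also catches an endpoint or proxy that
// forgot to add it (or the older "var messages = [...]" form, which is executable).
function parseGuardedJson(body) {
  if (typeof body !== "string" || !body.startsWith(GUARD)) {
    throw new Error("response does not start with the while(1); guard");
  }
  return JSON.parse(body.slice(GUARD.length));
}

// Constructed sample feed, same shape as the three messages in the post.
const sampleMessages = [
  { user: "foo", m: "I like turtles", t: 123423550 },
  { user: "bar", m: "Turtle power!", t: 1234543245 },
  { user: "baz", m: "Cowabunga dude", t: 1234567643 },
];

// The unguarded form from the post: valid JavaScript, so a cross-site <script> include
// would run it and leave `messages` in the including page's global scope.
const unguardedFeed = "var messages = " + JSON.stringify(sampleMessages) + ";";

// The guarded form a same-origin client would fetch and strip.
const guardedFeed = guardJson(sampleMessages);
```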

If you’re looking for more details, Adobe Labs has a page on their website that covers Preventing the Execution of Unauthorized Script in JSON.

Anticipating the Google I/O 2011 announcement

2 January, 2011 § 3 Comments

Any day now there should be an announcement for the early bird registration of Google I/O 2011. Last year I registered on January 17th, and from what I hear online the registration sold out very fast.

To be ready for the announcement, I have set up a Google Alert on the terms "google i/o 2011 registration". Google Alerts is a system in which Google will email you when their crawler reaches a new item on the internet that matches the search terms you have supplied. This is pretty cool, but what if I'm away from my email when the release happens? How will I know then?

I know, I’ll have it send me a text message! I set up a special filter in Gmail that will forward these Google Alerts straight to my cell phone.

If your cell-phone provider is T-Mobile, you can send an email to <10-digit phone number> and the email will be forwarded to the phone with that number. This combination will let me know very quickly when the registration opens.

Here is a list of special email addresses to use if you would like to do the same thing but aren't using T-Mobile:

  • Verizon:
  • AT&T:
  • Sprint:
  • Nextel:
  • Cingular:
  • Virgin Mobile:
  • Alltel: OR
  • CellularOne:
  • Omnipoint:
  • Qwest:


You are currently browsing entries tagged with gmail at JAWS.