Tuesday, April 30, 2013

Phishing inside an iframe

Working on a new version of the Mendeley Web Importer bookmarklet recently, I took a look at a number of similar web importing tools (bookmarklets and extensions) out there, e.g. Pocket, Evernote, Instapaper.

Evernote is a great product. I am a massive fan, and their web clipper is great. However, I am not keen on their decision to enable login inside the bookmarklet iframe:

I have created this simple demo page to illustrate why. Try saving the page using the Evernote bookmarklet.

There is no clever cross-domain iframe hackery involved. All I am doing is checking for the Evernote iframe and setting its src attribute to point instead at my faked login page, which could be used to capture victims' logins - all with just a tiny bit of basic Javascript.

I do not want to come across as an arsehole highlighting this potential security issue. What I really want to do is to remind developers out there of the importance of the browser's address bar. Internet security is built upon SSL, and when the https:// and the hostname are hidden from the users, you may be putting your users at risk. Of course, like all phishing attacks, you cannot stop malicious attackers from faking your login page, but the point is, by avoiding such bad practice, you are making your users much less susceptible to such attacks.

Sunday, April 14, 2013

A Great Day in Harlem - an interactive version

I have always been fascinated by A Great Day in Harlem. Having recently put up a print at home, I wanted to find out who's who in the photo. I did some googling and thought, why not create an interactive version? I found this excellent jQuery plugin for converting an HTML image map into something that can actually look pretty sexy, and voila: check out http://www.seewah.com/a-great-day-in-harlem/!

Tuesday, April 09, 2013

Javascript Random List Splitter

We had to run an on-boarding email A/B test the other day by randomly splitting thousands of new signups into sub-lists to send out as different campaigns.

This prompted me to write this little JS tool, back at home, for splitting a delimited list (comma, tab, newline or semicolon). Enjoy!

Note that the split does not guarantee that each list will receive the same number of items.