Tuesday, July 21, 2009

steekR security steenkS

My RSS reader continues to provide me subject matter for analysis, and the recent F-Secure purchase of steekR, “Your Secured Online Space”, was no exception.
The purchase was described by El Reg as follows:

F-Secure grabs online storage firm in cloud security push
Steek's technology is designed to allow users to upload data from either PCs or mobile phones. Bordeaux-based Steek already partners with mobile telcos (including Virgin Media, SFR in France and SingTel), a factor which F-Secure hopes will increase its ability to sell Software as a Service (SaaS) technology packages through operators.

Oh boy, here we go again.
I want to create a new line of Bobbleheads for Cloud and SaaS. They’ll talk as well, bobbling and blathering the latest buzz words:
“We’ll give you the best ROI in the cloud!”
“Our SaaS offering relieves you of any responsibility, we’ll do it all!”
I digress.
I understand the business model, and F-Secure’s motives for the purchase; it’s hard to find fault there.
But as I’ve indicated time and time again, when you purchase or integrate another vendor’s offerings, you immediately inherit their shortcomings as well.

I propose a blamestorming session. I’d like to start with steekR.
steekR suffers from persistent cross-site scripting (XSS) flaws.
They further suffer from a complete inability to respond to responsible disclosures (multiple attempts over two weeks).
Thus, I struggle with their “Your Secured Online Space” claim. As in…not so much.
Imagine this scenario:
1) An attacker creates a steekR account.
2) The attacker embeds malicious JavaScript.
3) The attacker then shares steekR content in a manner that exposes it to any victim who errantly clicks through.
4) You receive email notification of the share and given your use of steekR (you and 2,405,935 other customers), you click the URL.
5) Your browser is directed to a steekR share with a malware-laden IFRAME embedded.
6) You’re pwned.

I'll walk you through it.

Here's the email...


Here's the URL in the email (no, I'm not trying to pwn you):
http://www.steekr.com/n/50-2/share/LNK32784a66232b7baaf/
Click My Documents in the left pane and you'll see the IFRAME in the right pane when you mouse over the folder.

Here's the result when you click said URL...


That IFRAME could easily be something nasty.
Similar scenarios can easily lead to data breach, account compromise; pick your poison.
Lest you forget, persistent XSS issues are far uglier than their reflected kin.

Lesson for companies like F-Secure on the venture integration path:
Review the acquisitions security-related practices, or lack thereof, and conduct a thorough assessment of the product driving the decision to purchase them.

Lesson for users of SaaS offerings:
Assume no privacy, and no guarantee of security. A trusted resource may not be trustworthy.

Steek and you might stumble. ;-)

del.icio.us | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

1 comment:

Rafal Los said...

@Russ... at the risk of being a fanboi... I can only sum up my reaction as..

..."D'oh!"

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...