severe grammarly security issue

As there are quite some grammarly fans here and it occasionally came up in discussions:

Issue report said: The Grammarly chrome extension (approx ~22M users) exposes it's auth tokens to all websites, therefore any website can login to grammarly.com as you and access all your documents, history, logs, and all other data. I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations.

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1527&desc=2

Comments

  • jarjar Patron Provider, Top Host, Veteran
    edited February 2018

    Aaaand.... data cleared. Nothing particularly damaging just one less thing to answer questions about.

  • It is obvious that the world doesn't have the strength in practice to keep this shit under control, even if it's theoretically possible to do so. So this bug is another indication that we should just ban javascript from web browsers and web sites forever.

  • @willie said: it
    Just ban javascript

    Signed

  • Fascinating .... (I can't help but notice that the bug report has misspelled "its" - seems like something for which to catch Grammarly helpful could be!)

    Thanked by 1 Wolveix

  • @willie said:
    It is obvious that the world doesn't have the strength in practice to keep this shit under control, even if it's theoretically possible to do so. So this bug is another indication that we should just ban javascript from web browsers and web sites forever.

    As much as i dislike javascript but in this case i can't help but wonder how javascript is to blame for people voluntarily letting random third parties collect their data.

    Thanked by 3 MasonR uptime Ole_Juul

  • @willie said:
    It is obvious that the world doesn't have the strength in practice to keep this shit under control, even if it's theoretically possible to do so. So this bug is another indication that we should just ban javascript from web browsers and web sites forever.

    Nope, this isn't just-a-bug(TM) that could happen to anyone. This is a severe protocol problem which can only have 1 reason: being utterly careless about one's users/clients and having one's sole focus on pushing out the product and making money, no matter whether and how badly the customer herd is going to bleed.

    Thanked by 3 mksh uptime joepie91

  • @willie said:
    [...] we should just ban javascript from web browsers and web sites forever.

    brb, writing a node.js app to handle this (will render all pages server-side and push to browser as .svg ... or something)

  • jarjar Patron Provider, Top Host, Veteran
    edited February 2018

    mksh said: i can't help but wonder how javascript is to blame for people voluntarily letting random third parties collect their data

    You can always justify things in that way, and it's not necessarily wrong to do so, but it doesn't improve anyone's situation. It only assists in assigning blame.

    "You bought the used car without checking this thing, it's your fault that it broke."
    "You knew the crime rate there was high, it's your fault you got shot."

    It's not necessarily wrong to blame someone for their situation, but going a step further is taking accountability for any role you might have played in paving the way for it. That's when you stop thinking about how dumb other people are and begin thinking about making the world around you a better place, when you take responsibility for something that isn't technically your responsibility but you can influence.

    So if you were in the position to begin shifting away from javascript (as an example in this case) on systems that are commonly used by people who lack a certain degree of knowledge, you could have measurable impact, even if the problem isn't really your "fault."

  • bsdguy Member
    edited February 2018

    @mksh said:

    @willie said:
    It is obvious that the world doesn't have the strength in practice to keep this shit under control, even if it's theoretically possible to do so. So this bug is another indication that we should just ban javascript from web browsers and web sites forever.

    As much as i dislike javascript but in this case i can't help but wonder how javascript is to blame for people voluntarily letting random third parties collect their data.

    Interesting point. Two remarks:

    • This is not the fault of javascript. It's a design and protocol problem. The kind that requires being either extremely careless or extremely clueless or both.

    • I don't know how much javascript code is hand made and how much is machine created but I do know that there are multiple possibilities to machine-create "good error-free" js code. To name but one example, Reason ML compiles ML (something very close to OCaml) to js.

  • angstrom Moderator
    edited February 2018

    Wow, @bsdguy approves of JavaScript -- I wouldn't have guessed this.

  • @angstrom said:
    Wow, @bsdguy approves of JavaScript -- I wouldn't have guessed that!

    No, he doesn't. But neither do I stay quiet when javascript is accused unfairly.

    I don't like it but I also see the segment where it's typically used. Plus and most importantly - and unlike e.g. php - there usually is no choice; for certain jobs one simply has to use js.

    Whatever, in this case js is not the culprit (but quite likely a minor accomplice).

  • Pathetic.

    Thanked by 1 Aidan

  • willie Member
    edited February 2018

    bsdguy said: The kind that requires being either extremely careless or extremely clueless or both.

    I don't think I could call that level of carelessness or cluelessness "extreme", since it is pervasive, while "extreme" means far in excess of the ordinary. In the real world, except for maybe a few nerds like us, the sole concern of almost everybody at any time is to get their immediate problem solved right now. Consequences that emerge later aren't considered or handled until later. Sure, maybe philosophically it would be nice to change that reality, but it isn't going to happen. That's what I meant by "the world doesn't have enough strength in practice to keep this shit under control", i.e. to act in the way you wish that it would act.

    That's why our best hope is a more compartmentalized and modular approach, starting with banning Javascript. Of course that doesn't solve the whole problem, but if you look at the history of web vulnerabilities over the past few years, it would have prevented an awful lot of them.

  • Well, making all customer documents and data virtually public is an extreme.

    Plus, we are not talking about some exotic details like, say, a somewhat dumb prng, but about getting the fucking holy grail blown up. I dare to assume that even the average javascript developer knows and understands that "securing" a bank's vault by putting a "do not enter" post-it on the open door is a fucking bloody cluster fuck approach - yet, that's pretty much what grammarly did. And, well noted, that's not a javascript or a programmer issue; that's a basic design issue.

    As for javascript, well guys thanks so much for pushing me, grrrr. My sense of fairness forces me to do the unspeakable, to defend js.

    Most modern js VMs are the result of lots of engineering and I happen to know that usually some security people were heard, too. So, properly designed and developed code isn't an issue, at least not a grave one.

    The real disease you/we need to fight is a) careless (and often clueless) "web developers" and b) hand-coding javascript.

    Maybe the issue is better understood with an indirectly related example: php. I've preached many times to at least use "hack", basically a somewhat-safer-php so php guys wouldn't even need to learn a new language as hack is designed to strongly feel like php (and to directly replace it). Response so far? Yawning.

    That is the problem, not javascript which, unlike php, is not even an inherently bad language (anymore. what netscape originally hacked together, however, was a turd tumor).

    Thanked by 1 mksh

  • Ympker Member
    edited February 2018

    Interesting read though:
    https://lifehacker.com/5990769/why-do-chrome-extensions-need-to-access-all-my-data

    @Clouvider Thought you might wanna know that :P

    • there is an update on @bsdguy link:

    Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time.

    I've verified that Mozilla now also has the update, so users should be auto-updated to the fixed version. I'm calling this issue fixed.

  • Neoon Community Contributor, Veteran
    edited February 2018

    Let's buy one of these Amazon SMART LOCKS, they use the CLOUD!

    So my Amazon packages get delivered into my flat, PREMIUM!

    http://www.techradar.com/news/amazon-key-smart-lock-security-integrity-called-into-question-by-hack

    Wait, I got another idea, let's use that service, that checks your documents for grammar errors, it stores them into the CLOUD!

    CLOUD CLOUD CLOUD!

    https://bugs.chromium.org/p/project-zero/issues/detail?id=1527&desc=2

    Thanked by 1 dedotatedwam

  • bsdguy said: Well, making all customer documents and data virtually public is an extreme.

    It didn't come from an extreme of programming conduct for the industry sector that it came from. Rather, ordinary programming errors have a long-tailed distribution of possible consequences, and this particular consequence happened to be out in the tail. The fix is to not launch a globally ubiquitous deployment system (browsers with JS) that does such a shitty job containing those errors. But that would mean not letting the advertising industry take control of the internet, and I suppose that ship has already sailed.

    Of course we learned in the early days of Java that the whole concept of sandboxing hostile code is pretty close to original sin. It's just too seductive a concept though. Being unable to resist it is another example of how the world lacks strength.

  • AnthonySmith Member, Patron Provider

    Jesus P Harold!

    Data cleared, account deleted, thanks for the heads up.

  • @willie said:
    ... But that would mean not letting the advertising industry take control of the internet, and I suppose that ship has already sailed.

    That gets pretty close to nailing the real cause. In this case it was that a company - that just so happens to very aggressively advertise their shit - had zero interest in the safety of their users and 100% interest in pushing out advertisements and raking in profits.

    In fact, looking at the issue one finds that grammarly's approach was "Let's just fake safety and security".

  • Ole_Juul Member
    edited February 2018

    bsdguy said: The real disease you/we need to fight is a) careless (and often clueless) "web developers" and b) hand-coding javascript.

    So would it be a solution for browsers to only allow javascript from approved and signed libraries, and block the rest?

    (clueless and noobie question)

  • @Ole_Juul said:
    So would it be a solution for browsers to only allow javascript from approved and signed libraries, and block the rest?

    (clueless and noobie question)

    Or you do it on your own and use NoScript ;)

    Thanked by 4 uptime Ole_Juul mksh WSS

  • @bsdguy said:

    @willie said:
    ... But that would mean not letting the advertising industry take control of the internet, and I suppose that ship has already sailed.

    That gets pretty close to nailing the real cause. In this case it was that a company - that just so happens to very aggressively advertise their shit - had zero interest in the safety of their users and 100% interest in pushing out advertisements and raking in profits.

    In fact, looking at the issue one finds that grammarly's approach was "Let's just fake safety and security".

    Hey, it's cheaper hiring that indian kid from fiverr than a real engineer and programmer.

  • mksh Member
    edited February 2018

    @jarland said:

    mksh said: i can't help but wonder how javascript is to blame for people voluntarily letting random third parties collect their data

    You can always justify things in that way, and it's not necessarily wrong to do so, but it doesn't improve anyone's situation. It only assists in assigning blame.

    "You bought the used car without checking this thing, it's your fault that it broke."

    This analogy isn't that good as i surely can't/don't assume random people being able to scrutinize anything for security. On the other hand would you buy a car knowing you don't have the slightest ability to check its condition? Probably not but then that's what people do regarding to technology all the fucking time.

    "You knew the crime rate there was high, it's your fault you got shot."

    Well, yeah that's kinda what i do. Kinda since my line would be more like "You were ignorant to the crime rate there, it's your fault you got shot."

    It's not necessarily wrong to blame someone for their situation, but going a step further is taking accountability for any role you might have played in paving the way for it.

    I didn't. Well, maybe in a way for the internet and technology as a whole but i've never subscribed to any of that social-post-privacy or put your-data-online stuff. The internet i liked and advocated was pretty much dead or in the last stages of dying by the mid 00s.

    That's when you stop thinking about how dumb other people are and begin thinking about making the world around you a better place, when you take responsibility for something that isn't technically your responsibility but you can influence.

    I've told people over and over again to not put anything remotely sensible in "the cloud" and guess what? They don't listen. At best they overtly agree because it's edgy to be against data hoarding corporations but continue to do so because it is convenient. Besides all their friends do it too and who are you today anyways when you don't have a facebook profile? Encryption? Sounds neat but wait... does this mean i have to click 2 more buttons or even shudder read something about it? Forget it and that is when i am not outright dismissed and told that i am paranoid.

    There's a tiny amount of people that get that technology is usually designed for maximum profit and not to be their friend or enriching their life (be it because of shoddy braindead programming or because it's free and you are the product) so it really should be treated with caution. Even more so if you don't understand it.

    This is a social problem and i have no illusion about being able to solve it let alone solving it with technology. Look at the last 1 or 2 generations. Their minds are basically fucked. They grew up with all this shit and to them having all your data available online is perfectly normal. Actually i can't blame them for going along with the spirit of the times and giving anyone who challenges their idea of normality a strange look even if i see it as a worrisome development that only seems to be getting worse and worse.

    So if you were in the position to begin shifting away from javascript (as an example in this case) on systems that are commonly used by people who lack a certain degree of knowledge, you could have measurable impact, even if the problem isn't really your "fault."

    If i were sure (assuming this is an analogy as i don't see javascript as the culprit here). Problem is i am not. I am just some random disillusioned guy posting on LET.

    End of bitter TL;DR wall of text.

  • @Ole_Juul said:
    So would it be a solution for browsers to only allow javascript from approved and signed libraries, and block the rest?

    (clueless and noobie question)

    I don't think so. For different reasons, i.a. that companies (like grammarly) would just buy their way in while e.g. open source developers would be discouraged.

    But @lion (justifiably) indirectly mentioned another problem field: users who are careless (and often don't know better).

    One useful thing might seem to be to have browsers check this or that in whatever way. The problem, however, is that they can not possibly check for all and everything.

    This grammarly issue, for instance, might be perfectly valid javascript code. And even if browsers could somehow check everything and the kitchen sink - they can't and won't be able to for years to come - that in itself would create another problem because users don't want to wait hours for their plugins (and all the js sullied web sites!) to be checked and loaded.

    Thanked by 1 Ole_Juul

  • @bsdguy said:

    @Ole_Juul said:
    So would it be a solution for browsers to only allow javascript from approved and signed libraries, and block the rest?

    (clueless and noobie question)

    I don't think so. For different reasons, i.a. that companies (like grammarly) would just buy their way in while e.g. open source developers would be discouraged.

    Yes, please let's not create another walled garden.

  • @mksh said:
    Yes, please let's not create another walled garden.

    Of Modules..

    Thanked by 1 MCHPhil

  • or customers' confidential data.

  • The Grammarly chrome extension (approx ~22M users) exposes it's auth tokens to all websites

    Someone needs to be taken out back & shot, that's a glaringly incompetent mistake.

  • @Aidan said:

    The Grammarly chrome extension (approx ~22M users) exposes it's auth tokens to all websites

    Someone needs to be taken out back & shot, that's a glaringly incompetent mistake.

    In other news, mixpanel slurped your passwords :-) https://techcrunch.com/2018/02/05/mixpanel-passwords/
