McAf.ee is Stupid
McAfee just announced that they are releasing a URL shortener, and it's currently in beta (well, it actually says "This Site is a Beta."). Honestly, I'm still trying to figure out what it's actually useful for, and I'm not coming up with much. Did somebody decide it was needed? Did somebody think it would be helpful? Or is this just McAfee swinging wildly in the dark at anything that vaguely sounds security-related in order to bloat their product portfolio and brand?
Yeah, that might be it.
At any rate, there are a few issues I noticed with a quick inspection.
The server doesn't appear to be prefetching the URL, so it can't have any idea whether the content behind the URL is dangerous or not. Presumably it's only checking the URL against the (admittedly impressive) reputation database of sites that they use for SiteAdvisor, another McAfee product.
It does have some basic JavaScript/XSS filtering, but it's only effective against specific vectors. It strips some HTML characters (like < and >), which stops tag injection, but it leaves the double quote alone, so a payload that closes the attribute the URL is echoed into and adds an event handler goes straight through:

" onload=alert(1)

Most URLs will be placed inside an iframe with some basic information about the target URL. If the URL is deemed harmless (or "green"), the user's browser can be set to bypass the iframe and go directly to the page. Presumably this is just a convenience; there's no way this could actually provide any browser security. But if a way to attack this iframe were found, or if an attacker simply wanted the iframe out of the way, the setting is changed by a plain GET request that any third-party page can trigger in a visitor's browser, so an attacker could turn that feature on or off via CSRF:

http://mcaf.ee/api/config?bypass_frames=1
http://mcaf.ee/api/config?bypass_frames=0

The only real information McAfee provides somebody visiting a shortened URL is in the iframe, where it says what kind of website they think you're visiting (in the case of skeptikal.org, it's "Software/Hardware Blogs/Wiki"). Interestingly, if the link I provide throws a 302 or other redirect, it still thinks you're looking at my site: the category belongs to the URL that was submitted, not to wherever it actually ends up. Since they're not prefetching the page, they have no idea whether I'm redirecting you elsewhere or attacking you directly. If users are screening pages using McAf.ee, it's trivial to bait-and-switch them onto another site.
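As an added example (not code from the original post or from McAfee), the following Python shows why stripping angle brackets is not a defence when the submitted URL is echoed into an HTML attribute, and what a context-aware encoder does instead, judged by what an HTML parser actually sees rather than by eyeballing the string. The `" onload=alert(1)` payload is the one quoted above; the preview template, the attribute the URL lands in and the scheme check are assumptions, since the shortener's real markup isn't on this page.

```python
# Added example (not the post's or McAfee's code): a bracket-stripping
# "XSS filter" beside context-aware attribute encoding.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Payload quoted in the post: closes a double-quoted attribute and adds a handler.
ATTRIBUTE_PAYLOAD = '" onload=alert(1)'
# Constructed tag-injection payload; this one the bracket filter does catch.
TAG_PAYLOAD = "<script>alert(1)</script>"

# Assumed preview page: the submitted URL is echoed into a src attribute.
# The real mcaf.ee markup is not on the page; this stands in for it.
TEMPLATE = '<iframe src="{url}" title="McAf.ee preview"></iframe>'


def naive_filter(value: str) -> str:
    """The kind of filter the post describes: drops angle brackets, nothing else."""
    return value.replace("<", "").replace(">", "")


def attribute_encode(value: str) -> str:
    """Context-aware encoding for a double-quoted HTML attribute. escape() with
    quote=True encodes & < > " and ', so no input can terminate the attribute
    or start a new one; the browser decodes the entities back to the raw URL."""
    return escape(value, quote=True)


def is_http_url(value: str) -> bool:
    """Encoding keeps the markup intact but would happily emit javascript: in a
    src attribute, so a URL-valued attribute also needs a scheme allowlist."""
    parts = urlsplit(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_preview(url: str, encoder) -> str:
    """Substitute the (filtered or encoded) URL into the assumed template."""
    return TEMPLATE.replace("{url}", encoder(url))


class _IframeAttrs(HTMLParser):
    """Records the attributes the parser assigns to the iframe start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.attrs = dict(attrs)


def iframe_attributes(doc: str) -> dict:
    """Attributes a browser-like parser sees on the rendered iframe."""
    parser = _IframeAttrs()
    parser.feed(doc)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    hostile = "http://example.com/" + ATTRIBUTE_PAYLOAD
    for name, encoder in (("naive_filter", naive_filter), ("attribute_encode", attribute_encode)):
        attrs = iframe_attributes(render_preview(hostile, encoder))
        print(f"{name:16s} onload attribute present: {'onload' in attrs}  src={attrs.get('src')!r}")
    print("naive_filter on a script tag:", naive_filter(TAG_PAYLOAD))
    print("is_http_url('javascript:alert(1)'):", is_http_url("javascript:alert(1)"))
```

With the naive filter the parser ends up with an `onload` attribute on the iframe; with attribute encoding the whole payload stays inside `src`, and the parser hands back exactly the string that was submitted. The scheme check is there because encoding alone says nothing about whether the value belongs in a URL attribute at all.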
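As a second added example (again not McAfee's code), the following Python models the config endpoint behind the two URLs above: a handler that changes the setting on any request to /api/config?bypass_frames=1, as the post describes, next to one that insists on a POST, a per-session synchronizer token in the body, and a matching Origin header whenever the browser sends one. The session object, the token field name and the request model are assumptions standing in for the real service; the path, parameter and origin are taken from the URLs listed above.

```python
# Added example (not the post's or McAfee's code): the GET-changes-state
# pattern the post describes for /api/config, beside a hardened handler.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "http://mcaf.ee"  # origin of the URLs quoted in the post


@dataclass
class Session:
    """Assumed server-side session, looked up from the visitor's cookie."""
    user: str
    bypass_frames: bool = False
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Assumed request model: method, full URL, POST body fields, Origin header."""
    method: str
    url: str
    form: Dict[str, str] = field(default_factory=dict)
    origin: Optional[str] = None


def _query(req: Request) -> Dict[str, str]:
    return {k: v[-1] for k, v in parse_qs(urlsplit(req.url).query).items()}


def weak_config(req: Request, session: Session) -> int:
    """The behaviour the post describes: any request to
    /api/config?bypass_frames=1 flips the setting for whoever's cookies ride
    along. The method is ignored. Returns an HTTP status code."""
    if urlsplit(req.url).path != "/api/config":
        return 404
    value = _query(req).get("bypass_frames")
    if value not in ("0", "1"):
        return 400
    session.bypass_frames = value == "1"
    return 200


def hardened_config(req: Request, session: Session) -> int:
    """State changes only on POST, carrying a per-session synchronizer token in
    the body; when the browser sends an Origin header it must be our own."""
    if urlsplit(req.url).path != "/api/config":
        return 404
    if req.method != "POST":
        return 405
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403
    # Constant-time compare so the token can't be recovered byte by byte.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), session.csrf_token):
        return 403
    value = req.form.get("bypass_frames")
    if value not in ("0", "1"):
        return 400
    session.bypass_frames = value == "1"
    return 200


Handler = Callable[[Request, Session], int]


def cross_site_attempt(handler: Handler, method: str) -> bool:
    """A victim with a live session loads an attacker page. A GET (image or
    link load) carries no Origin header; an auto-submitted POST form does.
    Neither knows the victim's token. Returns whether the setting changed."""
    victim = Session(user="victim")
    req = Request(
        method,
        "http://mcaf.ee/api/config?bypass_frames=1",
        form={"bypass_frames": "1", "csrf_token": "guess"} if method == "POST" else {},
        origin="http://evil.example" if method == "POST" else None,
    )
    handler(req, victim)
    return victim.bypass_frames


def legitimate_change(handler: Handler, value: str) -> bool:
    """The site's own settings form: POST, same origin, token from the session."""
    victim = Session(user="victim")
    req = Request("POST", "http://mcaf.ee/api/config",
                  form={"bypass_frames": value, "csrf_token": victim.csrf_token},
                  origin=SITE_ORIGIN)
    return handler(req, victim) == 200 and victim.bypass_frames == (value == "1")


if __name__ == "__main__":
    for name, handler in (("weak_config", weak_config), ("hardened_config", hardened_config)):
        for method in ("GET", "POST"):
            changed = cross_site_attempt(handler, method)
            print(f"{name:16s} cross-site {method:4s} changed the setting: {changed}")
    print("hardened_config legitimate same-origin POST works:", legitimate_change(hardened_config, "1"))
```

The weak handler is flipped by both a cross-site GET and a cross-site POST, because it never asks who sent the request. The hardened one refuses the GET outright and refuses the POST on origin and token, while the site's own form, which knows the session token, still works.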
The question I'm still asking is "who thought this would be useful?" It really isn't. First off, they claim to let people create "safe short URLs." Based on what I've seen, that's not even close to true. Second, the whole thing is pointless unless users refuse to click on any other shortened URL, a ridiculous proposition to begin with: attackers will just use a different URL shortener. Users will keep clicking on anything, and it's not the URL shortener's job to keep them safe at any rate. That's not to say McAf.ee directly causes security issues, but it doesn't appear to solve any either.
/sigh
Labels: McAfee, URL Shortening


1 Comment:
For those of us old enough to remember the vx scene before certain people turned it into mass money-making corporations: the guy behind McAfee (look back at the original txt files from vx groups like phalcom/skism), who was disliked because he 'apparently' took open source code and just renamed it, then set the standard for charging for a product based on the idealism of fear. John McAfee must be laughing all the way to the bank after merging with Intel!
As for Symantec, who bought up Norton; well, what can you say! Peter Norton is quoted on record as saying that viruses or viri are not a threat, but later followed in the heels of McAfee. Sarah Gordon (IBM) is the only one I have any respect for.
Still, if you have a good idea to make money, well done!
Just tell the media we have a problem (I remember rootkits being around for decades on Unix) and then we can expect the criminals to use pre-designed malware and you (the security guys) to update your software, adding an extra £10 each year. And yes, I know there's freeware.
Just to vent my spleen further:
Can Graham Cluley (Sophos) not have his name mentioned in every IT security mention - vanity is also a crime.
I feel better now lol
By Anonymous, at September 21, 2010 5:32 PM