Even Siri Forgets to Sanitize Inputs From Time to Time…

Siri. It’s a bit terrifying, isn’t it? Part HAL from 2001: A Space Oddessy; part Data from Star Trek: The Next Generation. If you’re cool enough to have an iPhone ( which I’m not, obviously), it allows you to sift through the lolcats, rickrolls and pornography of the internet to find whatever we want. Consider it to be part Betty Suarez from Ugly Betty, meticulously scheduling your life and part Eye of Sauron, finding and retrieving information like an obedient Labrador bringing in the paper.

The problem with Siri is that it has the propensity to say some rather funny, often socially unacceptable things. Sort of like a drunk uncle at a wedding. From hurling profanities at random twelve year old boys, to telling you where to stash a corpse; It’s a never ending fountain of hilarity.

As it goes with these sort of things, various sites have sprung up allowing you to make your own (probably unfunny) fake Siri verbal exchange. The most popular of these is ifakesiri. The way they work is fairly simple:

  • The user submits a short exchange between Siri and a fictional iPhone user to the web application.
  • The web application then takes the input, formats it to appear as if it was on the Siri app on the iPhone.
  • The user is then redirected to a page with the fake image rendered by the web application.
  • The user can then share the image with his friends, choosing to hotlink the image, or redirect to the web application.

Now, what happens if you decide to put a little bit of Javascript in? Nothing special. Something like <script>alert(‘xss’);</script>, or something a bit more sophomoric…

I did, actually.

What we have here is what’s called in the business a ‘Cross Site Scripting’ vulnerability. Here, the web application has  taken an input without validating if the contents are safe or not.

Consider the web application to be like FedEx. Fedex doesn’t really validate the contents of your package, do they? If they did, they’d probably still throw it over your fence anyway, but that’s beside the point. Fedex takes your package (your input), and transports it to the recipient (reflects the input). It doesn’t verify if the CD you’re sending to your friend is the new Adele album or something good (see what I did there?).

And that therein is the problem. The application doesn’t prevent the user from whacking in some code, be it innocuous (like <script>alert(‘xss’);</script>) or something considerably more malevolent.

I’m going to finish on couple of points. Firstly, I informed the owner of the web application of the vulnerability six days before the post was published. More than enough time to fix the vulnerability. Secondly, all the above has been explained far more elegantly than myself by J4vv4d‘s very own mini-infosec cynic (redacted at the request of Reed Publications)  daughter.

Input validation

 

2012

New Years Resolutions are very often nothing more than platitudes, aren’t they? People show about as much commitment to them as a premiership footballer shows commitment to their wedding vows; Reneging on their agreements to themselves and their families in the same time it takes Ryan Giggs to go from the altar to the front page of some gaudy tabloid newspaper read by morons.

So, it’s no surprise that when someone promise to do something drastic (especially around January time), others are skeptical. Often, the new years resolutions are cliches within themselves; promising to drink less, work out more and perhaps phone home more often. We make token efforts and as February comes, we fall into a pit of lethargy and apathy. So, I’ll perfectly understand if you decide to take this blog post with a pinch of salt. Really, I will. The habits I want to break are a bit more abstract than merely going to the gym more often.

  • Be a better person.

If I will measure how successful 2012 will be, it will be by how I treat other people and meet my obligations towards them. If I measure the year passed by the same standards, then it was clearly an abject failure. Next year, I plan to leave people better than I found them. That means living up to my promises, and being a more sensitive, considerate person. And generally less of a dick.

To all the people I let down last year, I’m sorry. You know who you are.

  • Finish a damn project!

Like most people, I base my whole concept of self worth on what I can produce. This means that when I am unproductive, or when I fail to meet the high standards I set for myself, I often feel like crap. We all do, really. If people didn’t have the motivation to improve themselves or to create something, we would have been content to ride around in cars made of stone, and forgo the combustion engine (assuming that The Flinstones’ record of history is accurate).

I, like most people end up getting really good ideas (or at least ideas I perceive to be good), but fail to follow through due to apathy, distractions, laziness and other less than admirable traits. And then I wonder why I feel like crap.

I have set myself a couple of ambitious projects so far. How I accomplish this resolution will be measured by how I fare when it comes to the projects I am working on.

Which brings me onto resolution three…

  • Value my time more.

A friend of mine has a philosophy where he values his time at £100 an hour. As a result, he doesn’t really waste time on Reddit, Tumblr, Twitter and Facebook. He probably doesn’t know who Rebecca Black is. What is true is that he lives a very comfortable life in a very comfortable part of the world.

He didn’t win his place in the world on a game show (to borrow a phrase from the venerable Russell Brand). His enviable lifestyle is a product of years of hard graft, self-discipline and self improvement. Something I’ve never been able to accomplish as a result of wasting my time, attention and energy doing essentially nothing.

I currently sleep live in the same bedroom I slept in when I was 11. Do I think that if I had the same attitude displayed by my friend when I did my A-Levels and university exams my life would have turned out completely different? Without a doubt.

So, in conclusion, in 2012 I intend to be less of a dick, follow through on my projects and stop pissing away time. Sounds easy enough, right?