TL;DR — Summary of the Problem

Using a text editor to modify content management system (CMS) configuration files (like wp-config.php) could expose your database password to the world. Several popular text editors like Vim and Emacs automatically create backup copies of the files you edit, giving them names like “wp-config.php~” and “#wp-config.php#”. If the text editor crashes or the SSH connection drops during editing, then the temporary backup files may not be cleaned up correctly. This means that the CMS config file (which contains the database password) could accidentally be made public to anyone who knows where to look.

Most servers, including the ubiquitous Apache, will happily serve the plaintext of .php~ and .php# files without passing them through the PHP preprocessor first, since they don’t have the .php file extension. Thus, your sensitive database credentials are just one GET request away from being accessed by a malicious party.

I wrote an automatic program, which I call CMSploit, to test for the prevalence of this issue across the wider web. I tested the top 200,000 websites (as ranked by Quantcast) and found that 0.11% of websites are vulnerable. If we eliminate non-CMS sites, and just look at CMS-powered websites, then we find that 0.77% of websites running a CMS have publicly-visible config files.

If you want all the gory details, then keep reading.

CMS Configuration Files

Most content management systems (CMSs) store sensitive settings like the database hostname, database name, database username, and database password in a file that sits in the root of the web directory.

Here is what a typical config file looks like:

<?php
define('DB_NAME', 'my_secret_database'); /** Name of WordPress database */
define('DB_USER', 'secret_agent_1'); /** MySQL database username */
define('DB_PASSWORD', 'you_will_never_guess_this'); /** MySQL database password */
define('DB_HOST', 'localhost'); /** MySQL hostname */

Here is a list of the various configuration files used by the most popular CMSs:

wp-config.php        # WordPress
config.php           # phpBB, ExpressionEngine
configuration.php    # Joomla
LocalSettings.php    # MediaWiki
mt-config.cgi        # Movable Type
settings.php         # Drupal

Despite the fact that these configuration files exist in a publicly accessible folder, the file contents are unviewable by a normal web user. Accessing the file directly does not work because the PHP interpreter handles all requests to .php files and wisely returns a blank page instead of the actual file contents. (Try accessing http://www.example.com/wp-config.php on your favorite WordPress blog to see what I mean. You should get a blank page back.)

As you can see, all the sensitive database information is located within <?php ?> tags. So, even if a malicious user were to access your config file directly, the PHP preprocessor would just run the PHP code, which defines some PHP global variables and then returns a blank page. Thus, no harm done, right?

Text Editors Make Temporary Files

Popular command line text editors like Vim, Emacs, Gedit, and Nano create several temporary backup files during the course of file editing. When you open a file for editing, a backup of the original file is saved. Depending on your text editor, in-progress file changes might also be saved to a swap file, so you can restore your unsaved changes in the event of a program crash, power outage, or connectivity issue.

If all goes well, when you’re done editing the file, the text editor deletes the temporary files so your filesystem doesn’t accumulate dozens of old temporary files. However, if your text editor crashes or you lose your connection, then the temporary files will still be on your filesystem.

Here are the temporary filenames used by the most popular text editors (assuming a file named wp-config.php):

  wp-config.php~        # Vim, Gedit
 #wp-config.php#       # Emacs
 wp-config.php.save    # Nano
 wp-config.php.swp     # Vim (swap file)
 wp-config.php.swo     # Vim (swap file)

Putting Two and Two Together

If a CMS user edits a config file on their live site (as opposed to editing it offline and uploading it over FTP), then there may be temporary files which contain their database password floating around in publicly-accessible folders.

If someone requests one of these temp files, then most servers will return the plaintext, skipping the PHP parser completely — yikes! By default, Apache assumes that only files which have a .php file extension are PHP files. If the file extension is not .php, Apache happily serves up the plaintext of the file.

How prevalent is this problem?

After noticing this security issue on one of my websites, I became curious to find out how common it is across the wider web. So, I wrote a program to test the top websites and get a rough idea of the prevalence of this problem. I call it CMSploit. The program is pretty simple — it issues GET requests to a site to test for the presence of temporary backup files with common CMS config filenames.

Here were my results:

• Tested the 216,391 most popular websites (according to Quantcast).
• Found 230 config files visible in root of site.

• Thus, 230 / 216391 = 0.11% of all websites are vulnerable.

• Latest stats say that about 13.8% of the top 10,000 websites run CMSs. If we just focus on CMS-powered websites, then the percentage of vulnerable sites is much higher:

• Thus, 230 / (216391 * 0.138) = 0.77% of websites running a CMS are vulnerable.

It’s shocking to think that 0.77% of websites (1 out of every 130) built with a CMS has its database password just sitting there in a public folder for all the world to see. Lots of these are popular, active websites. You would likely recognize many of them. Most of the sites were WordPress blogs, but there were a surprising number of e-commerce sites too, which is a little scary.

Responsible Disclosure

1. I contacted several of the highest profile sites to notify them of this security issue on their site. Most of them fixed the problem within a few days. All who replied to me were extremely grateful for bringing the issue to their attention. One of the companies even offered me a free license to their software.

2. I submitted a vulnerability report with US-CERT. Unfortunately, they replied with “This issue is not the type of vulnerability class we are inclined to coordinate or publish on.” I also plan to submit reports with Apache, PHP, WordPress, and Vim/Emacs.

3. After running the script and collecting my research statistics (published above), I securely wiped all the config files from my hard disk. I did not attempt to login with any of the database credentials I discovered. Therefore, it was not possible to determine what percentage of the database credentials were valid or what percentage of database servers were open to remote connections.

Lessons Learned

1. CMS users should never edit their “config.php” file (or other sensitive files) with a text editor that creates temporary backup files. The best policy is to avoid editing any sensitive files on a live website. Instead, copy the file locally, make your edits to it, and copy it back to the server.

2. It’s trivially easy to write a script to search for vulnerable sites. Bad people have probably been doing it for several years. In fact, this issue has even been discussed in other forums before. You should check your sites for “wp-config.php~” and related files. Make sure your sites are not vulnerable.

3. Someone should fix this. It’s not completely clear where responsibility lies, though. Is it Apache’s fault? Or PHP? Or vim/emacs? Should WordPress and other CMSs do something about it? There are many ways to fix this problem. I don’t particularly care how it gets fixed, as long as the default configuration of Apache + PHP + vim/emacs + WordPress don’t have this problem, I’ll be satisfied. In the meantime, using this very common web stack we have a scenario where ~1% of sites expose their passwords. This is bad.

4. In the short term, you should proactively protect all your websites. If you run WordPress, you can block access to any file containing the string “wp-config.php” with a .htaccess rule like this:

   <Files ~ “(^#.*#|~|\.sw[op])$”>
   Order allow,deny
   Deny from all
   </Files>

5. You should configure MySQL to deny remote connections to your database and connect to localhost instead. If you absolutely need remote access, then explicitly whitelist certain IPs and deny the rest. This way, if someone gets your database credentials, they’ll be unable to actually log in.

Final Thoughts

Even though the discovery that 0.77% of CMS-powered websites have public database passwords is already shocking, I’m pretty confident that you could easily double or triple the number of vulnerable sites with a better, more thorough script, and lots more time.

The script I wrote only tests the root of each site for CMS config files. However, lots of sites run CMSs in subfolders and subdomains like /blog/, /wiki/, /forums/, blog.mydomain.com, etc. Testing these places would dramatically increase the number of vulnerable sites detected.

I will not publish the source code of this script, because of the potential for harm. However, if you are a security researcher and are interested in reviewing the source code, send me an email.

This DEFCON talk is relevant: Pillaging distributed version control system repos for fun and profit.

Discussion on reddit.

Slides from a presentation I gave to the Stanford ACM about CMSploit:

Thanks to John Hiesey for reading a draft of this.

Related posts:

1. HOW TO: Spy on the Webcams of Your Website Visitors

Update 10/20/2011: Whoa, this story is everywhere!

• CNET
• Wired.com
• The Register
• Ars Technica
• Gizmodo
• PC World
• Yahoo! News
• ZDNet (and another)
• The Inquirer
• Computer World
• The H Security
• An interesting opinion piece: “The Sins of the Flash”

Update 10/20/2011: Adobe says they just posted a fix to the Settings Manager that should resolve the issue. I just tested it out, and indeed the issue appears to be fixed now. Congrats, Adobe, for the quick fix!

Update 12/21/2011: This attack made it into Jeremiah Grossman’s list of top web hacking techniques of 2011. It’s #26.

Update 1/10/2012: Another similar clickjacking attack was just discovered and fixed by Adobe.

Original post:

I discovered a vulnerability in Adobe Flash that allows any website to turn on your webcam and microphone without your knowledge or consent to spy on you.

It works in all versions of Adobe Flash that I tested. I’ve confirmed that it works in the Firefox and Safari for Mac browsers. Use one of those if you check out the live demo. There’s a weird CSS opacity bug in most other browsers (Chrome for Mac and most browsers on Windows/Linux).

Video demo of the attack:

Source code: Github

Clickjacking + Adobe Flash = Sad Times!

This attack works by using a neat variation of the normal clickjacking technique that spammers and other bad people are using in the wild right now. For the uninitiated:

Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
— Wikipedia

Combine clickjacking with the Adobe Flash Player Setting Manager page and you have a recipe for some sad times.

Background

I took a computer security class (Stanford’s CS 155) last quarter and really enjoyed this research paper on framebusting and clickjacking. After reading it, I checked out a few popular sites to see if it was possible to clickjack them. After a couple hours, I had no success.

But, then I stumbled upon this blog post entitled “Malicious camera spying using ClickJacking” where the author shows how to clickjack the Adobe Flash Settings Manager page to enable users’ webcams. He accomplishes this by putting the whole settings page into an iframe and making it invisible. Then, unsuspecting users play a little game and unwittingly enable their webcams. Adobe quickly added framebusting code to the Settings Manager page (why wasn’t it there in the first place?), and the attack stopped working.

But alas, the same attack is actually still possible.

How my attack works

Instead of iframing the whole settings page (which contains the framebusting code), I just iframe the settings SWF file. This let me bypass the framebusting JavaScript code, since we don’t load the whole page — just the remote .SWF file. I was really surprised to find out that this actually works!

I’ve seen a bunch of clickjacking attacks in the wild, but I’ve never seen any attacks where the attacker iframes a SWF file from a remote domain to clickjack it — let alone a .SWF file as important as one that controls access to your webcam and mic!

The problem here is the Flash Player Setting Manager, this inheritance from Macromedia might be the Flash Player security Achilles heel.

— Guy Aharonovsky

This is a screenshot of what the Settings Manager .SWF file looks like:

Live Demo

I built a quick proof-of-concept demo to show how it works.

Important: The demo is only guaranteed to work in Firefox and Safari for Mac. Right now, it doesn’t work in most other browsers since you can’t change the opacity or the z-index of an iframed swf file. However, I discovered a workaround that involves multiple iframes, but haven’t implemented it yet since it’s a bit complicated. But, I’m pretty sure that it’s possible to make it work everywhere, given enough time.

View the Demo.

The code is also available on Github.

I should also mention that my demo builds heavily off of the ideas and work done by the dude who runs this blog, Guy Aharonovsky.

Also: If you’re a bit leery about running the demo… I promise I’m not saving the webcam video. I just display it back to you so you can see that it works. However, if an attacker used this technique, they would almost certainly NOT show you any sign that your cam is on. You’re only hope of finding out that something’s up is your webcam indicator light (if you have one).

Why release this?

I reported this vulnerability to Adobe a few weeks ago through the Stanford Security Lab. It’s been a few weeks and I haven’t heard anything from Adobe yet. I think it’s worth sharing it with the world now, so that Adobe pays attention and fixes it more quickly.

Although every browser and OS is theoretically susceptible to this attack, the process to activate the webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off. I’m not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we don’t have to find out.

Further reading

If you want to learn more about clickjacking and framebusting, you should read the excellent Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites (PDF) paper by Gustav Rydstedt, Elie Bursztein, Dan Boneh, and Collin Jackson.

Related posts:

1. 1% of CMS-Powered Sites Expose Their Database Passwords

To me, it’s a giant lesson about the power of programming for the Web. It’s also proof that engaging with the media through blogging, Twitter, and Quora can create a meaningful public discussion and even help you shape a news story.

New York Magazine – “Bubble Boys”

September 11, 2012. Out in Silicon Valley, the last bastion of full employment, the Steve Jobs and Mark Zuckerbergs of the future are staying up all night writing code in dorms.

CNN News – “Hiring Spree in Silicon Valley”

May 18, 2011. Companies are waging fierce competition to hire the best talent. CNN’s Dan Simon reports. Watch the video:

Older news stories

And, for completeness, here are a few older news stories that I’ve shared on Twitter/Facebook, but haven’t blogged about before now.

Sacramento Magazine – 2010 Person of the Year

January 2011. When Internet behemoth Google rolled out its “instant search” tool in early September, Feross Aboukhadijeh, 20, of El Dorado Hills set himself a goal: to create the same sort of function for YouTube and complete it within the hour.

All Things Digital – “Instant.fm Launches”

April 22, 2011. The idea is simple: drag a playlist from someplace, iTunes included, and Instant.fm queues up YouTube videos of the songs in the list, playing them in the playlist’s order. Read the story or watch the video:

And a few more…

• The Next Web – “Instant.fm is a super slick way to share playlists of music”
• Configurar Equipos – YouTube (in Spanish)

That’s all for now!

I love Mozilla. We’re definitely doing this again.

Related posts:

1. Stanford iPhone App Final Project – iBoard
2. Is Google an Open Redirector?

The Price of Education

My one reservation about the event is that they are charging high school students $125 to attend. This seems excessive to me. For comparison, the upcoming TEDx Berkeley conference only costs $100 to attend, and that’s an internationally recognized event with dozens of international speakers. ASES says that all proceeds from the event will be used to send some Stanford students to a conference in Tokyo.

If my club, Stanford ACM, were to host such an event it would most definitely be free. If the goal is to expose interested high school students to entrepreneurship, there is no reason to charge more than a nominal entrance fee ($20 max) to defray the costs of food/drinks and room reservations. The current price places a high burden on students from poor backgrounds. These types of outreach and education events should always be free to students (especially those who can’t afford the $125 fee).

The Internet Saves the Day

I encouraged ASES to videotape the entire event and post it online for free, after the conclusion of the event. Fortunately, they were already planning to do that, which is encouraging. This way they get their fundraising and all students have a chance to access the material.

I will post a copy of the video here on Feross.org after the conclusion of the event, so you can check it out if you’re interested (I have a surprising number of high school readers).

My Last ASES Talk

This isn’t the first time I’ve given a talk for ASES. In October, I gave a talk to Stanford students about YouTube Instant. Interestingly, the event was free.

Nonetheless, I’m really excited for the speaker panel on February 26th.

They want to know what they should be doing to prepare for college applications – what clubs they should join, what sports they should play, and what activities they should get involved in. They want to learn the “secrets” that will make themselves appealing to admissions officers.

There is No Silver Bullet

The truth is that there are no “secrets” that will get you instantly accepted at your dream college, be it Stanford or any other college. The college admissions process is really, really random. I have friends who got into incredibly good schools but were rejected from much “easier” schools. College admissions depend on lots of details and circumstances that are just really out of your control.

However, all is not lost. I have a few tips (they are really just patterns that I’ve noticed) that should increase your chances of getting accepted at Stanford.

Stanford Admission Tips

It’s hard to say exactly what Stanford is looking for, but I’ve noticed that most Stanford students (especially techies and engineers) have several traits in common.

1. Love of learning. Every Stanford student I know loves learning for the sake of learning. That is, they want to learn stuff not to make money, not to get a good job, not to impress teachers, but because they genuinely enjoy learning new things.
2. Curiosity. If you don’t understand something, do you just accept it and move on? Or do you insist on finding out the answer, researching it online, and trying to teach yourself if necessary?
3. Risk-taking and Entrepreneurial. Have you ever attempted something which seemed impossible? Or, have you put a substantial amount of time into a personal project that had a significant chance of failing? Even if your project ultimately fails, the fact that you frequently take risks and try to do stuff that’s innovative puts you in a whole different category than most people.
4. Independent. Stanford students are generally independent thinkers. They read broadly and form their own opinions about politics, philosophy, and life. They aren’t bothered when their opinion differs from the majority’s. In fact, they often go out of their way to learn about the other sides’ arguments.
5. Passionate. What do you love to do? When I was in middle school, I wanted to know how websites and the Internet worked. So, I decided to teach myself. I learned by reading articles online, skimming chapters from programming books at Borders whenever my parents visited the store, and through trial-and-error. I got hooked. I’ve been obsessed with the Internet ever since. You should find a passion and become an expert at it.
6. Highly motivated. It’s not enough to “want to change the world” or “bring about world peace” or whatever other lofty goals you can come up with. You have to actually do stuff. What have you done so far? If you’re an engineer, you should build stuff — websites, games, tech demos — on your own or at school.
7. Athletic. You need to play sports. It’s okay if you’re not the next Michael Jordan or Steve Prefontaine. As long as you’re committed, passionate, and improving your game (or track times), then you’re a student-athlete, which means you can balance multiple commitments and manage your time well.

You can make yourself stand out by trying to develop these personality characteristics, or if you already have them, by emphasizing them in your application.

Essay Tips

The best advice I can give you about essays is to let your voice shine through in the essay. Don’t let your parents, teachers, or whoever else you get to proofread your essay edit out your personality. You want to be a little bit risky and edgy. Don’t try to be overly formal and academic.

Remember to make it interesting. You need to tell a story about your life. It should be compelling and genuine. The admissions officers need to feel like you are a real person that they would want to meet and even hang out with.

In my own essay, I talked about how I’ve always been fascinated by technology and computers ever since I was a kid. I give a lot of credit to my parents and talk a little bit about my childhood. I also talked about my goals and dreams.

Be careful here, though. If you spend too much time talking about your goals and dreams without justifying how you’ve already started taking steps to achieve these dreams, then you’ll seem like you’re all talk. For example, I wouldn’t say “I want to end world hunger and poverty” unless you’ve already done stuff in high school that works towards achieving these goals. If you’ve got the goods to back what you’re saying, then you’re in good shape.

What are my chances?

Lots of people I know thought that it would be impossible to get into Stanford — that they were not good enough, or that they wouldn’t be able to afford the tuition even if they got in, or lots of other excuses that they invented. So they didn’t apply.

It’s true, Stanford is really difficult to get into (the latest stats say that 7.2% of applicants get accepted – it was 9.5% when I applied). But that’s why it’s worth trying for!

You Miss 100% of the Shots You Don’t Take

Like I said before, the admissions process is really, really random. It’s worth applying just because of that fact alone. You’ll never know if you don’t apply.

In addition, a lot of the other issues like unaffordable tuition isn’t an issue anymore, because financial aid is so great these days. Stanford meets 100% of your “calculated need” — which is really awesome. 87% of Stanford students receive some type of financial aid.

Long story short, definitely apply.

Conclusion

So that’s it. Those are my Stanford admissions tips and other assorted ramblings. I wish you the best of luck in the admissions process. I know how scary this time can be, but it all works out in the end. Good luck!

Now that I’ve written this up, I’ll finally have a page to point people at when they ask for Stanford tips.

After the Google Instant announcement on Wednesday, I decided to build YouTube Instant, a site that lets you search across the vast YouTube video database in real-time.

Visit YouTube Instant

It started out as a bet with my roommate, Jake Becker. I bet him I could build real-time YouTube search in less than an hour. Sadly, I lost the bet – It took me 3 hours to finish it, and another couple hours to polish the user interface into what you see now at YTInstant.com. But, I’m happy with the result.

Before going to sleep on Thursday night, I posted this status update to my 700 Facebook friends:

After updating my status, I went to sleep. I awoke Friday morning to an inbox full of people congratulating me on YouTube Instant, sending me links to press coverage, and sharing it by the thousands on Twitter and Facebook.

The Washington Post called to do an interview, Venture Beat put my picture on their front page, and Mashable wrote a front page story …twice. YouTube Instant also made it to the All Things Digital front page and the Hacker News home page three times.

YouTube CEO Chad Hurley even asked me if I wanted a job …over Twitter!

The Media Frenzy

I can’t believe how much press my simple little tech demo has received! I’m both proud and humbled at the same time.

Here’s a list of the media outlets that have covered YouTube Instant so far:

Update [1/17/2012]: Here is a list of even more media articles that I never got a chance to look at or post here.

Needless to say, YouTube Instant has gone viral. Without pausing to worry about what caused this magical event to transpire, I set about upgrading my under-powered server to a much beefier configuration capable of handling the Slashdot effect. For most of Friday morning, my server was visibly struggling to serve the flood of web traffic.

After several nerve-racking minutes with the site offline, I finished the upgrade and got the site back online. I had to keep tweaking the Apache server settings on the live site to keep memory usage from spiking and locking up the server. Things eventually stabilized.

My Network Traffic - Last 30 Days

I built YouTube Instant using a combination of the YouTube API and YouTube search suggestions. I initially ran into some issues when Google automatically blocked my server for making too many repeated requests.

However, it took me 5 minutes to rewrite the site to query YouTube directly for search suggestions, eliminating the round-trip to my server. Now, all the magic happens in each visitor’s browser, so it’s faster than ever. (Thanks to Jake Becker for reminding me that <script> tags don’t have cross-domain restrictions!)

Thanks so much!

Thank you everyone for all your nice comments, helpful suggestions, and for spreading the word about YouTube Instant. I’m going to work hard over the coming days to make YouTube instant more full-featured – and even faster than it is now. Stay tuned!

Update: I met Chad Hurley (YouTube CEO) at YouTube HQ!

Update: YouTube Instant received 1 million visitors in 10 days!

Tweet

Related posts:

1. Psh… Google Instant? I built YouTube Instant.
2. YouTube Instant Around the World

Check it out: YouTube Instant.

Related posts:

1. YouTube Instant. The last two days…
2. YouTube Instant Shortlisted for Best API Use in .Net Magazine Awards

Dear Members of the Cult of Done,

I present to you a manifesto of done. This was written in collaboration with Kio Stark in 20 minutes because we only had 20 minutes to get it done.

The Cult of Done Manifesto

1. There are three states of being. Not knowing, action and completion.
2. Accept that everything is a draft. It helps to get it done.
3. There is no editing stage.
4. Pretending you know what you’re doing is almost the same as knowing what you are doing, so just accept that you know what you’re doing even if you don’t and do it.
5. Banish procrastination. If you wait more than a week to get an idea done, abandon it.
6. The point of being done is not to finish but to get other things done.
7. Once you’re done you can throw it away.
8. Laugh at perfection. It’s boring and keeps you from being done.
9. People without dirty hands are wrong. Doing something makes you right.
10. Failure counts as done. So do mistakes.
11. Destruction is a variant of done.
12. If you have an idea and publish it on the internet, that counts as a ghost of done.
13. Done is the engine of more.

from Bre Pettis – The Cult of Done. Via Soleio.

(Interesting fact: I wrote the entire final draft of this 25-page paper in less than 24 hours. Coding up the proof-of-concept attack page demo took two days, and gathering information took several weeks, but I finished the actual writing in less than one full day.)

Related posts:

1. HOW TO: Spy on the Webcams of Your Website Visitors