This page contains all of the posts and discussion on MemeStreams referencing the following web page: MemeStreams click-throughs appearing on YouTube.

MemeStreams click-throughs appearing on YouTube
by noteworthy at 8:20 pm EDT, Mar 12, 2007

If you go to YouTube and do a search for MemeStreams, you'll come up empty (at the moment, anyway).

But that's perhaps misleading, because there are references on the site.

This link will show you which YouTube pages are referencing MemeStreams. Here's a summary at the moment:

Jay Beale vs Dan Kaminsky - The Movie

1 clicks from

http://www.memestreams.net/search/?search=jay+beale

1 clicks from Jay Beale vs Dan Kaminsky

http://www.memestreams.net/users/abaddon/blogid9772273/

The Terrorism Index: Are We Winning?

(No "links" references; linkage is in Google's hypertext index)

Originally linked from Center for American Progress | The Terrorism Index

Ganja Kru - Super Sharp Shooter (1995)

12 clicks from MemeStreams | Information Warfare for The People!

http://www.memestreams.net/topics/

American soldier crying for their life in America war irak

3 clicks from YouTube - American soldier crying for their life in America war irak

http://www.memestreams.net/users/pnw/blogid321035/

Homeland Marketing Fiasco

1 clicks from RE: cbs4boston.com - Hoax Devices Creating Gridlock In Boston

http://www.memestreams.net/thread/bid28571/blogid302460

Autechre 'Gantz Graf'

5 clicks from MemeStreams | Information Warfare for The People!

http://www.memestreams.net/topics/

Four Months of News Good Evenings in 47 Seconds

1 clicks from

http://www.memestreams.net/memebox?mode=showmeme&oid=422632

Conceivably these referring URLs could contain 'private' information. At the moment, they include URLs like this:

http://www.memestreams.net/memebox?mode=showmeme&oid=422632

That isn't really a secret, but it's not a URL you'd serve up to just anybody. (The message doesn't display if it's not yours.)

People should be aware that their web browser may publicize their MemeStreams search queries via the "referer" [sic] header, which may then be posted publicly by YouTube for others to see.

Search queries are frequently exposed via referral URLs, but it is perhaps less common to see them posted publicly like this.


 
RE: MemeStreams click-throughs appearing on YouTube
by Decius at 8:25 pm EDT, Mar 12, 2007

noteworthy wrote:

http://www.memestreams.net/memebox?mode=showmeme&oid=422632

That isn't really a secret, but it's not a URL you'd serve up to just anybody. (The message doesn't display if it's not yours.)

No, it doesn't, but other vulnerabilities could be employed to delete it from your memebox. You'd have to guess which user and entice them to click on a link. Unfortunately there is no fast and easy way to resolve that, but thanks for pointing it out...


  
RE: MemeStreams click-throughs appearing on YouTube
by Acidus at 9:01 am EDT, Mar 13, 2007

Decius wrote:

noteworthy wrote:

http://www.memestreams.net/memebox?mode=showmeme&oid=422632

That isn't really a secret, but it's not a URL you'd serve up to just anybody. (The message doesn't display if it's not yours.)

No, it doesn't, but other vulnerabilities could be employed to delete it from your memebox. You'd have to guess which user and entice them to click on a link. Unfortunately there is no fast and easy way to resolve that, but thanks for pointing it out...

As for the deleting problem, this is simply XSRF rearing its head again, and actually you can fix it fairly easily: Always always always have a landing page!

Right off the bat, I should never be able to visit a single URL and have the result of me visiting that URL be that a meme gets deleted.

1- This violates RFC 2616 about HTTP's "safe" methods GET and HEAD vs. a POST.
2- This is why Google's Web Accelerator fucked so many websites (mainly people who learned some Ruby and Rails and suddenly thought they were web developers).
3- This makes you way vulnerable to XSRF. I just point the target of a hyperlink or an IMG+SRC, etc., at the "delete" URL and watch the fun.

Every "delete this meme" link should take you to a page that says "are you sure?" On that "are you sure" page, the server should place a random, time-limited token in a hidden HTML field. The "yes, delete this" should be a button that causes an HTTP POST back to MemeStreams with the oid of the meme and the random token. Only if the supplied token matches what the server pushed down should the meme be deleted.

I can think of two special cases where an "Are you sure" landing page isn't practical for deleting a meme on MemeStreams:

1- Multiple-select memes in the Memebox summary page to delete. The "delete" button already makes a POST, so you are safe there. Every time the summary page is generated, a random token should be sent down in a hidden HTML field. If you really want to be paranoid you can store on the server, in your Sessions collection, which oids can be deleted with a token for that user. That way a single token generated from a Memebox summary page cannot be used to delete memes that weren't shown on that summary page. Regardless, you can fix this.

2- When viewing a single meme. Again, same as before. Make "delete this meme" a button and style it to look nice. Send down a token whenever someone looks at an individual meme.

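The token scheme Acidus describes in the post above, worked through as an added example (this is illustrative code, not MemeStreams' own; it assumes an in-memory server-side session, a ten-minute token lifetime and integer oids, all of which are assumptions). It covers both the "are you sure?" landing page and the paranoid variant for the summary page: the token is random, single-use, time-limited and bound on the server to the set of oids that were actually shown, and a plain GET to the delete URL does nothing.

```python
"""Added example: landing-page + single-use token defence against XSRF for a delete action."""
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime of an issued token (ten minutes)


class Session:
    """Server-side session for one logged-in user.

    `tokens` maps each issued token to (expiry time, oids it may delete).
    Because it lives on the server, an attacker who knows an oid still cannot
    forge a token; they would need the victim's session to have issued one.
    """

    def __init__(self, user):
        self.user = user
        self.tokens = {}


def issue_delete_token(session, oids, now=None):
    """Called when the 'are you sure?' page or the Memebox summary is rendered.

    Returns the random token to place in the hidden HTML field, and records
    server-side which oids that token is allowed to delete.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session.tokens[token] = (now + TOKEN_TTL_SECONDS, frozenset(oids))
    return token


def handle_delete(session, memebox, method, params, now=None):
    """Handle a delete request. Returns (http_status, message).

    `memebox` is a set of oids owned by the session's user. A meme is removed
    only for a POST carrying a fresh, unused token that was issued to this
    session for this oid. A GET (a hyperlink, an IMG SRC, a prefetcher) is
    rejected outright, which is what keeps the URL alone harmless.
    """
    now = time.time() if now is None else now
    if method != "POST":
        return 405, "delete must be a POST from the confirmation page"

    token = params.get("token")
    oid = params.get("oid")
    if token is None or oid is None:
        return 400, "missing oid or token"

    # Single use: the token is consumed whether or not the rest succeeds,
    # so a leaked or replayed token buys the attacker nothing.
    entry = session.tokens.pop(token, None)
    if entry is None:
        return 403, "unknown or already-used token"

    expires_at, allowed_oids = entry
    if now > expires_at:
        return 403, "token expired"
    if oid not in allowed_oids:
        # Token was issued for a different page; refuse, as the paranoid
        # variant in the post requires.
        return 403, "token not valid for this oid"
    if oid not in memebox:
        return 404, "no such meme in your memebox"

    memebox.discard(oid)
    return 200, "deleted"


def demo():
    """Walk through the attack and the legitimate flow; returns the observed statuses."""
    session = Session("noteworthy")
    memebox = {422632, 422633}  # constructed sample oids

    # 1. The XSRF attempt: a bare GET to the delete URL, e.g. via <img src=...>.
    attacker_get = handle_delete(session, memebox, "GET", {"oid": 422632})[0]

    # 2. Legitimate flow: user views the meme, server issues a token, form POSTs it back.
    token = issue_delete_token(session, [422632], now=1000.0)
    legit = handle_delete(session, memebox, "POST",
                          {"oid": 422632, "token": token}, now=1001.0)[0]

    # 3. Replay of the same token after use.
    replay = handle_delete(session, memebox, "POST",
                           {"oid": 422633, "token": token}, now=1002.0)[0]
    return attacker_get, legit, replay, memebox
```

The important property is that knowing the oid (which leaks through the Referer anyway, as the thread shows) gives an attacker nothing: the only request that deletes is a POST that the victim's own browser builds from a page the server just rendered for that victim.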

 
MemeStreams click-throughs appearing on YouTube
by Acidus at 9:15 am EDT, Mar 13, 2007

noteworthy wrote:
Conceivably these referring URLs could contain 'private' information. At the moment, they include URLs things like this:

http://www.memestreams.net/memebox?mode=showmeme&oid=422632

That isn't really a secret, but it's not a URL you'd serve up to just anybody. (The message doesn't display if it's not yours.)

People should be aware that their web browser may publicize their MemeStreams search queries via the "referer" [sic] header, which may then be posted publicly by YouTube for others to see.

Search queries are frequently exposed via referral URLs, but it is perhaps less common to see them posted publicly like this.

The number one rule of web security is "Don't trust what you get from the client." Rule number 1a (because it's derived from rule 1) is "Never give the client anything that is a secret or private, because you cannot trust them to keep it a secret."

Given rule 1a, why are you guys considering anything in the URL of a Memestreams link a secret? It's common to make this mistake. Google made the same mistake with the Zoom feature in Google Maps, allowing the Google Maps Zoom Hack.

Who cares about an oid? If your web app is secure, it doesn't matter. Does it matter that the Scarface DVD has a product code of 1234567 on Amazon? No, because everything bad I could do with that knowledge (using XSRF to add my upcoming book to your shopping cart, for example) is protected against.

