Archive for the ‘Development’ Category

Coding Oversight: Vodacom Security Breach

February 17, 2008

A simple coding oversight has left the Vodacom4me site vulnerable, allowing access to customers' private call records. The problem allows users to increment their customer number, thereby accessing other customers' accounts at random.

Here is a quick example of the problem. Say we have a call record page, callrecords.php, that displays a customer's call records.

The page accepts a customer id, which it then uses to query the DB and present the returned data, i.e. callrecords.php?customerid=12345
The parameter can be supplied via either a POST or a GET, and nothing ties the id to the logged-in user.

Now anyone with a little web knowledge can simply increment the id to, say, 12346 and thereby obtain the personal data of a random Vodacom customer.

Here is Vodacom’s response to the problem:

Vodacom spokesman Dot Field said that when the Sunday Times brought the matter to their attention, the vulnerable section of the website was “disabled with immediate effect”.

The weakness had made it possible to display random customer information from a “caching front end server” which briefly stored information. The main database of information was secure, she said.

I’m really not sure how they can say the main database remained secure. Another case of trying to throw technical terms in the air to try and cover up a blatant error.

Solution: Simple. Ensure your developers have the correct security training, and improve the QA process so that every record lookup is checked against the authenticated user rather than a client-supplied id.
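To make the fix concrete, here is an added example (not code from the original post or from Vodacom) of the call-records lookup written both ways in JavaScript. The request/session shape, the function names and the sample records are assumptions made for illustration; the point is that the hardened version takes the customer id from the server-side session established at login and refuses anything else.

```javascript
// Added example, not from the original post. Names and data are assumptions.

// Constructed sample data standing in for the customer call-records database.
const CALL_RECORDS = {
  12345: [{ to: '+27 82 000 0001', minutes: 4 }],
  12346: [{ to: '+27 83 000 0002', minutes: 12 }],
};

// Vulnerable version: whatever customerid arrives in the query string is used
// directly as the lookup key, so incrementing it reveals another account.
function getCallRecordsInsecure(request) {
  const id = Number(request.query.customerid);
  return CALL_RECORDS[id] || [];
}

// Hardened version: the customer id comes from the server-side session that
// was populated at login. A request for any other id is refused, and the
// refusal is logged so repeated probing is visible to the operations team.
function getCallRecords(request, log = () => {}) {
  const sessionId = request.session && request.session.customerId;
  if (sessionId === undefined) {
    return { status: 401, records: [] }; // not logged in
  }
  const requested = Number(request.query.customerid);
  if (Number.isNaN(requested) || requested !== sessionId) {
    log(`IDOR attempt: session ${sessionId} requested customerid=${request.query.customerid}`);
    return { status: 403, records: [] }; // not your account
  }
  return { status: 200, records: CALL_RECORDS[sessionId] || [] };
}
```

In practice the cleanest design drops the customerid parameter altogether and reads the id only from the session; the comparison above is kept so that a mismatch can be logged and alerted on, which turns an enumeration attempt into a detectable event rather than a silent data leak.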


Yahoo Maps ditches Flex in favour of Ajax

December 18, 2007

Today Yahoo Maps turned off the Flex 1.5 based maps application and launched a new version built upon AJAX.

Long story short, we have some work to do. We need to make Flex/Flash work with advertising so that it can become the primary content, not the ads. We need to get more developers trained on using Flash/Flex and especially ActionScript 3 so that teams and solutions can grow. We also need to highlight the APIs within Flash Player and make them easier to adopt. Many developers have no idea that these APIs even exist. As a medium, Flash Player still has some very large barriers to cross to see larger scale adoption and mainstream use.

From Yahoo Maps- From Flex 1.5 to AJAX

C# Pagination for Facebook iFrame Applications

December 18, 2007

The original PHP code is from Ascanio Colonna (Link)

facebook-pagination.txt

Massive href hacks MySpace

November 10, 2007

<a href="badplace.com" style="position: absolute; top:0; left: 0; height: 8000px; width:1000px"></a>

The above piece of HTML code, inserted into several MySpace pages, allows the download and installation of malware on unsuspecting users' machines. With the anchor positioned over the whole page and being so large, should the visitor mis-click any link, they will be redirected to the infected site. The user might not be suspicious on a media rich site such as MySpace, thinking that they need to install a codec to view a video etc.

For developers like myself, this introduces a problem. The rule is never to trust any user provided content and to remove scripts, iframes etc. With this exploit, we will need to validate all external links too, and inline styles that position an element over the page deserve the same scrutiny.
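As an added example (not code from the original post or from MySpace), here is a server-side check in JavaScript that a site could run over user-submitted profile HTML before storing it. It flags anchors whose inline style absolutely positions them with page-sized dimensions, and anchors whose href leaves the site. The allowlist of hosts, the size threshold and the function names are assumptions for illustration.

```javascript
// Added example, not from the original post. Allowlist and threshold are assumptions.

const ALLOWED_HOSTS = new Set(['myspace.com', 'www.myspace.com']); // assumed allowlist
const MAX_OVERLAY_PX = 2000; // assumed: larger than any legitimate link box
const BASE_URL = 'https://www.myspace.com/'; // assumed base for resolving relative hrefs

// Pull name="value" pairs out of a single opening tag.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
  }
  return attrs;
}

// Hostname the href resolves to; null if it cannot be parsed at all.
function hostOf(href) {
  try {
    return new URL(href, BASE_URL).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// True when the style takes the element out of flow and gives it
// page-sized dimensions, i.e. an invisible click-capturing overlay.
function styleOverlays(style) {
  const s = style.toLowerCase();
  if (!/position\s*:\s*(absolute|fixed)/.test(s)) return false;
  const dim = /(height|width)\s*:\s*(\d+)px/g;
  let m;
  while ((m = dim.exec(s)) !== null) {
    if (Number(m[2]) > MAX_OVERLAY_PX) return true;
  }
  return false;
}

// Scan submitted HTML and return every anchor with a reason it was flagged.
function flagSuspiciousAnchors(html) {
  const findings = [];
  const anchorRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[0]);
    const reasons = [];
    if (attrs.style && styleOverlays(attrs.style)) reasons.push('overlay-style');
    const host = attrs.href === undefined ? null : hostOf(attrs.href);
    if (host === null || !ALLOWED_HOSTS.has(host)) reasons.push('external-href');
    if (reasons.length) findings.push({ tag: m[0], reasons });
  }
  return findings;
}
```

Note that the post's snippet uses href="badplace.com" with no scheme, which a browser resolves as a relative path on the hosting site; the overlay-style rule is what catches that variant, while the host allowlist catches the absolute off-site form. A regex scan like this is a detection pass, not a substitute for a proper HTML sanitizer that rewrites the markup to an allowlist of tags and attributes.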

JavaScript Closures: An Example

November 2, 2007

Here is a common problem that will face any JavaScript developer sooner or later. The code below, as simple as it looks, introduces a bug that might not be picked up by the developer during unit testing.

   for(var i = 1; i<6; i++) {
        var div = document.getElementById('div' + i);
        // every handler shares the loop's single i, so each one alerts 'Al6'
        div.onclick = function() { alert('Al' + i); };
    }

The problem is that all elements that have the event attached will alert the same value. The solution is to use JavaScript Closures illustrated in the code below.

   for(var i = 1; i<6; i++) {
        var div = document.getElementById('div' + i);
        // doAlert is called now, with the current i, and returns the handler
        div.onclick = doAlert('Al' + i);
    }

    // each call creates a new scope, so the returned function
    // remembers its own value of what
    function doAlert(what) {
        return function() {
            alert(what);
        }
    }
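To see the difference without a browser, here is an added example (not the post's own code) that builds the five handlers both ways and has them return the string they would alert instead of calling alert(). The function names and the array-of-handlers setup are assumptions; the example also goes beyond the post by showing the block-scoped let form that later versions of the language added for exactly this case.

```javascript
// Added example, not from the original post. Names are assumptions.

// Buggy version: every handler closes over the same variable i, which is 6
// by the time any "click" happens, so all five report 'Al6'.
function buggyHandlers() {
  var handlers = [];
  for (var i = 1; i < 6; i++) {
    handlers.push(function () { return 'Al' + i; });
  }
  return handlers;
}

// Closure factory from the post: what is a fresh parameter binding per call,
// so each returned function remembers its own value.
function doAlert(what) {
  return function () { return what; };
}

function closureHandlers() {
  var handlers = [];
  for (var i = 1; i < 6; i++) {
    handlers.push(doAlert('Al' + i));
  }
  return handlers;
}

// Modern equivalent (ES2015 and later, which the 2007 post predates): a
// block-scoped let gives each loop iteration its own i.
function letHandlers() {
  const handlers = [];
  for (let i = 1; i < 6; i++) {
    handlers.push(() => 'Al' + i);
  }
  return handlers;
}

// Simulate clicking every element in turn.
function fire(handlers) {
  return handlers.map(function (h) { return h(); });
}
```

Running fire() over each set shows the bug directly: the buggy handlers all yield 'Al6', while the closure and let versions yield 'Al1' through 'Al5'.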

Ext 2.0 beta 1

October 19, 2007

The Ext team has recently announced the availability of version 2 of their popular framework. I’ve been an Ext developer for about 12 months now and am really excited by what version 2.0 promises.

Some cool Ext related links

.Mac Web Gallery: Great use of JavaScript

August 8, 2007

During Apple’s keynote yesterday in which they announced a new iMac, iLife 08, iWork 08, Airport Extreme and a new Mac mini, they also announced an update for .Mac.

The .Mac update included personal domains, increased storage and transfer limits and a Web Gallery.

The web gallery, which can be published with one button from iPhoto, gives a rich Web 2.0 experience and even works in IE on a PC. Developed using the Prototype and Scriptaculous JavaScript libraries, it introduces some really innovative ideas for displaying a large number of albums and photos.

The main page is a collection of album thumbnails that change as the user hovers over them. The powerful effect allows the user to quickly scan through the album’s photos without the need for a single click.

Once within an album, the photos are displayed in either a grid, mosaic, carousel or a slideshow. The user can quickly change the background colour, resize the photo thumbnails and subscribe to the gallery's RSS feed. The carousel view is the same as the cover-flow album art display that iTunes and the new iPhone use. Once the photos are fully loaded, its performance is really slick.

Congrats must go to the Apple developers that worked on the site. As a JavaScript developer, I'm really inspired by the quality of the work. My only criticism is that the main gallery JavaScript file weighs in at a whopping 404 KB. A minor issue though, if you consider the prevalence of broadband connections.

Link to a sample Web Gallery

Update:
Steve Brewer has posted a great analysis of the JavaScript code. He details how Apple left 128 lines of comments in and how the images are used inefficiently. By combining the images into batches of 20, each being 160px by 3200px, and then using them as positioned backgrounds, Steve's test results show speed improvements of over 400%. Pretty impressive!

Update:
Adam Houghton has done the seemingly impossible by creating a JavaScript version of coverflow. He has done a great job using GWT.
Link to demo
Link to Adam’s blog announcing GWT Flow

Ext JS 1.1 Final

July 31, 2007

Update:
Version 1.1.1 has been released. Here is a link to the changelog.

Congrats to the Ext JS team on the final 1.1 release of the popular JavaScript library Ext JS. Work on version 2.0 has already begun and promises to improve on an already brilliant framework. I hope all this hard work makes Jack and his team very wealthy.

Grab the latest bits here
Link to the Ext JS Blog entry


Wanted: Ajax Web Developers ($240k per year)

July 26, 2007

Careerbuilder.com has a position listed for an Ajax web developer that offers $240k per year. The only catch is that it is located in Iraq. That's right, Iraq.

The Department of Defense agency is looking for programmers to code and support the field deployment and maintenance of a new database application which will be used by Army units in Iraq.

The positions appear to only be for US Citizens.

Link

64 Squares: Great use of jQuery

July 13, 2007


My favorite JavaScript library, jQuery, has been used to great effect by 64 Squares. The site is a completely free, fully featured and easy to use online chess site with a clean and simple interface.

If you are a keen chess player and would like to see how far jQuery can be pushed, give 64 Squares a visit.