search

inmysocks / TW5-TWederation

Sharing data with tiddlywiki! TWederation!!
12 stars 3 forks source link

Security discussion #1

Open felixhayashi opened 8 years ago

felixhayashi commented 8 years ago

Hi @inmysocks,

since this is on GitHub now, I think it makes sense to discuss this here :) Sorry that the first issue I create is a security issue. Your TW5-TWederation approach is very creative and as said before has much potential, so I hope we can make this robust against any attacks.

Anyhow, here is my attack description and hopefully also @Jermolene can make some remarks or refute my argumentation:

Attack description

  1. Some new person enters the community and tells everybody "Hey, I have a cool plugin you guys need to install".
  2. Since many people in the community are (a) not sensitive to security issues or (b) blindly trust other people or (c) are not programmers, they are curious and install the plugin without checking the code.
    • Without people knowing it, the plugin is "evil" and overrides some plugin-tiddlers of Jed's federation plugin – more precisely, the part that listens for tiddler-bundle requests – and replaces it with its own version.
  3. After the user saved and restarted the wiki, the evil plugin now (instead of Jed's plugin) waits and listens for new bundle request to arrive.
  4. Once a request comes in, it creates a bundle that also contains itself or a minimized of version of itself as "evil" tiddler along with the other tiddlers in the bundle.
    • This evil tiddler essentially contains a javascript startup module.
    • (If #1573 is accepted and a $:/tags/StartupActions tag is available, this could also be used.)
  5. The wiki that requested the bundle unpacks the bundle in the wiki and also the evil tiddler.
  6. On next startup, the evil tiddler (which is a startup module) is loaded and step 3. takes place now. And so it goes on and on.

Without anybody noticing, it infects wiki after wiki by reproducing itself. What damage can it inflict? Steal data by sending data to a server using ajax; vandalism (deleting all tiddlers); botnet attacks etc.

Now @tobibeer said "trust your sources", but this is not about trust, because I trust some people in the community, but it is impossible to expect from all of them that they would not at some point make the tiny mistake to install a plugin that looks cool but which is in fact a virus.

Furthermore, the argument "that could also happen using import" is misleading: The import process is not as automated as the federation-bundle-request-sharing process is and it most certainly not as "connected" as federations are.

-Felix

inmysocks commented 8 years ago

I put this on github so people can point out problems like this, I would be disappointed if no one did.

Step 5 is the part that I think is the most pessimistic in your scenario and is also why the tiddlers need to be manually unbundled. The automated part pulls an inert tiddler containing only plaintext. This doesn't completely remove the problem but I don't think it does make the comparison between this and the normal tiddler import valid. I don't intend on ever allowing tiddlers to be automatically added to the receiving wiki.

It will always take user actions to import any sort of active content to a wiki so worm-type attacks like you describe are in the realm of social engineering. I would like to make it as hard as possible for people to import malicious code but I don't know what to do about this particular attack surface. I hope other people have some more input about how dangerous this could prove to be.

felixhayashi commented 8 years ago

Hi Jed,

Step 5 is the part that I think is the most pessimistic in your scenario and is also why the tiddlers need to be manually unbundled. The automated part pulls an inert tiddler containing only plaintext. This doesn't completely remove the problem but I don't think it does make the comparison between this and the normal tiddler import valid.

What I tried to get at was that with the federation mechanism, it is really "import 2.0", i.e. everything will be much easier and faster, so stuff – also evil – can spread faster. But I forgot that you do not automatically unbundle the imported tiddlers. That is already a big stopper for evil tiddlers :+1: In this case, yes, it is like classic "import" and the discussion is more a general discussion about security in TW in general which is not directly related to federations and your mechanism.

So I begin to think that in TW, some security barriers would be appropriate. For example on unix systems, programs cannot simply execute themselves with root access rights or modify system program files. This means they cannot come along and modify any critical piece of code that is executed by the system unless the user explicitly allowed it. In contrast in TW, every tiddler can be hijacked. For example, I could create a plugin that overrides the link widget and modify the dragStartEvent function in order to attach other stuff than what was intended to be dragged. Then I tell the community to dragndrop stuff from my wiki because it's cool and they should try it out. This way a virus could slowly replicate from wiki to wiki if it also affects their dragStartEvent function.

Maybe we should create a white hat hacker task force that tries to create a virus and see how it spreads to create proof of concepts so we can guard against that :) not sure what Jeremy would think of that though… In any case, I think it makes more sense to open a ticket regarding TW security at the TW repo.

-Felix