[tahoe-dev] report of an unsuccessful assault on our fortress

Zooko O'Whielacronx zooko at zooko.com
Mon Jul 26 03:54:56 UTC 2010


Wade Simmons told me that he spent several hours trying to exploit
Tahoe-LAFS in order to create and win the Fourth "I Hacked
Tahoe-LAFS!" T-Shirt, but that he couldn't figure out how to do it.

I work with Wade at SimpleGeo and I have a high opinion of his
engineering skill.

He explored what seemed to be the most promising approach, ticket
#615. The scenario is that you have access to read a confidential
file, or you have access to write to a file which you don't want the
attacker to be able to overwrite, and you are using this access
through your web browser which is pointed at http://localhost:3456 to
connect to your tahoe-lafs web gateway. Then you load an
HTML+JavaScript file which was written by the attacker in another tab
of the same browser, or even in the same tab in which your sensitive
file was previously displayed.

The attacker wins if he (the human who wrote the HTML+JavaScript page)
can learn the contents of your confidential file or can cause the
contents of your sensitive file to be overwritten.

I had thought, based on what a few web security experts had told me,
that it would be easy for the attacker to take advantage of this
situation, but Wade reported that he was unable to do it. He was using
Safari 5 for testing.

Well! This is encouraging! Perhaps the browser's regrettable "Same
Origin Policy" has not completely neutered Tahoe-LAFS's defenses
against malicious JavaScript loaded from the same origin and running
in a separate tab of the same browser. Wade reported that he was
always stymied by the fact that the page he was trying to get access
to had an unguessable URL. I told him that the web security experts
had told me that it is possible for the malicious JavaScript to learn
the URL of the other page, but he reported that he was unable to do
so.

Great! That means that *you* oh gentle reader, now have your chance to
cause the Fourth Ever "I Hacked Tahoe-LAFS!" T-Shirt to come into
existence and be yours!

Regards,

Zooko



More information about the tahoe-dev mailing list