You know, I was wondering about the speed of implementation for all these badges and widgets appearing on the Web. I thought to myself, was it really that easy to create a me-too fundraising widget? What was the barrier to entry? I decided to discuss the technical specifications of the technology. Now, I’m an old Internet hand. I still remember finger and gopher. I’ve held not one but two jobs with the title of “webmaster” (blast from the past, huh?). However, I wouldn’t call myself a security guru.
Unfortunately, I found out within minutes that it’s remarkably easy to reverse-engineer a reasonable facsimile of any widget and create a donate button that does NOT point to the widget host’s donation processing facilities. I’ve tried it with Network For Good’s badge and Firstgiving’s widget. You can’t easily do it with Chipin’s widget but it’s possible. All you need is a little time with Flash but the other fundraising widgets are much too easy to duplicate. See my evil widget to the right?
Why is it possible to build something that looks like a legitimate widget? The links that are given to bloggers, MySpace denizens, website owners, et al. are built on IFRAME tags that point back to the widget provider’s web site. For instance, this is Network For Good’s HTML snippet (I’ve taken out the surrounding greater than and less than symbols):
IFRAME SRC="http://www.networkforgood.org/pca/PersonalCharityBadge.aspx?pcaid=100050" width="160" scrolling="no" height="528" frameborder="0" style="height:528px;width:160px"
OK, now go to the URL in the SRC attribute: “http://www.networkforgood.org/pca/PersonalCharityBadge.aspx?pcaid=100050”. Now that you’re there, click on the view source button in your browser. With some very minor tweaks, you can change the destination address of the donate button as well as other parts of the code and in almost no time at all, you too can host your own evil widget. If you take a look at the right sidebar, you will see that the donate button points toward “https://www.evil_domain.org”. Now save that code with the changed URLs in it and place it on your site and call it “test.html”. Now take that original IFRAME tag and change it to:
IFRAME SRC="http://www.yoursite.com/test.html" width="160" scrolling="no" height="528" frameborder="0" style="height:528px;width:160px"
And voila! you have the widget. You can go to http://www.nonprofittechblog.org/test.html and then hit view source so you can see how it’s done. I made some changes to URLs and you can easily figure them out if you’ve got even the most elementary CSS chops.
This means that these widgets can be turned into phishing sites fairly easily. My suggestion to the widget builders is that they re-architect the site in various ways:
- Switch to Flash. This will raise the barrier of entry somewhat for would-be phishers. This should keep them out for as long as it takes them to download the appropriate warez and get some Flash skills.
- Authenticate everyone who wants to use a badge on their site. When they register the use of the login, send them e-mail with an authentication key that has to be installed as part of the IFRAME src tag.
- The SRC attribute in the IFRAME tag should not immediately return viewable code but should instead look for some sort of authentication key that is part of step 2.
- Consider packaging the widget as a downloadable that people will have to install on their sites. Re-architect the widget to use its location URL as part of the authentication key.
- Switch the design of the widget every so often and ask people to double-check with the widget provider’s website for visual confirmation that the widgets match.
- Create an internal utility that sweeps through all the registered URLs and ensures that the donation code is what was originally sent out. If it’s Flash, ask the app to perform some sort of CRC check and perhaps some sort of built-in integrity check.
- Make sure that people know what the donate page is supposed to look like. In fact, make sure that people know what the proper donation URL is supposed to look like.
- Implement SSL on the IFRAME src and a “check our cert” button if people click for more info on the widget’s cause. Or just simply a redirect straight to an SSL-enabled page.
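As an added example of the sweep utility suggested above (my own illustration, not code from the post or from any widget provider), here is a small checker that takes the HTML of a badge instance, collects every link target and form action a donate click could follow, and reports any that leave the provider’s own domains. The allowlist of hosts and the sample badge pages are assumed and constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the hosts a legitimate badge is allowed to send donors to.
ALLOWED_HOSTS = {"www.networkforgood.org", "networkforgood.org"}


class TargetCollector(HTMLParser):
    """Collects the href/action targets that a donate click could follow."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.targets.append(attrs["action"])


def foreign_targets(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the targets in `html` that do not stay on the allowlisted hosts.

    Relative targets resolve to the badge host itself and are accepted.
    Non-http(s) schemes (e.g. javascript:) are flagged, since they can
    redirect the donor anywhere without naming a host.
    """
    parser = TargetCollector()
    parser.feed(html)
    bad = []
    for target in parser.targets:
        u = urlparse(target)
        host = (u.hostname or "").lower()
        if u.scheme not in ("", "http", "https") or (host and host not in allowed_hosts):
            bad.append(target)
    return bad


# Constructed sample pages: a legitimate badge, and a tampered copy whose
# donate button points at the phishing host used as an example in the post.
GOOD_BADGE = '<div class="badge"><a href="https://www.networkforgood.org/donate?pcaid=100050">Donate</a></div>'
EVIL_BADGE = '<div class="badge"><a href="https://www.evil_domain.org/donate">Donate</a></div>'

if __name__ == "__main__":
    for name, page in (("legitimate", GOOD_BADGE), ("tampered", EVIL_BADGE)):
        print(name, foreign_targets(page) or "ok")
```

Run against each registered badge URL on a schedule, a non-empty result is the signal that a hosted copy no longer sends donors where the provider sent them.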
Nothing’s perfect with these solutions because the one thing that’s really scary will be the ability of phishers to recreate these widgets and point their donate buttons at illegitimate web sites. We know donors won’t necessarily be looking to check for proper URLs but the widget providers will have to give them the tools to do so.

Great points, but I wonder if it’s the widgets themselves that are the issue here. Seems like even in a time long ago, pre-widget era (somewhere between Web 1.0 and Web 2.0) you could make basic HTML Web pages that looked just like that of an official non-profit, and run your phishing campaign.
It seems to me that what could really be used here is a “Verified by XXX” icon, dynamically generated on donation pages, much like those Verisign buttons you get when you go to make a payment on an SSL page verified by Verisign. That way, no matter if someone is coming from a widget or a full Web site, when they land on the donation processing page they can be assured that the organization is legit.
Best,
Ryan
Agreed. It is still possible to create a fake site as part of your phishing campaign. The problem here is that people (including myself) immediately assume that these widgets are somehow safe despite the fact that they’re hosted on other people’s websites. So… the normal assumptions associated with fake phishing sites no longer apply. This is not a good thing. People will have to add yet another weapon to their phishing detection arsenal.