Explore Murray's entire Computer section or visit his Homepage (cool things to be found there!)

 

 
iBlog Security Issues
 

Apple has just offered a free copy of iBlog by Lifli Software to its .Mac subscribers. iBlog has a nice interface that allows you to create very functional and attractive web journals, and it makes it possible to post these journals either to your .Mac account or to a local directory (where you can copy it to your own web site).

One of the features of iBlog is the ability to have a "private" web log. Here you create a username/password combination, and the published web site requires a login process before you can view the contents. It's a nice feature if you would like a journal that just a few close friends can view. I was considering it for a journal that I would probably just keep to myself where I could express my candid thoughts about life, friends, and things I didn't want to "get out". But I'm paranoid, so before implementing this thing, I wanted to see how iBlog implemented its security.

iBlog Security Mechanism - Javascript

Private blogs have an authentication page called "Login.html" that requires you to type in a username/password combination. If you type the right combo, it sets a cookie to reflect that you have authenticated and forwards you to the root of the private blog called "index.html". The index.html page uses JavaScript to check to see if the authentication cookie was set, and if not it displays an error message and then sends you back to Login.html.

So what happens if you turn off Javascript in your browser? If you know the full path to the index.html file, you can access the private blog as though you had properly authenticated yourself! An additional vulnerability, the source code in the Login.html file spells out what the values for the authentication cookie should be so you can set your own cookie if you know how. (I haven't tried.)

Security by Obscurity - Not

One could have a fairly secure system if the private blog were located in an unknown subdirectory whose name was hash-derived from the actual username/password login. If an unwelcome guest was unable to intuit the location of the index.html file, this shoddy security would not be vulnerable. But alas, iBlog puts the index.html file in the exact same path as the Login.html.

Vulnerable Sites Found via Google

The final straw is that Google (and any web crawler) is able to lead you straight to these insecure web logs. The Login.html page has specific text (including the title of "Authentication Check") and it doesn't set any "robot" meta tags that would prevent the page from getting indexed. Thus, if you type in the right criteria, Google will give you a handful of sites that you can break into instantly. (Just turn off Javascript, replace Login.html with index.html and voila!)

Very Fixable Issues

What's remarkable is how easy these problems would be to fix. The Login.html could have a simple "robots" meta tag asking that the page not be indexed. The Login.html page could derive a hash from the username/password combo and use that as a subdirectory under which the rest of the blog could be hidden. Until that is fixed, there are two ways to protect yourself if you still want to use a private iBlog:

  1. Use some other server mechanism to secure the private blog's directory. This is doable only if you have control over your web server.
  2. Do NOT create any links to the Login.html page. If a web crawler finds the page, it'll lead bad people straight to you. If the Login.html page itself is in an obscure location, you are still nominally protected.

Setting Server-side security with .Mac HomePage

Thanks to an anonymous poster on the .Mac discussion group, I've learned that you can set password protection on portions of your .Mac HomePage account. The instructions are here. Basically you tell .Mac you want to define a new "site" (which means a new subdirectory under your Sites folder on your iDisk) and give it some appropriate name. Password protect that directory, and then from within iBlog (under Preferences) you specificy which directory in your .Mac account you want to set aside for iBlog to publish the web log. Not hard to do.

Quick errata: it appears you cannot setup .Mac to implement server-side security. Or you can, but only for pages created by .Mac's "online homepage builder" software and not a custom app like iBlog. If you create a "site" as I'd suggested earlier, you are not allowed to access the folder yourself. You can only add pages via the .Mac web interface. So scratch that. Thanks for Jon Taylor for keeping me honest there.

Beyond that, I actually find iBlog to be a very nice little product. Hopefully they'll patch up these problems quickly.


Murray is an actor/filmmaker/writer/computer geek in Los Angeles, CA. He's become a fanatical OS X user since its early prerelease days. Before that he worked hard on "that new-fangled thing called Linux". Perhaps the biggest feather in his "Macintosh cap" is being co-author of the Wrox Press book, "Early Adopter Mac OS X Java".

 
 

written materials and original images copyright © 2003 by Murray Todd Williams

site issues, problems or corrections? contact webmaster@murraywilliams.com. Page last updated 1-nov-03 13:09