The Blog of Tom Webster

Chronic Ranter, Reviewer, and Developer. I speak only for myself, opinions are my own.

Nasty Google Drive Permissions Bug

  2015-02-05 18:26:00 PST

As some of you know, I co-host Security:inThirty with Chaim Cohen. We get emails from time to time from listeners with questions, comments, and stories. One frequent listener informed us about a very strange security problem they were running into with Google Drive: They can access someone else's files, even though they haven't this user hasn't shared anything with them.

As strange as this issue seems at first glance, I couldn't dismiss it as user error, as I had seen the same thing once in the past myself, and have read about it happening in a few other instances. The user in question is Gunnar Haid, he's technically apt and security aware. This isn't user error (at least on his part), and I doubt this is human error by the other user either (more on this in a bit). This problem isn't widespread (as far as I can tell), but other Drive permissions bugs have been very prevalent in the community (such as being unable to delete files you own).

I was sent an email thread and several screenshots detailing the problem. I am not releasing either in the interest of privacy (most screenshots would need to be heavily censored, removing the point of posting them). The first thing Gunnar did was contact Google support, the right move. One support rep was convinced that the other user had marked their files as "public on the web", this is not the case. Gunnar has provided screenshots showing file permissions that list only the owner has access and that link sharing is disabled. Gunnar was then passed around to a couple other support reps, running in circles trying to explain the same issue, to no avail. As it stands today, Google requested (and has received) screenshots, but has not responded to the issue since October 1st 2014.

The user in question who is having their data leaked by this bug is very technical as well. They have several websites and work in a tech-based field. The filenames also lend me to believe this person is very technical and working with advanced tech (for non-tech people, anyway). For obvious reasons, I can't go into personal details beyond that, but needless to say, this user is also very technically apt.

This isn't a case of user error, this looks like a pretty serious bug that Google needs to take a hard look into. The big issue here is someone's files are completely accessible by someone else who has no relation to the user. Our show has a small (but dedicated) following and it makes me wonder how widespread this issue is. It doesn't seem widespread, but I have no way of knowing for sure. If Google would comment on the issue, I'll be more than happy to post the response, at the moment, I'm only concerned with getting this fixed and figuring out why it happened in the first place.

DeadDrop

  2014-10-26 05:26:00 PDT

I am just on a roll this month! Here's a stupid-simple Sinatra app I created for my wedding attendees. Weddings generate a lot of pictures. An insane amount of pictures. I needed a fast, easy way for attendees to upload their pictures to my Amazon S3 bucket without too much technical know-how. While Facebook and Google+ are really nice for sharing photos, I wanted the originals, in their original forms, without any added compression or tinkering.

Enter DeadDrop, a simple upload web app that works with the local filesystem or Amazon S3. This app accepts uploads of any file type by default, of any size, of any number (these things can be limited, check out blueimp's documentation on how to make this happen). Drag and drop support as well as a fallback form is included.

The app doesn't give out or support links to uploaded files, so it isn't really appropriate for a file locker service at the moment. If you'd like to make this happen, send me a pull request.

GreenBoard

  2014-10-25 17:00:00 PDT

Here's a huge project that I'm happy to open source: GreenBoard. It's a simple web app designed to be displayed on a vertically-oriented TV in a manufacturing environment. The premise is simple, you take pre-run measurements, if they come back green, run parts, if they come back red or yellow, you should fix things before you run parts. Without delving too much into specifics, it lets you specify and take measurements against pieces of equipment, and get a quick look to see if they are within the tolerance values you specify. This is probably best illustrated with a picture:

Table cells are colored depending on whether or not they are in-compliance with the values you have specified.

There are some existing products that do this, but nothing was open source or generalized enough to fit the requesting company's specifications, so we decided to build one ourselves.

This was designed with audit compliance in mind, so all tables are using PaperTrail. Even if a user deletes the tables they control, you can still look back on history for audit compliance purposes.

There's still a good bit of work to complete on this project, such as building an API, pulling new values into the page in a modern way, not using a jQuery polling hack (it's really nasty...), moving configuration to environment variables with Figaro, and additional logon methods (for all you Google Apps users out there). If you'd like to help out, check out the GitLab Project. I am accepting merge requests and can help out with deployment or other questions if they come up. Have fun!

MarkSport!

  2014-10-01 15:37:00 PDT

I've created yet another stupid simple little app. We love Markdown for our documentation, but with we could make it pretty with Bootstrap. Totally doable with some linking stylesheets and javascript, but we love having everything in one HTML file. From shell script to simple web app, MarkSport allows you to put in your markdown, some variables, and export a self-contained, bootstrapified HTML file, ripe for downloading.

Why not PDF? Some people hate them. Some people love the way bootstrap looks on a mobile device. Etc.

You can check out the app here: https://marksport.herokuapp.com

Of course, this is all open source: https://gitlab.com/samurailink3/marksport

HIVEMIND: Open source anonymous imageboard software

  2014-09-20 10:07:00 PDT

I'm happy to announce and launch my newest project: HIVEMIND

tl;dr: It's open source image board software that you can find here: https://gitlab.com/samurailink3/hivemind

Over the past year, I've seen certain communities on the internet become more locked down, more moderated, more censored. I'm not referring to any one incident, just a general trend I've noticed, and have been concerned about. I wanted a pet project that would allow people to stand up communities quickly and easily, with their own rules on their own terms. That's where HIVEMIND comes in.

The site I've launched is just a reference implementation, not the grand solution, the solution is the open source software that makes it easy for people to create a public forum, without usernames or real names, to have discussions on any topic of their choosing. It's very early in development, and I have a lot of plans for it in the future. For now, test it out, hack on it, create feature requests and bug reports on GitLab, and if you want: Stand it up on your own server.

Source here: https://gitlab.com/samurailink3/hivemind

Install guide here: https://gitlab.com/samurailink3/hivemind/blob/master/Install.md

Try it out here: https://hivemind-app.herokuapp.com/

Page: 9 of 32