blog of the software engineering student and occasional tweeter

Google Hangouts Have Stupidly Obvious Security Flaws

Tuesday, May 21st, 2013

I was just watching, as part of YouTube Comedy Week, a live broadcast of Day 1 — YouTube FanFest with HP, hosted in Singapore. It featured a Google Hangout with one of my favourite YouTube celebrities, Natalie Tran aka communitychannel, who lives in Australia and was unable to make it to Singapore for the live event. Now, you would expect IT security to be decent when it comes to a YouTube event like this one, even more so considering the event was sponsored by a large corporate company like HP. But it really wasn’t, and I feel both ends are to blame.

The Google Hangout session was screencasted by the host at the event in full-screen view, and by that I mean you could see the entire screen real-estate, taskbar, notification area and menu bars included.

[Image: google-hangout-communitychannel]

You were therefore able to see the Google Hangout session identifier very clearly in the URL, in 1080p HD. Take a look above; it’s https://plus.google.com/hangouts/_/0b03ee704e9d7337b73bf36109b1168aab667b76?hl=en. That means any one of the 5,300+ people watching live on YouTube was able to simply type the URL into their browser, reading it off the YouTube video like I did, to hijack the Google Hangout session and talk to Natalie Tran (♥). And two people did, at 2 hours and 37 minutes in. One of them apparently flashed a naked photo, which happened while the camera was pointing at the audience and you could see everyone laughing. Neither the host nor Natalie Tran knew what was going on, but they went along with it for a short while, with Natalie awkwardly joking about how they were her Internet boyfriends and such.

While that is funny, it’s not acceptable. First of all, the browser used at the live event, which as seen above was Google Chrome, should have been in full-screen mode, obscuring any URLs from view. Secondly, and this is the real issue: Google’s developers should have been less naïve and realised that just because it is improbable that an outsider will see the URL of a Google Hangout, that doesn’t make it a good idea to put the session identifier in plain text in the URL. They should have used a session cookie, which is not on display to anyone who can see the screen of a Hangout user while a Hangout is in progress.

Knowing the session identifier, anyone is able to join a Google Hangout without authorisation from anyone presently in the Hangout. Since I don’t use Google Hangouts, I don’t know whether there is a way to force authorisation before joining, showing video and speaking on a Hangout, but if there isn’t, this is an absolute failure of product security by design and requires urgent attention.
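The difference between a link that is itself the credential and a link that only lets you knock, as an added toy model (my own illustration, not Google’s code; every class and method name in it is invented):

```python
# Added example, not Google's code: a toy model of a video-session join flow.
# LinkOnlySession grants entry to whoever presents the session id from the URL,
# which is all the leaked link above required; AdmissionSession keeps the same
# link but makes an existing participant admit the newcomer first.
# All class and method names here are invented for the example.
import secrets

class JoinDenied(Exception):
    """A join or admit attempt was refused."""

class LinkOnlySession:
    """Bearer-link session: knowing the id is the only credential."""

    def __init__(self, host):
        self.session_id = secrets.token_hex(20)  # 40 hex chars, like the id in the URL
        self.participants = {host}

    def join(self, who, presented_id):
        # Anyone who saw the URL (screencast, screenshot, shoulder-surfing) gets in.
        if presented_id != self.session_id:
            raise JoinDenied("unknown session")
        self.participants.add(who)
        return True

class AdmissionSession(LinkOnlySession):
    """Same link, but a current participant must admit the newcomer."""

    def __init__(self, host):
        super().__init__(host)
        self.waiting = set()
        self.audit = []  # record of who asked and who admitted them

    def join(self, who, presented_id):
        if presented_id != self.session_id:
            raise JoinDenied("unknown session")
        self.waiting.add(who)  # knocks only; no audio or video yet
        self.audit.append(("requested", who))
        return False

    def admit(self, approver, who):
        if approver not in self.participants:
            raise JoinDenied("only a participant can admit")
        if who not in self.waiting:
            raise JoinDenied("no pending request")
        self.waiting.remove(who)
        self.participants.add(who)
        self.audit.append(("admitted", who, approver))
        return True
```

With admission in place, a leaked link still lets a stranger appear in the waiting list, but nothing is shown or heard until someone already in the session lets them in, and the audit list records who did.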


University of Auckland Exam Grade Poller

Monday, March 12th, 2012

Those who have been following will be glad to know that I have completed the University of Auckland Exam Grade Poller, written in object-oriented Python. If you haven’t been following or don’t know what this is, well, if you happen to go to Auckland Uni this might benefit you if you would like to be notified exactly when your exam grades are released on Student Services Online.

Let’s jump straight into it – here’s an action shot of the program’s main menu.

It is currently a command-line application with a b0rked ASCII UoA logo.

Usage should be straightforward; just fill in what it asks for and you’re away. You can either manually check grades for a given semester (option 1) or use the beefy polling functionality to get informed of new grades for your current pending semester automatically (option 2).

When I wrote the alpha version of this program last year for the 2011 Second Semester session, I ran it as a daemon on one of my servers and had it post directly to the 1st-year Engineering Facebook group I was part of, effectively informing 500 students that new grades had become available on Student Services Online.

Behind the scenes I went a bit further and even had it deliver me a personalised text message containing my individual grades as they were released, using Clickatell’s HTTPS API for its global SMS gateway system. As a surprise I thought I might as well add the mobile numbers of my friends who were also studying Engineering and inform them of new grades via text message too (these messages didn’t contain their grades though, as this was outside of my control; it just had the same message as the one in the image above).

As for the current edition, in order to be notified you need to download and execute the program on your own machine and set it up to poll for new grades (option 2). Once it detects a disparity in your results, it will invoke 10 system beeps, giving you plenty of time to become nervous before it displays your shiny new grades on the screen in a neatly-formatted ASCII table (trust me, it’s much neater than that logo). Granted, this isn’t as cool as getting a text message, but I can’t afford to have the program send everyone personalised text messages on behalf of my account. I would if I won lotto, though!
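The disparity check between two polls, as an added example that is not the poller’s own code. It assumes a grade page laid out as a plain HTML table with Course, Title and Grade columns (the real Student Services Online markup is not shown here), uses the standard library’s html.parser in place of lxml so it runs with no extra modules, and keeps polling through a failed fetch or parse, which is the behaviour you want from a daemon left running overnight.

```python
# Added example, not the poller's own code: the between-polls disparity check,
# tolerant of transient fetch/parse errors. Assumption (the real Student Services
# Online markup is not shown): the grade page is an HTML table with the columns
# Course, Title, Grade, where "-" means not yet released. The standard library's
# html.parser stands in for lxml so this runs with no extra modules.
from html.parser import HTMLParser

# Constructed sample pages: COURSE 101 is released between the two polls.
PAGE_BEFORE = """<table><tr><th>Course</th><th>Title</th><th>Grade</th></tr>
<tr><td>COURSE 101</td><td>First Paper</td><td>-</td></tr>
<tr><td>COURSE 102</td><td>Second Paper</td><td>B+</td></tr></table>"""
PAGE_AFTER = PAGE_BEFORE.replace("<td>-</td>", "<td>A</td>")

class GradeTableParser(HTMLParser):
    """Collect each <tr> of the page as a list of stripped cell strings."""
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None

    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []

    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)

    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append("".join(self._cell).strip())
            self._cell = None
        elif tag == "tr" and self._row is not None:
            self.rows.append(self._row)
            self._row = None

def parse_grades(html):
    """Map course code -> grade, skipping the header row and unreleased grades."""
    p = GradeTableParser()
    p.feed(html)
    return {r[0]: r[2] for r in p.rows[1:] if len(r) >= 3 and r[2] != "-"}

def poll_once(fetch, known):
    """One poll tick: returns (updated known grades, grades that appeared or changed).
    An error while fetching or parsing is skipped for this tick and polling goes on."""
    try:
        current = parse_grades(fetch())
    except Exception:  # network hiccup, changed markup, or a one-off parser glitch
        return known, {}
    disparity = {c: g for c, g in current.items() if known.get(c) != g}
    return {**known, **current}, disparity
```

The first call seeds the known state (and reports whatever is already released); from then on only grades that newly appear or change come back as the disparity, which is the point at which the real program would start beeping.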

If this takes your fancy and you would like to use it, feel free to download the Windows or Mac executable (Mac OS X App planned), or, if you have a phobia of executables, thinking I might steal your university credentials or something ghastly like that, then you can get the source for the API and the poller itself instead.

Download links below – version 2.0.1.8 – last updated 07/07/2014


Windows executable (version 2.0.1.8 – current)
uoaegp.exe (3.7MB)

Mac OS X executable (version 2.0.1.8 – current)
uoaegp (5.8MB)

Python source (version 2.0.1.8 – current)
ssoapi.py (10.8KB)
uoaegp.py (10.7KB)
both files are required

Lazy changelog

2.0.1.2 — 12/03/12
– initial public release after a plethora of tests

2.0.1.3 — 26/06/12
– fixed incorrect semester selection due to upstream behavioural change

2.0.1.4 — 30/06/12
– additional fixes for semester selection issues

2.0.1.5 — 05/07/12
– show date and time of disparity detection

2.0.1.6 — 27/11/12
– fix: a change on the UoA login page caused ssoapi to reject all credentials
– permanently enabled a workaround which fixed an issue in both manual and automatic semester selections that appeared around the fourth quarter of 2012

2.0.1.7 — 06/07/2014
– added important fail-safes
– improved exception management
– additional fixes to attempt automatic recovery from erroneous states

2.0.1.8 — 07/07/2014
– fixed inability to view individual semesters manually (option 1) – regression from 2.0.1.7
– less overwhelming error announcements

Tips and to-be-FAQs

I want to use the Windows executable.
Great, go right ahead. If you have runtime issues, try using the source instead.
This is compatible with Windows only.

I want to use the Mac OS X executable.
This is not quite the same as the typical Mac OS X apps you may know, as it is a single binary file rather than a .app directory. Here are the instructions:

  1. Download the file and note which folder it was saved in (/Users/Milos/Downloads/ is probably default, but with your own username in the middle; that is, your Downloads folder).
  2. Search for Terminal in Spotlight (the top-right magnifying glass icon) and open it. You now need to give the file execute privileges so that you can simply double-click it in the future without having to manually open Terminal. This is done with the chmod command, explained next.
  3. Type `chmod +x Downloads/uoaegp` without the backticks (`) and press enter. That’s it! You can now double-click the file to use the program.
  4. Optionally move it to another location, e.g. the Applications directory, if you really want to.

If all you see is a blank terminal, chances are it’s hiding behind that window.
This is currently definitely compatible with Mac OS X 10.6 (Snow Leopard) and higher but should theoretically work with Mac OS X 10.4 (Tiger) and higher.

I want to use the Python source code.
You are going to require at least Python 2.5 with the lxml module installed.
This is compatible with Windows, Mac OS X and Linux as long as Python and any dependencies are installed and able to be located by the interpreter.

My poller is picking the wrong semester!
You are most likely using an outdated version; please update to 2.0.1.4 to address this issue.
If you continue experiencing this with the latest version, let me know by leaving a comment below.
Thanks and sorry for any inconvenience.

I left it on overnight and when I checked it next it had an error (something about __getitem__)?
This is harmless no matter how many times you see it. As long as the timer is consistently counting down, the program will still work as intended.