Privacy and its Flaws...!!

-
“Privacy” is a interesting, and very commonly misunderstood, concept in IT. Lots of security flaws online can have its origins on this misunderstanding, hence the relevance of clearly all this. This topic is relevant for both security and programming perspectives.

Privacy for humans is, (most of the time) simple. When we tell someone “this is private”, the person understands“do not show to anybody”, but privacy is a human concept, not a machine concept.

Privacy for machines means the same but is applied differently. When we indicate “this is private”, the machine understands “do not show to other humans”. This is why is important to test the privacy settings when putting something online: just because something says “private”, doesn’t mean it actually is…



How can this misconception originate flaws?

When a website is designed, the designer makes a “privacy setup” menu and adds the option to make something private. He/She can also request for authentication, such as a valid login, or ask for payment (for reading/viewing intellectual property or avoid piracy). The problem is when this “privacy” is not fully tested or even understood from the machines’ “point of view”. This allows people to trick the website. If “private” means it can’t be shared with humans, any humans trying to access the file will be prompted for authentication or blocked. But what about if a machine asks another machine?



How are this flaws exploited?

This doesn’t happen on all websites, but happens on some. Some websites may block one of this flaws but allow another… Hackers can use this “misconception” to trick several websites, bypassing some of this mechanisms, by using machines to ask other machines. Here are some examples of it:

A good example of this is asking Google to ask some specific file. Since the hacker can’t access the website and normally getting the file, He/She can ask Google, using the “filetype:” operator, if Google can get the file. On some websites, since its a machine asking another machine, it is allowed.

Another example is when we want to see a picture on a social network website. If we “left-click” the thumbnail, it demands us to get an account or login, (forcing us to accept the terms of service and privacy to view it), but if we “right-click” and select “open in new tab”, since its the browser asking, instead of manually operated buttons (AKA=Human), it simply loads the picture.

Another good example is using Google cache to view a detailed profile on social networks (like on the previous examples, we couldn’t view it without an account), or a topic on a fórum, that since it is “for members only”, requires a valid login.

Another example is using some program to change our “user agent” to something like “Google Bot”, to allow us to view content of websites without being asked for payment or authentication, tricking the privacy setup of the website.

All this examples exist and are fairly common. I’ve tested and found all of them, sometimes with little harm, and sometimes exposing sensitive private information. “Private” only makes a filter, but there are many ways to bypass that filter if properly misconfigured.

Google isn’t the only machine we can try to “trick into asking” another machine. The search engines can only index what they are allowed (in the robots.txt configuration), and sometimes, they aren’t allowed to view content. When that happens, hackers try other methods like “open in new tab” to avoid manually operated buttons, or URL hacking (changing the URL directly to navigate directories on websites). All that and more can be used, all based on the flaws of the concept of “privacy”.



Please note: I use the term “hacker” but not with negative meaning. “Hacker” here is used as someone who tries to bend the privacy rules, independent of intention.

Comments

Post a Comment

Popular posts from this blog

What is Virtual Reality?(The Complete immersion)

-
Image
Virtual Reality  ( VR ) means experiencing objects or things through our computers that actually don't really exist. Virtual Reality is already becoming a very in demand concept, and with so many new cameras and devices, it can be easy to feel left behind. That's because VR is still relatively new technology. VR can also be defined as a believable, interactive 3D computer-created world for you to explore and to get the feel that you are really there, both physically and mentally. Virtual Reality is essentially: Believable You have to believe that you are already there, in the VR world Interactive When you move, the VR world must go with you Computer-generated Only powerful machines are fast enough to make interactive, alternative and believable worlds Explorable A VR world have to be big enough and detailed for you to explore Immersive To be both interactive and believable, VR needs to engage both your mind and your body. How does it work?
Read more

What are the best ways to earn money online?

-
Image
How many articles are there about making money online? Thousands? Millions? Enough? Probably. But there’s a problem. Too many of them are just sales pitches to convince you to sign up for some seminar, webinar, training session or some other way to become an online millionaire. They really give online money making a bad name. But it is possible to make money online. I mean, the people selling all of those millionaire pitches are making money, right? There are legitimate ways to make money online. The problem is that the real ways to make money aren’t “get rich quick” schemes. Most of them require a lot of work and sometimes a lot of dedication before seeing a return on your time. But if you really want to make money online, work from home or turn an idea into a business, you  can  do it. I’m going to tell you about all kinds of legitimate ways to make money online. Since we are talking about  legitimate  jobs, you’ve got to be…well, legitimate. Many of these options are  re
Read more

Pros and cons of using a VPN

-
​ ( This Question Is Asked By Many Peoples Also) The benefit of using a secure VPN is it ensures the appropriate level of security to the connected systems when the underlying network infrastructure alone cannot provide it. The justification for using VPN access instead of a private network usually boils down to cost and feasibility: It is either not feasible to have a private network — e.g., for a traveling sales rep — or it is too costly to do so. VPN performance can be affected by a variety of factors, among them the speed of users’ internet connections, the types of protocols an internet service provider may use and the type of encryption the VPN uses. Performance can also be affected by poor quality of service and conditions that are outside the control of IT.    VPN protocols  There are several different protocols used to secure and encrypt users and corporate data: IP security (IPsec) Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Point-To-Point
Read more