Vimeo account takeover

Apr 3, 2015 2 min.

A while back I was playing around with the OAuth2 spec and discovered a flaw in how Vimeo associates Facebook accounts. Their Facebook connect callback URL was vulnerable to cross-site request forgery, allowing an attacker to connect their Facebook account with a victim’s Vimeo account.

Background

If you try to connect a Facebook account to your Vimeo account, Vimeo sends you to the following URL:

    https://www.facebook.com/v2.1/dialog/oauth?client_id=19884028963&redirect_uri=https%3A%2F%2Fvimeo.com%2Fsettings%2Fapps%3Faction%3Dconnect%26service%3Dfacebook&scope=email,public_profile,publish_actions,user_friends&state=f599e2d1b07d64214116415646a6a653

Once you accept the authorization prompt, Facebook returns an HTTP 302, redirecting you back to Vimeo’s redirect_uri along with a code that Vimeo uses to access your Facebook info and associate the accounts.
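The standard defence against this class of bug is the state parameter already visible in the authorize URL above: the server stores a random value in the user's session when the flow starts, and the callback refuses any code whose state does not match it. The following is an added example, not Vimeo's code; it runs both a callback that ignores state and one that checks it against an in-memory stand-in for the session, and the session type, the exchangeCode stub and the deliver helper are constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// session stands in for the server-side session the victim's cookie resolves
// to (constructed for this example; the real session layout is unknown).
type session struct {
	oauthState string // random value issued when the connect flow started
	linkedFB   string // Facebook identity linked to this account
}

// exchangeCode stands in for the server-to-server call that trades the
// authorization code for a Facebook identity. Stubbed: any code maps to a
// fake user id, no network involved.
func exchangeCode(code string) (string, error) {
	if code == "" {
		return "", fmt.Errorf("missing code")
	}
	return "fb-user-for-" + code, nil
}

// newState returns an unguessable value to store in the session and to send
// to Facebook as the state parameter of the authorize URL.
func newState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// vulnerableCallback links whatever code arrives to the logged-in session.
// An attacker starts the flow with their own Facebook account, takes the
// code from Facebook's 302 and sends the victim to this URL; the victim's
// cookie makes the link land in the victim's account.
func vulnerableCallback(s *session) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		fb, err := exchangeCode(r.URL.Query().Get("code"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		s.linkedFB = fb
		w.WriteHeader(http.StatusOK)
	}
}

// safeCallback accepts a code only if state equals the value this session
// issued. The stored value is cleared before comparing so it is single use;
// the attacker's state belongs to the attacker's session, so the forged
// request is rejected.
func safeCallback(s *session) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		expected := s.oauthState
		s.oauthState = ""
		got := q.Get("state")
		if expected == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "state mismatch", http.StatusForbidden)
			return
		}
		fb, err := exchangeCode(q.Get("code"))
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		s.linkedFB = fb
		w.WriteHeader(http.StatusOK)
	}
}

// deliver plays the victim's browser following a redirect to the callback
// URL from the post and returns the HTTP status code.
func deliver(h http.HandlerFunc, code, state string) int {
	q := url.Values{"action": {"connect"}, "service": {"facebook"}, "code": {code}}
	if state != "" {
		q.Set("state", state)
	}
	req := httptest.NewRequest(http.MethodGet, "/settings/apps?"+q.Encode(), nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	victim := &session{}
	status := deliver(vulnerableCallback(victim), "attacker-code", "guess")
	fmt.Println("no state check:", status, "linked:", victim.linkedFB)

	victim = &session{}
	victim.oauthState, _ = newState()
	status = deliver(safeCallback(victim), "attacker-code", "guess")
	fmt.Println("state check, forged:", status, "linked:", victim.linkedFB)

	victim = &session{}
	victim.oauthState, _ = newState()
	status = deliver(safeCallback(victim), "victim-code", victim.oauthState)
	fmt.Println("state check, legitimate:", status, "linked:", victim.linkedFB)
}
```

The check only works if the state is bound to the session the cookie identifies, which is why it is read from the session rather than from the request, and why it is cleared on first use.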

Golang range and pointers

Mar 18, 2015 3 min.

I’ve encountered bugs using pointers inside a range loop twice in the past few weeks. It seems like an easy/common mistake that is worth sharing.

An example

In this example a producer tries to pass pointers across a channel to a consumer.

    package main

    import "fmt"

    func main() {
        input := [5]int{1, 2, 3, 4, 5}
        c := make(chan *int, 0)

        // producer
        go func() {
            for _, val := range input {
                c <- &val
            }
            close(c)
        }()

        // consumer
        for val := range c {
            fmt.
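The producer above sends the address of the loop variable, and the two usual fixes are to copy it into a per-iteration variable or to point at the slice element itself. The following is an added example, not the post's code, that runs all three variants over a constructed input and reports how many distinct addresses the consumer received. One caveat the post predates: since Go 1.22 (for modules whose go directive is 1.22 or later) each iteration of a range loop gets its own variable, so the first variant only aliases a single variable under older semantics.

```go
package main

import "fmt"

// sharedLoopVar sends the address of the range variable, as the post does.
// Under pre-1.22 semantics every pointer aliases one variable, so the
// consumer sees the last value five times; under 1.22+ semantics it works.
func sharedLoopVar(input []int) []*int {
	c := make(chan *int)
	go func() {
		for _, val := range input {
			c <- &val
		}
		close(c)
	}()
	return drain(c)
}

// copiedLoopVar shadows val with a fresh per-iteration copy before taking
// its address, which is correct under both semantics.
func copiedLoopVar(input []int) []*int {
	c := make(chan *int)
	go func() {
		for _, val := range input {
			val := val
			c <- &val
		}
		close(c)
	}()
	return drain(c)
}

// indexedElement points at the slice element itself, so the consumer can
// also write back into the producer's data.
func indexedElement(input []int) []*int {
	c := make(chan *int)
	go func() {
		for i := range input {
			c <- &input[i]
		}
		close(c)
	}()
	return drain(c)
}

// drain collects every pointer until the producer closes the channel.
func drain(c <-chan *int) []*int {
	var ptrs []*int
	for p := range c {
		ptrs = append(ptrs, p)
	}
	return ptrs
}

// distinct reports how many different addresses the slice holds.
func distinct(ptrs []*int) int {
	seen := make(map[*int]bool, len(ptrs))
	for _, p := range ptrs {
		seen[p] = true
	}
	return len(seen)
}

// values dereferences every pointer; called only after the producer has
// finished, so there is no race with its writes.
func values(ptrs []*int) []int {
	out := make([]int, len(ptrs))
	for i, p := range ptrs {
		out[i] = *p
	}
	return out
}

func main() {
	input := []int{1, 2, 3, 4, 5} // constructed input
	variants := []struct {
		name string
		f    func([]int) []*int
	}{
		{"shared loop var", sharedLoopVar},
		{"copied loop var", copiedLoopVar},
		{"indexed element", indexedElement},
	}
	for _, v := range variants {
		ptrs := v.f(input)
		fmt.Printf("%-16s distinct=%d values=%v\n", v.name, distinct(ptrs), values(ptrs))
	}
}
```

Running it with an older go directive prints distinct=1 and values=[5 5 5 5 5] for the first variant and distinct=5 for the other two; the fixed variants behave the same on every Go version.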

Rails autoload and eager load paths

Jan 28, 2015 2 min.

How Rails finds and loads classes when using autoload_paths and eager_load_paths can be pretty confusing. This post is the best that I’ve read on the topic, but there are a few things that I think are worth explaining more.

autoload_paths

This helps Rails locate where an unknown constant is defined. So if it encounters the constant Foo::Bar::Baz, it knows to look for it in foo/bar/baz.rb. That is why you only need to add lib/, instead of lib/**/*, to the paths.

Keeping my brews up-to-date

Jan 19, 2015 1 min.

Here’s how I ensure my Homebrew packages are the latest and greatest! First I set up a crontab for my user:

    ~ $ crontab -e

I then add this line to update the brew database every hour:

    0 * * * * /usr/local/bin/brew update > /dev/null 2>&1

and add the following line to my .bash_profile to display outdated packages when I open a new terminal:

    brew outdated

Boom. Now I’ll know to brew upgrade whenever a new hotness is released.

Organizing My Day

Jan 18, 2015 2 min.

I started a new job in August and am using the following method to get things done. Each day I create a new text file on my computer with the following template:

    1 Jan 2014
    ==========

    Goals
    -----
    * None

    Completed Tasks
    ---------------
    * None

    Todo
    ----
    * None

    Websites
    --------
    * None

Every morning I copy yesterday’s todo items to today’s goals. Throughout the day I update the completed section and add tasks to the todo section.

Securing ruby SSL connections

Nov 18, 2014 1 min.

By default, Ruby uses OpenSSL settings that leave you open to insecure cipher combinations when making HTTPS requests. I wrote the following gist to document my attempt to secure HTTPS requests from a Rails application following the POODLE vulnerability.

nginx self signed cert

Oct 5, 2014 1 min.

Create your self-signed certificate:

    openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650 -nodes

Configure your nginx (note that TLS 1.0 and 1.1 have since been deprecated by RFC 8996, so a current deployment would list only TLSv1.2 and TLSv1.3):

    server {
        listen 443 ssl;
        listen [::]:443 ssl ipv6only=on;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # enables server-side protection from BEAST attacks
        # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
        ssl_prefer_server_ciphers on;

        # disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS
        # http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # ciphers chosen for forward secrecy and compatibility
        # http://blog.

Heartbleeding an OpenVPN server

Apr 21, 2014 2 min.

Everyone has been atwitter lately over the Heartbleed bug, which motivated me to look into what lesser-known software embedding OpenSSL might be vulnerable. My DD-WRT home router seemed like a good choice because releasing and installing updates isn’t as routine for firmware as it is for desktop software. I started by looking into the HTTP admin interface.

httpd

I identified the web server by browsing the source code and found that SSL was most likely performed by MatrixSSL.