unserialize() and being practical

I have recently revived my “filtered unserialize()” RFC and I plan to put it to vote today. Before I do that, I’d like to outline the arguments on why I think it is a good thing and put it in a somewhat larger context.

It is known that using unserialize() on outside data can lead to trouble unless you are very careful. Which in projects large enough usually means “always”, since practically you rarely can predict all interactions amongst a million lines of code. So, what can we do?

Of course, the first thing would be to never use unserialize() in this context, and this means no problem, right? However, this approach has the following issues:

  1. It goes against what is natural for people (using PHP native serialization mechanisms) to do and what is widely done in the field. Usually when you try to work against what is natural for people to do, it is an uphill battle where losses are much more frequent than wins. Doing the right thing should be easy, and if it is not so, then the chance that right thing is not done raises accordingly. From that perspective, anything that makes doing the right thing easier is a benefit.
  2. There is no other mechanism which matches serialize() by capability but does not have its issues. Yes, I know in many cases data being serialized is simple enough so JSON or something akin to it would suffice. But sometimes it may not, and in that case we need some solution too. Let’s say we said using JSON is a best practice. However, let’s say one finds a rare corner case where it is not enough. What would we offer in that case? If we do not provide any solution, people would do homebrew solutions, and many of these will be done wrong.
  3. Contexts change, and what were internal context before may suddenly become exposed, and then may be in for an expensive refactoring effort if no other solution is available.

So that is why I think we should have a middle ground between “never use unserialize() on external data and if you do, you’re going to hell and we’re not going to talk to a sinner like you until you repent and rewrite all your code” and “let’s rewrite PHP library functions in PHP because that’s what it takes for our code to work”. I think it is a practical solution which allows your code to be more predictable (i.e, less prone to security issues) while allowing you to work with your code as it is and not requiring extensive rewrites.

Is this a security measure? I removed the reference “security” from the RFC title because I think it has lead the discussion in a wrong direction. Yes, it does not provide perfect security, and yes, you should not rely only on that for security. Security, much like ogres and onions, has layers. So this is trying to provide one more layer – in case that is what you need. I think it improves security but I’d much rather concentrate on the useful options that it adds to the programmer’s toolkit than on semantics of the term “security” and its implications.

LinkedInSecurity

This is an uncharacteristically non-PHP post, but I thought it may interest the audience anyway, and this is as good place as any to have it. So the TLDR of this post is that I’ve recently had an interaction with certain security issue in LinkedIn, this issue is still there, LinkedIn is not inclined to fix it and you may be affected.

The Story

All names (except, obviously, LinkedIn) in the story has been changed to protect the privacy, but refer to real people, entities and events.
The story of discovering this issue begun when one morning I have woken up and found in my mailbox a message saying “here’s the link to reset your password” from LinkedIn. As I have not reset my password on LinkedIn, I was somewhat surprised, but thought – OK, maybe somebody is trying to play tricks with my account, I’m pretty sure this would go nowhere. Then, as my brain was waking up, I looked at the email closely and discovered two things:

  1. This email has not my name, by the name of my colleague, let’s call him B., at the company, let’s call it Westeros Inc.
  2. The email was not sent to me directly, neither it was sent to B. directly, instead it was sent to an internal company mailing list goldcloaks@westerosinc.com.

I didn’t know what to make out of it but decided maybe B. copy-pasted wrong address to some field in LinkedIn.
Later the same day, talking to B. and other coworkers, I have mentioned this event. B. said that he indeed reset his LI password recently, but he never added the goldcloaks list to LinkedIn. I’ve started to get suspicious and asked how then I’ve got his password reset email? He didn’t know. So we (myself and B.) did an experiment:

We went to LinkedIn, logged out and clicked “forgot password” on the login form. Then we entered the address of the goldcloaks@westerosinc.com and in a couple of seconds, I’ve got the password reset link, with B.’s name on it. Clicking on that link, I’ve got a form to reset the password (no additional questions like what’s my favorite pokemon) and after another click I’ve got the email saying “B., your password was successfully reset“. I used the new password to log in, but then I was stopped by the two-factor verification. Which means two things: 1) password change worked, since 2-factor kicks in only when password is right and 2) B. is a smart man and has protected his account against password thieves. I had to ask him for the code – now that I have his account’s password, this was the only way to give him the control back. After getting the code, I could successfully log into his account and could see all his deepest secrets (which I didn’t) or return the control back to him (which I did). Before that, we verified that goldcloaks@westerosinc.com is indeed in B.’s list of account’s emails.

Then I decided to see how comes the goldcloaks list ended up in B.’s email list. I went to my own email list, and, surprisingly, discovered that in my own list, among my regular emails, there is another mailing list, maesters@westerosinc.com, which I definitely did not ever add there and had zero reason to. I asked other people sitting around in the office to check their lists and they too have discovered a couple of extra emails, added by some mysterious way, in their profiles.

The Analysis

Basing on these discoveries, I have arrived at the following conclusions:

1. There is a way, currently unknown to me, to add a group mailing list to one’s profile on LinkedIn, without their explicit consent (at least without them knowing that this is what they consented to).
2. LinkedIn accepts this group list email and any non-primary email as an email to send password reset requests too.
3. Reading emails from this address is the only thing needed to reset the password – even if 2-factor auth is enabled. With 2-factor auth, you will not be able to access the account after the password has been reset (unless you find a way to cheat there, I did not try) but you will be able to reset the password.
4. For the majority of people asked, LinkedIn password emails to goldcloaks@westerosinc.com ended up in a spam folder, which means the victim of the shenanigans may not even notice what happened.

This looked like a security issue, so I have written up the whole story (in a bit less colorful words than here) to security@linkedin.com and went back to work, expecting the email from LinkedIn with heartfelt thanks and promises of speedy fix implementation.

The Security Response

Of course, that is not what happened. Instead, what happened that I have got an answer from some very helpful individual from frontline support, asking me for “detailed information about your problem and if you think it might help, attach a screenshot, too“. As I have just spent significant time on composing big encrypted email full of details, I was a bit confused as to which details I was missing and where screenshots may be useful there, but I have not relented at first and wrote second explanation of the issue. The response was:

1. LinkedIn support took the extraordinary security measure of logging me out of all my current sessions with LinkedIn.
2. They advised me not to write down my password in publicly accessible places and suggested that if I continue to leave my computer sitting around in public places without logging out, bad things may happen to my account. My sincerest pleas that such thing never happened and the problem I am talking about is not because I forgot my laptop in a pub while being drunk (and so, apparently, did my coworkers) were met with utter disbelief. They also instructed me to not use my LinkedIn password on other sites and gave me a full page of very useful boilerplate password security advise, as prudent as having no relation to the case being discussed.
3. They assured me that my account was not compromised (which I never implied) and my password is safe.
4. They assured me that “The only way to add an email into an account is via the settings after logging in.”

By that time I was sure nobody at LinkedIn is going to believe me there’s a problem (beyond my implied propensity to leaving my laptop around and thus letting strangers add emails to my LinkedIn account) so I decided I’ve done my responsible disclosure part and should not spend more time on it. However, then I’ve got another email from LinkedIn stating this:

Sometimes, when a member accepts an invitation to connect that was sent to an email distribution list, that list becomes associated with the member’s account.

Please be assured that no one on the distribution list would be able to use the password reset link to access your account unless they knew both your email address and your password.

The first part, of course, completely belies the claim that “The only way to add an email into an account is via the settings after logging in.“, as apparently the other way is to send an invitation via the email list and have it accepted. The second part, however, can not be true, as password reset link can not require anybody to know the password – such link would be completely useless, and they do not even need to know my email – only the list email. But this provided the confirmation and brings us to the conclusion.

The Conclusion

  1. There is, indeed, a way to inject group email address into your LinkedIn account, LinkedIn knows about it and they don’t see any problem with it. Most probably, this can be done by sending an invitation for a person to connect to a mailing list. You can imagine the social engineering possibilities.
  2. While you can see the target email in the email connect invite from LinkedIn, you can not see it, AFAIK, in the LinkedIn web interface, which makes “group” invite indistinguishable from a regular one.
  3. There is, and probably will be for a foreseeable time, a way to use that group email address to reset your password using that group, by anybody who has access to group emails.
  4. LinkedIn knows about the issues outlined above but they do not perceive it as a security issue.

The Advice

So here’s some advice if you have a LinkedIn account:

  1. Enable two-factor on your LinkedIn account NOW.
  2. Check your email list (go to Settings, click on “Account” and then “Add & change email addresses”) and see if you don’t have any unknown emails there. Do that at regular intervals, especially after accepting connections.
  3. Do not accept connections from strangers that you do not recognize. 
  4. Do not expect big companies to have a meaningful way to report a security problem.

And a wishlist for LinkedIn:

  1. Make password request only work with primary email.
  2. Make associating an email with the account always an explicit action.
  3. Have some way to escalate security issues. 

If you have any additional info or ideas on this topic, please feel free to comment.

the insecure nature

I saw in Ben Ramsey’s blog the link to the eWeek’s “100 Most Influential People in IT” list and this:

I think Stefan Esser is doing great work by helping make PHP more secure, and so I join the congratulations for being in the list. I don’t really know what 60 means – is half as influential as #30 (Brendan Eich, Mozilla’s CTO) and 1/4 of that of the number 15, Linus Torvalds himself – or they just had to order it because otherwise it is hard to comprehend – but I guess any place in the 100 is great.

What drew my attention, however, is the wording of the description. Namely “

I also fail to see how the fact that PHP had 43 bugs (MOPB reported 46 issues, 3 of them not in PHP) in various versions and various modules could force anybody to “rethink of security in the open-source world”, whatever that might mean. Just for the right perspective, main PHP source has now around 80 extensions, issue count on bugs.php.net now nearing 45000 (of course, many of them bogus, but still). To compare, Firefox’s Bugzilla counter approaching 430000 by now. I do not know how many of the bugs reported can be thought of as security bugs, especially provided that many bugs not thought of as security problems per se could lead to security problems given suitable context. Probably a bunch of them. But I do not see how that leads to any “rethinking”. Of course it leads to the plain old thinking – how to fix such bugs and try and prevent future ones like them – but that’s how it always worked and always will work, nothing special.

I’m writing this not to cast any shadow on the list or Stefan Esser’s work. I just think while the recognition of the security research efforts is great, the sensationalist manner that was chosen by eWeek to describe it is just wrong.