Updated Facebook for Android

This past week Facebook released a new version of their Android application. With it came a full redesign of the layout and how the app works.

For those of you familiar with the recent update to the iOS version of the Facebook app, this is very similar. At the same time, it feels very much like an Android application (not something ported straight from iOS, including all iOS UI paradigms).

The application now supports Facebook’s timeline feature that the website has been rolling out for a while. Additionally, it supports many things that have been neglected in the past such as viewing full event pages, viewing friend lists, and more. I also spotted a note on the app’s market page claiming Facebook games work in the app. I haven’t tried this yet to verify as I don’t usually play those games but I could see that as potentially huge for Facebook and those users who do enjoy games on their platform.

Facebook has also added this slide over panel that allows access to many things related to your account. Further down this panel, there are lists of groups you are in, your Facebook app settings, pages you own, and more. I do enjoy this panel for the most part, although I feel that on a phone it would have made more sense for the panel to slide all the way to the right and cover the news feed completely.

The thing I enjoy most about this update however is that the app performs extremely well. While the new features are nice, the performance is by far the best thing about this app. The side panel slides over fluidly every time, the lists scroll smoothly all of the time, and there is nothing that feels slow anywhere. This is a huge improvement over the previous version (and many other apps). This just goes to show that Android apps can perform well if you take the time to design them well.

Developers, take note. This is how Android apps should be built.

Race Report: Big House Big Heart 2011

Last Sunday I ran the Big House Big Heart 5k. The race started outside of Michigan Stadium, looped around part of Central Campus and then finished by going through the tunnel entrance to the Big House and down to the middle of the field. Overall, I loved the course; it had only one somewhat large hill near the beginning of the race and then was completely flat or downhill the entire race.

There were, literally, tons of people that ran the race. Based on the results, there were over 6000 finishers! This is probably one of the biggest races I’ve ever been in. I think it’s great that many people wanted to run – the problem was that I made the mistake of not starting right up front and I got boxed in for a large portion of the race. It took almost a minute for me to cross the starting line after the race started – that didn’t affect my time as it was chip timed but it did affect the number of people that I had to weave in and out of to pass.

The first mile (which was around 6:50) was constant passing and weaving and speeding up and slowing down. The same for most of the 2nd mile as well. This really affected my racing a lot. I’d say that the ‘race’ turned into more of a ‘run’ for me since I wasn’t able to get to race pace at any point.

That said, it was a lot of fun and a beautiful day for a race. I learned my lesson and I won’t make the same mistakes again. I ended up finishing in 20:22 which was a top 100 finish. I’m not thrilled with my time but I’m glad I ran all the same!

The full results are here: http://www.rftiming.net/results/bhbh/bhbh_2011_5k_overall.htm

Race Report: Run Wild for the Detroit Zoo 2011

This past Sunday I ran a 5K at the Detroit Zoo. It was my first in a while, but after training all summer I’ve been wanting to start racing again. The course was a loop around the outside of the zoo, most of which was a neighborhood. It was rather flat with only one slight hill just after the 2 mile mark.

I ended up running in 19:47 which is my best time in a while but still nowhere near the speed I used to be. It was also fast enough to win my age group. I finally broke 20 minutes – something I’ve been trying to do for most of the spring and summer. My splits were about 6:08, 12:35, 19:47. I really didn’t feel like I went out too fast and actually felt rather good the entire race. Next time I race I’m going to try going out at about 6:15 and hold that pace through the race to have more even mile times.

I run the Big House Big Heart race on October 9th but hopefully will have a chance to race once more before then. Full results for the Run Wild race are hosted at raceservices.com

How MCommunity Works

In my last post, I briefly mentioned that I thought MCommunity was sitting on a pretty nice JSON API. Today, I’ll be covering some of the endpoints that I mentioned and what the data looks like when it comes back. I’m writing this not because it was particularly difficult to figure out – anyone with a web browser can do it quickly with the developer tools – but because I enjoyed getting a glimpse into how the service was structured.

When I first looked at it, MCommunity had an endpoint that the Javascript was POSTing to to get details about who was logged in.
Doing a GET to https://mcommunity.umich.edu/mcPeopleService/private/people/getAuthorization/dummy will give a few details about the user who is currently signed in. For instance, when I am signed in, mine looks like:

{
    "authcheck": {
        "errors": "",
        "authStatus": true,
        "displayName": "David Thomas Wilemski Jr",
        "dn": "uid=dtwilems,ou=people,dc=umich,dc=edu",
        "elevatedStatus": false,
        "uniqname": "dtwilems"
    }
}

Note: They’ve since stopped using the “dummy” signifier in favor of some sort of numerical ID; my guess is that it was an attempt to change that endpoint per session so it wouldn’t be so easy to call. However, “dummy” still works, as does any integer – and most strings too. Maybe it was changed for some other reason; I guess I’ll never know.

As you can see, this is very useful information when exploiting XSS. It tells you exactly which user is currently authenticated. While the XSS vulnerability was still present, I could have written a script to notify me when someone viewed my profile and tell me exactly who was viewing it. Furthermore, because the script would have been executing in the context of the other user, it could have used the next endpoint that I’ll be discussing to ask for all of a user’s personal information that is stored in MCommunity and send that to a malicious attacker. That’s some serious analytics.

The next endpoint gives information for a uniqname based on who the user asking for it is. For instance, the URL:

https://mcommunity.umich.edu/mcPeopleService/private/people/dtwilems

gives info on me! Here is what I see when I view the page:

{
    "person": {
        "distinguishedName": "uid=dtwilems,ou=people,dc=umich,dc=edu",
        "errors": "",
        "aboutMeView": 2,
        "acl": [
            "3#entry#ou=People,dc=umich,dc=edu#drink",
            "3#entry#ou=People,dc=umich,dc=edu#umichAltPhone",
            "3#entry#ou=People,dc=umich,dc=edu#umichAltAddress"
        ],
        "affiliation": [
            "College of Engineering - Faculty and Staff",
            "CoE-IT - Faculty and Staff",
            "Undergraduate Engineering - Student",
            "Alumni"
        ],
        "aliases": [
            "David Thomas Wilemski",
            "David Wilemski Jr",
            "David Wilemski",
            "David T Wilemski",
            "David Thomas Wilemski Jr"
        ],
        "altAddressView": 1,
        "altPhoneView": 1,
        "associatedDomain": "engin.umich.edu",
        "displayName": "David Thomas Wilemski Jr",
        "drink": "Cranberry Juice",
        "email": "dtwilems@umich.edu",
        "emailForwarding": [
            "dtwilems@mail.umich.edu",
            "dtwilems.umich@gmail.com",
            "dtwwtd@gmail.com"
        ],
        "faxPhoneView": 2,
        "ferpa": "N",
        "homeAddressView": 2,
        "homePhoneView": 2,
        "imView": 2,
        "mobilePhone": "------MY CELL NUMBER-------",
        "mobilePhoneView": 2,
        "noticeView": 2,
        "pagerPhoneView": 2,
        "permanentAddress": "-------PLACE WHERE I LIVE--------",
        "spamFilter": "TRUE",
        "title": "Student, Undergraduate Engineering",
        "uniqname": "dtwilems",
        "urlView": 2,
        "vacationView": 2
    }
}

 

However, if I call the API for someone else’s info then it only returns information that they have marked as public. Well, actually, you can mark things as public, or just viewable to logged in users (auth), or private (self). They actually return information structured pretty well, and as we’ll see, I’ve since discovered more API endpoints like these – but first I’d like to talk about the last endpoint that I used while digging around with the XSS exploit.

This is the one that really made things go. POSTing to this with the correct variables and a valid cookie will update a profile:

https://mcommunity.umich.edu/mcPeopleService/private/people/updateContact

This is the one that could have helped to cause the MySpace worm of MCommunity – if I was evil. Instead, I reported it like any upstanding Michigan community member would have. :D

Conclusion

So, like I said, the MCommunity site has a nice API. As a matter of fact, Bryan and I have just discovered some various WADL files that describe additional endpoints. I’ll list the ones we know about now for some of you curious folk:

  • https://mcommunity.umich.edu/mcPeopleService/
  • https://mcommunity.umich.edu/mcDirectoryMessages/
  • https://mcommunity.umich.edu/mcGroupService/

What would I like to see MCommunity do with its API? Open it up! I mean, we’re a top computer science school for crying out loud! I think that the students and alumni here could do some truly amazing things if this were to be opened up and documented a little better. Actually, this is something I think that the entire University could do better. Initiatives like the Mobile Center are great but the applications that they put out are still purely proprietary. In fact, their APIs page has had basically a “coming soon” message on it for over a year now.

As it is, any student who wants to build a mobile or web application related to the University is usually forced to revert to lame attempts at scraping a web page for information and other gross, hackish things in order to get functionality out of their application. I’ve experienced this first hand with both Umich Dining and MSchedule. We actually found computer readable formats for both of those applications but not without some exploring first. The data feeds aren’t advertised in any way and I think that they need to be. I’ve heard very similar stories over and over from other students who have tried to build some Michigan specific application at a hackathon or for other purposes and, honestly, it gets frustrating.

I will say that it seems that the University is getting better at trying to support development here on campus – we’re just not quite there yet. If anyone who works for the University who can help move this along is reading, just know that you’re moving in the right direction – we just want you to get there faster!

Also, us MSchedule developers would like to be able to register users for classes so as to create a much better user experience. Pipe dreams, we know…

MCommunity XSS

The University of Michigan recently launched a new directory site called MCommunity that is to be used to search for information on people related to the University.

A few days after the site launched my friend Bryan Kendall found a persistent XSS vulnerability in MCommunity within a couple minutes of looking at the site. He reported the problem to the Michigan security team.

…Or how I almost wormed MCommunity

Days passed and I got curious about how MCommunity itself worked as it obviously used a lot of AJAX to load information on pages. So I took a look at what those calls looked like using Chrome’s developer tools. It looks as though MCommunity is sitting on top of a pretty nice JSON API! They included endpoints for gathering info on an account, the current user’s auth info, and various other endpoints including the one for updating a profile.

So what did I do? I wanted to update my own profile via XSS of course – just to see how it worked. I embedded a Javascript snippet in the alt address field that Bryan found was vulnerable that loaded an external script hosted on my server.

Screenshot of the snippet in the form before I submitted it

That external script simply made some AJAX calls to various endpoints with the purpose of updating the user who was viewing my profile’s Alt. Phone number to “I have you now”. This was accomplished by grabbing the user’s authentication information and posting to the proper place; because the Javascript was being executed in the context of a logged in user it posted their existing auth cookie along with the post and acted on behalf of the user but without their permission.

Screenshot of the modified field on my profile after being XSS'd by myself

After testing this to see if it worked with a couple of friends (letting them know what would happen before hand), I stopped loading that script into my profile so as not to actually modify anyone else’s data. I replaced it with a simple alert that said that MCommunity was vulnerable and that concerned users should notify the University.

Had I been malicious, I could have modified others’ profiles so that when they were viewed, they too would attack other people’s profiles. This worm could have spread out of control and caused much grief. There are also any number of other things that an attacker could do with an open XSS bug. This is why testing for these things in development is so important.
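One way to keep a stored value like the one in the alt address field from executing in a viewer's browser, as an added example (not MCommunity's code and not the script described above): encode every profile field on output, and check the rendered markup for tags the template did not emit. The field names altAddress, altPhone and url and the sample record are assumptions made for illustration.

```javascript
// Added example, not MCommunity's code. altAddress, altPhone and url are
// assumed field names; samplePerson is constructed test data.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;", "`": "&#96;",
};

// Encode a value for an HTML text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs; escaping alone does not stop a
// javascript: URL placed in an href.
function safeHref(raw) {
  try {
    const u = new URL(String(raw));
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch {
    return null;
  }
}

// Build the profile markup; every user-controlled value passes through escapeHtml.
function renderProfile(person) {
  const rows = [
    ["Name", person.displayName],
    ["Uniqname", person.uniqname],
    ["Alt. Address", person.altAddress],
    ["Alt. Phone", person.altPhone],
  ]
    .filter(([, v]) => v !== undefined && v !== null && v !== "")
    .map(([label, v]) => `<dt>${escapeHtml(label)}</dt><dd>${escapeHtml(v)}</dd>`);
  if (person.url) {
    const href = safeHref(person.url);
    const text = escapeHtml(person.url);
    const cell = href ? `<a href="${escapeHtml(href)}" rel="noopener">${text}</a>` : text;
    rows.push(`<dt>URL</dt><dd>${cell}</dd>`);
  }
  return `<dl class="profile">${rows.join("")}</dl>`;
}

// Regression check: list any element in the output that the template did not emit.
const TEMPLATE_TAGS = new Set(["dl", "dt", "dd", "a"]);
function unexpectedTags(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase())
    .filter((tag) => !TEMPLATE_TAGS.has(tag));
}

// Constructed record with markup stored in the fields a viewer's browser renders.
const samplePerson = {
  displayName: "Example User",
  uniqname: "exampleu",
  altAddress: '<script src="https://example.invalid/x.js"></script>',
  altPhone: '"><img src=x onerror=alert(1)>',
  url: "javascript:alert(1)",
};

console.log(renderProfile(samplePerson));
console.log("unexpected tags:", unexpectedTags(renderProfile(samplePerson)));
```

Running unexpectedTags over every rendered profile in a test suite turns a missed escape into a failing test before release.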

Response

I promptly reported the vulnerability as well because I didn’t want others doing this to me! I quickly got a response from the security team saying they had passed it on to the MCommunity team. About a week later, on August 2nd, I noticed that the vulnerability had been fixed and no longer worked. They must have patched it in one of these releases - despite not mentioning it in those notes.

Overall the response from the University was very good. I do hope that they are on the lookout for further vulnerabilities in the application. It houses so much information on the entire Michigan community that it would be disappointing to see that be abused by a malicious attacker.

Race report: Ann Arbor Firecracker 5k 2011

This morning I ran the Firecracker 5k which is my second race in two weeks time. Going in I felt pretty tired from the mileage I’ve been running and not being used to that. However, my first mile was under 6:15 despite feeling like I was running well slower than 7 minute pace. I tried evening out my pace for the second mile but pretty much blew up before the end of that mile. I did the best I could through the rest of the race, but ended up letting a lot of people pass me. I finished in 20:51, so not much worse than my last two races, but still not the sub 20 I’ve been looking for. I’m going to have to work on my race pacing some, I’ve forgotten what that’s like. Full race results are here.

Race report: Artful Dodger 2011

Welp, this past weekend was the Artful Dodger 5K in St. Clair. I went back home to run it and get another race under my belt for the summer. My goal going in (as with the last race) was to be under 20 mins, but I ended up with 20:16. So, faster than my previous race but still not where I wanted to be. For the record my splits were about 6:24, 6:44, 7:08 and I finished 15th overall (14 male, 1 female – results here) and 6th in my age group. Meh.

The 4th of July will be the Firecracker 5K here in Ann Arbor, I’m REALLY hoping I can finally go sub 20.

Race Report: Dexter-Ann Arbor 5K

Well, last weekend was the race I talked about in my last post. There were way more people there than I thought there would be.

Parking ended up being a nightmare so I didn’t have time to warm up before the race. This meant I took the first mile easier than I wanted to minimize injury risk and ran the next two at a hard pace instead of at full race pace. The first was still possibly my fastest mile because there was a bunch of downhill running. The next two miles I ran with a steady pace (I think, I don’t have splits). I ended up running 20:45; so, slightly slower than I wanted to but something I can be pleased with, given the small amount of training I’ve been doing. Overall, I loved the course. It had the right mix of hills and flat running, I’ll definitely be doing this one again – but maybe a longer distance next year? We shall see.

I took this past week pretty easy, only a few hard runs and nothing over 4 miles. Monday I’m looking at starting the PPM program up again; which was something I haven’t done since high school. I’m going to start at 30 miles a week and see how that goes, maybe I’ll move up to 40 after this week but more than likely I’ll stick with 30 for a few more just to be safe. I really don’t want any more injuries.

Running Update: No more injuries

I’ve been running off and on again for most of the past year struggling with injuries (pulled quad, shin splints). I think I’m close to being able to say that that stuff is finally past me. I’ve been running ~20 miles a week for the past few weeks and so far so good (a few twinges in my legs the past few days that I’m gonna keep an eye on).

New Shoes!

Last night I was heading out for my run and got this crazy idea that I wanted to do a mile time trial. Yes, despite it being the first day on new shoes, being super wet out, and my legs acting up a little (I did say it was a crazy idea!). I’ll be running a 5k next weekend and wanted to see what kind of hard, but not all out, mile time I could get so I know how fast to go out in this race.

So I ran a mile and a half warm up to the track. Did I mention it’s probably been a little over 2 years since I’ve been on a track? I stretched a little then did my mile. It was pretty humid still despite it being midnight but forgot about that quickly as I started. My first lap felt easy – not too fast, not too slow – at about 1:30. The second lap went by in another 1:30 split, but I was really feeling it by the end of that lap. The third lap’s split was 1:32 and the final lap’s was 1:33 despite me feeling like I picked it up – I had forgotten how that works. So I ended with a 6:05 mile after not training hard for months. Something to improve on, but I’m content for now. It really surprised me how well I actually kept my splits – that was something I always struggled with before.

Next weekend I’m going to shoot for 6:30 pace in my 5k and see what happens (assuming the legs are fine this week). Hopefully I’m not being too ambitious. I’d really like to go sub 20 mins as a baseline for getting back into racing.

I’ll post something about my results next weekend after the race, and I plan on doing more running posts to try and keep myself accountable for my running. Sometimes the hardest part is convincing myself to get out the door :)