The Flaws of Privacy

December 19, 2017 | Views: 1210

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

“Privacy” is a interesting, and very commonly misundestood, concept in IT. Lots of security flaws online can have its origins on this misunderstanding, hence the relevance of clearly all this. This topic is relevant for both security and programming perspectives.

Privacy for humans is, (most of the time) simple. When we tell someone “this is private”, the person understands “do not show to anybody”, but privacy is a human concept, not a machine concept.

Privacy for machines means the same but is applied differently. When we indicate “this is private”, the machine understands “do not show to other humans”. This is why is important to test the privacy settings when putting something online: just because something says “private”, doesn’t mean it actually is…

 

How can this misconception originate flaws?

When a website is designed, the designer makes a “privacy setup” menu and adds the option to make something private. He/She can also request for authentication, such as a valid login, or ask for payment (for reading/viewing intellectual property or avoid piracy). The problem is when this “privacy” is not fully tested or even understood from the machines’ “point of view”. This allows people to trick the website. If “private” means it can’t be shared with humans, any humans trying to access the file will be prompted for authentication or blocked. But what about if a machine asks another machine?

 

How are this flaws exploited?

This doesn’t happen on all websites, but happens on some. Some websites may block one of this flaws but allow another… Hackers can use this “misconception” to trick several websites, bypassing some of this mechanisms, by using machines to ask other machines. Here are some examples of it:

  • A good example of this is asking Google to ask some specific file. Since the hacker can’t access the website and normally getting the file, He/She can ask Google, using the “filetype:” operator, if Google can get the file. On some websites, since its a machine asking another machine, it is allowed.
  • Another example is when we want to see a picture on a social network website. If we “left-click” the thumbnail, it demands us to get an account or login, (forcing us to accept the terms of service and privacy to view it), but if we “right-click” and select “open in new tab”, since its the browser asking, instead of manually operated buttons (AKA=Human), it simply loads the picture.
  • Another good example is using Google cache to view a detailed profile on social networks (like on the previous examples, we couldn’t view it without an account), or a topic on a fórum, that since it is “for members only”, requires a valid login.
  • Another example is using some program to change our “user agent” to something like “Google Bot”, to allow us to view content of websites without being asked for payment or authentication, tricking the privacy setup of the website.

All this examples exist and are fairly common. I’ve tested and found all of them, sometimes with little harm, and sometimes exposing sensitive private information. “Private” only makes a filter, but there are many ways to bypass that filter if properly misconfigured.

Google isn’t the only machine we can try to “trick into asking” another machine. The search engines can only index what they are allowed (in the robots.txt configuration), and sometimes, they aren’t allowed to view content. When that happens, hackers try other methods like “open in new tab” to avoid manually operated buttons, or URL hacking (changing the URL directly to navigate directories on websites). All that and more can be used, all based on the flaws of the concept of “privacy”.

 

Please note: I use the term “hacker” but not with negative meaning. “Hacker” here is used as someone who tries to bend the privacy rules, independent of intention.

Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel