Ready to Start Your Career?
December 19, 2017
The Flaws of Privacy
December 19, 2017
"Privacy" is a interesting, and very commonly misundestood, concept in IT. Lots of security flaws online can have its origins on this misunderstanding, hence the relevance of clearly all this. This topic is relevant for both security and programming perspectives.Privacy for humans is, (most of the time) simple. When we tell someone "this is private", the person understands "do not show to anybody", but privacy is a human concept, not a machine concept.Privacy for machines means the same but is applied differently. When we indicate "this is private", the machine understands "do not show to other humans". This is why is important to test the privacy settings when putting something online: just because something says "private", doesn't mean it actually is... How can this misconception originate flaws?When a website is designed, the designer makes a "privacy setup" menu and adds the option to make something private. He/She can also request for authentication, such as a valid login, or ask for payment (for reading/viewing intellectual property or avoid piracy). The problem is when this "privacy" is not fully tested or even understood from the machines' "point of view". This allows people to trick the website. If "private" means it can't be shared with humans, any humans trying to access the file will be prompted for authentication or blocked. But what about if a machine asks another machine? How are this flaws exploited?This doesn't happen on all websites, but happens on some. Some websites may block one of this flaws but allow another... Hackers can use this "misconception" to trick several websites, bypassing some of this mechanisms, by using machines to ask other machines. Here are some examples of it:
- A good example of this is asking Google to ask some specific file. Since the hacker can't access the website and normally getting the file, He/She can ask Google, using the "filetype:" operator, if Google can get the file. On some websites, since its a machine asking another machine, it is allowed.
- Another example is when we want to see a picture on a social network website. If we "left-click" the thumbnail, it demands us to get an account or login, (forcing us to accept the terms of service and privacy to view it), but if we "right-click" and select "open in new tab", since its the browser asking, instead of manually operated buttons (AKA=Human), it simply loads the picture.
- Another good example is using Google cache to view a detailed profile on social networks (like on the previous examples, we couldn't view it without an account), or a topic on a fórum, that since it is "for members only", requires a valid login.
- Another example is using some program to change our "user agent" to something like "Google Bot", to allow us to view content of websites without being asked for payment or authentication, tricking the privacy setup of the website.