Warning: attackers are abusing a Clickjacking extension to build a "botnet"

Today a friend asked me about an extension named "Clickjacking Detect" on the Chrome Web Store whose functionality looks very much like my own extension...

My first thought was that someone had seen my source code on GitHub and built and published the extension under their own name to promote themselves. It still felt a bit suspicious, so I downloaded it to check, and found that besides the clickjacking-detection code, which is identical to my extension's, there is an extra piece of JavaScript inserted...

This extension works as follows:
- It displays the hidden clickjacking iframes using my method (this is the cover).
- If the address of the page being viewed contains the string "", it starts its malicious behaviour.
- It fetches control commands from a remote address and executes any commands it downloaded.
- With the information the server currently returns, it performs two actions:
  - Like a Facebook page named "SaoKlub" (id 264357593705349)
  - Like a photo on Facebook

This photo belongs to an album of the "SaoKlub" page mentioned above, as part of a photo contest…

Suspicions about CHAOBUOISANG.NET; be a savvy Facebook user

Update, 1/11/2013: detection of these scam pages is now supported for Google Chrome, Apple Safari and Mozilla Firefox. See the end of the article.
Update, 30/11/2013: Warning: attackers are abusing a Clickjacking extension to build a "botnet".

Today I suddenly noticed a large number of my Facebook friends liking an article on CHAOBUOISANG.NET, and it was exactly the article I had read a few minutes earlier... Checking my Facebook activity log, I found that my own account had liked that article too. That looked suspicious, so I opened the Google Chrome Inspector and checked again, but found nothing. I guessed that some piece of code was protecting itself against detection, so I created a new Google Chrome profile, logged in with a different Facebook account and tried again. This time I found a hidden iframe that follows the mouse pointer, just as predicted:

After closer inspection, the code that generates this iframe turned out to live in the file /js/common_load.js; the basic idea is as follows:

Create a div with opacity 0 …

SR-71 Blackbird

Just because this story always cracks me up... Written by Brian Shul (former SR-71 pilot):

There were a lot of things we couldn’t do in an SR-71, but we were the fastest guys on the block and loved reminding our fellow aviators of this fact. People often asked us if, because of this fact, it was fun to fly the jet. Fun would not be the first word I would use to describe flying this plane. Intense, maybe. Even cerebral. But there was one day in our Sled experience when we would have to say that it was pure fun to be the fastest guys out there, at least for a moment.
It occurred when Walt and I were flying our final training sortie. We needed 100 hours in the jet to complete our training and attain Mission Ready status. Somewhere over Colorado we had passed the century mark. We had made the turn in Arizona and the jet was performing flawlessly. My gauges were wired in the front seat and we were starting to feel pretty good about ourselves, not only because we would soon be flying real mi…

Google Music All Access

Finally! Will see if my subscription can be renewed after the trial period.

So far so good. The streaming is fast and in good quality (at least it's good enough for my ears). The app is easy to use, especially the radio thingy. Recommendations are great, suit me well.

Launching XFROCKS

So after a loooong time, I finally launch XFROCKS (again) with the help of Sylvie. The site is actually an experiment which provides premium support (premium = fast, accurate, personal) for freely released add-ons of mine. Only widely used add-ons got their own forum for questions:

[bd] API: a new but strategic add-on with lots of room for improvement.
[bd] Banking: another important add-on which has been under heavy development for a long time without any public release. Probably soon!
[bd] Forum Watch
[bd] Medal System
[bd] Paygates: the cool kid in the group. There is an offer to develop future paygate support with a bootstrap fee of $100!
[bd] Tag Me: one of the first add-ons of mine and still going strong!
[bd] Widget Framework: another useful and complicated add-on (which means lots and lots of questions).
To assist with the cost of running the site, 3 other add-ons are also available for sale:

Trophy Extension ($29) for [bd] Medal System: allow people to attach medals to trophies and have…

BitTorrent Sync as a server backup mechanism

BitTorrent Labs has just released their Sync experiment. The tag line is "Automatically sync files via secure, distributed technology.", aimed directly at competing with Dropbox, Google Drive, Mega and the like. Using BitTorrent technology, folders are synchronized across devices over a p2p protocol without any central server -- which is a plus: you and only you own your data. Additionally, the data is encrypted with a private key, so you can be sure it is safe.

The first thing I thought of when I heard the idea was using it for server backups. Amazingly, the team behind BTSync provides binaries for a wide range of platforms: Windows XP SP3+, Mac OSX 10.6+, and Linux with kernel 2.6.16+ in 4 different architectures (ARM/PPC/i386/x86_64).

Installed the app for Mac OSX:

Running the Linux binary will expose a Web UI at port 8888 (configurable):

In my testing with a 48MB folder containing 4164 files -- typical if you are doing server backup -- it took 21 minutes to complete…

Me and Google are so close...

Superuser permission in Play Store

Didn't know the Play Store can display custom permission information. Awesome!

Life's Good

Piracy Free!

MEGA beta has just been launched. The home page reads:

For a split second, I read it as "THE PIRACY COMPANY". Well, that must have to do with my impression of Mr. Kim's other service, MegaUpload... I remember the old days (not too old though) when I would download some package from MegaUpload or RapidShare and install software for free... Being able to do that and joining sites like UpdateSofts (mentioned here) or SoftVnn were huge... No matter how expensive a program was, we would just spend a few minutes (or hours, more likely) to download it, extract it, install it and apply some "magic" to make it work!

Growing up and studying to be a software developer, I learned more about piracy, and at some point a few years ago I decided to avoid piracy as much as possible. The process probably started with me buying my first laptop (DELL 1510) by myself: it cost about 15m and came with Windows XP OEM preinstalled. For the first time, I was able to upgrade Windows without wor…

Auto invite friends to Facebook group

Quite a few Facebook friends of mine have sent me Facebook group invites these days. The target group is always bullsh!t in some way or another (e.g.: making friends, life stories, love groups). I didn't pay much attention until today... Too lazy to work, so I spent a while investigating the case.

Most of the groups tell you to copy and paste some script into Google Chrome's console to get a list of the people who visit your profile. I have made a copy of the script here.

It turned out they use the first-degree link to get your friends list, then fetch the invite dialog for each friend and finally trigger a mouse event programmatically to send out the invite. Pretty clever! However, the script kiddie is unethical in two ways: after finishing the job (inviting your whole gigantic friends list), which may take a while, they don't show the list of first-degree friends as advertised -- false advertising! And secondly, the first degree is not about people who stalk you; it orders people by h…