Quality Reads

Tuesday, November 06, 2007

Basecamp JS Injection

I've used Basecamp on and off for a couple years now. Generally, I thought it was a great application: secure, well-designed, simple & efficient. That is until I ran into this little beauty today.


In case you can't figure out what you're looking at, thats a lightbox with an Iframe pointing to pierinc.tickspot.com. No, that's not a new feature for Basecamp that you missed out on. One of my colleagues, today, noted that he could enter HTML into the Todo list. Immediately, I was like uh-oh...I wonder if I can....out come the <script> tags. You can insert html script tags right into the Todo list and it doesn't get sanitized. A little scary if you use Basecamp for larger projects, perhaps with a developer you don't completely trust.

After a little inspection of the DOM and playing around, I "mashed up" tickspot, our time tracking application, with basecamp so I can kill two birds w/ one stone. Beyond the security risk, this could actually be kinda fun. Tossing anything I want onto my Basecamp page for easy access. I still think Basecamp is a great application but this a serious no no. I had higher expectation from the 37Signals folks than this (perhaps its a feature...lol).

Cheers,
Todd

PS-I don't have a picture of it but the first thing I did was animate all the <div> tags. I had them flying all around the page...great way to freak out your boss ;)

***Update***
37Signals Support responded with this message:

Basecamp intentionally allows HTML (and JavaScript) because many ofour
users find great value in being able to use that. We're fullyaware that this
allows for XSS attacks, but Basecamp is based on thenotion of trusted parties.
You should only allow people into thesystem that you believe won't hack your
system (just as you shouldonly invite people into your office that you don't
believe will stealfrom you). If your friend becomes a foe, you can revoke their
accountand change your login credentials. Just like you would simply not letthem
into your office.

If this was a public system, it would definitely be different. You can't
have a public forum today without carefully dealing with XSS issues.

In the 3+ years we've operated Basecamp, we've never had a single suchcase
occur, though. So it doesn't seem like it's a big problem. And I know many of
our customers would scream murder if we removed the option to use HTML in their
messages, as they've become accustomed toover the past 3+ years.


I'm not sure I total agree with the sentiment of leaving security up to your users but its certainly a refreshing change from the pervasive concept of the "low-trust" internet.

==>If you're into javascript...hack away!

2 comments:

Eric said...

Have you seen this app? It's a great tool to save time. The cool thing is that it really makes a team like ours (we have 15 guys) more productive. Basecamp is all right, but it doesn't have some important features that Wrike has.

Todd Cullen said...

Actually, I haven't run into Wrike before. At first glance it looks like is has a nice feature set so I'll have to give a shot one week and see how it fairs.

Thanks for the suggestion.