Announcing: Daz Deals Browser Add-on


Comments

  • mrinal Posts: 641
    Overdrawn said:
    @mrinal the Web Extension security model is slightly different and there are other security standards at play than just the Same-Origin Policy. The iframe is sufficiently sandboxed (for one), which prevents its scripts affecting the page it was loaded in. Also, Web Extensions may not execute code loaded from remote sites (like CDNs) nor can they use eval, inline scripts and the like--all done to prevent the sort of risks you describe. Regardless, I'm glad you've found a way to use the extension to your liking. :)

    Without getting into too many technicalities here, you must have seen that most reputable price history graph providers provide that information on their own site without messing around with the code and layout of the parent site. There are multiple reasons for that; respecting the confidentiality of the parent site's users and the integrity of data is definitely one of them. A few minor modifications to the HTML code of the Daz product page might have been acceptable. But by embedding external content AND asking for permission for access to another domain, a line was crossed.

    I must say you guys have done a good job with that add-on. I am just trying to play a devil's advocate to eliminate any scope of potential information leakage/misuse of user confidential information that might happen through the usage of add-on by unsuspecting users.

  • mrinal Posts: 641

    Also, let's not limit ourselves to only the possible vulnerabilities that I mentioned. A skilled attacker would have more sophisticated devices and methods at their disposal. Let's not 'enable' them further by exposing possible areas to exploit.

  • @mrinal the permissions we use are not different in kind than the ones used by SteamDB:
    https://github.com/SteamDatabase/BrowserExtension/blob/master/manifest.json#L20-L28

    Is the main concern here the use of an iframe? Had we instead loaded the price history from a remote server--as SteamDB and many others do--and generated a graph in the browser, would that have been less concerning?

  • mrinal Posts: 641

    I do not use SteamDB browser extension so cannot comment on their reliability. I directly visit the SteamDB page if I have to search for the price history of an app/game. Besides, Steam already has a history of cases of hacked user accounts. How many of those cases are due to user's ignorance and misplaced trust is anybody's guess. Also, I am not even going to compare the resilience and robustness of Steampowered.com with that of Daz (with no offence to Daz of course).

    Again, as I said, let's not limit ourselves to a particular method of exploit, because that would mean losing sight of the forest for the trees. I think I made that point pretty clear in my previous post.

  • @mrinal points made, and if you do more research that points to this sort of breach that would inform how we might build this differently, please let us know. At this point we're building things using Chrome and Firefox best practices, submitting the code for editorial review, and continuing to learn from other great extensions like SteamDB. Thanks for noting your concerns.
  • DanaTA Posts: 13,086

    It's a pleasure to see such civil discourse in here! Elsewhere the flame wars would have started by now. Kudos to all involved!

    Dana

  • Thanks, @DanaTA. :)
  • Wonderland Posts: 6,740

    Any chance this will ever be available for mobile devices? I do all my shopping on my iPad. Either Safari or Foxfire for iPad/iPhone would be great! :). Also, there are so many pages to go through so I can't tell if you can set up notifications by SMS text. That would make it worthwhile setting up the browser on my computer, if I could get text notifications. I get soooo many emails, email notifications would get lost or go unnoticed for too long... Thanks.

  • mrinal Posts: 641

    Please understand that I have spent more here at Daz than I have at Steam in my entire life. So there's quite a lot at stake for me here. While I do want to benefit from the generous work that you guys are doing, I would be genuinely worried if there is even a slight potential for my account data getting compromised.

  • @Wonderland right now the iPad browsers don't support Web Extensions... The text message option's an interesting one though! I'm afraid I'd be even more addicted then. ;-P Emails do include images and more info than could fit in an SMS. Will think on it. ;)
  • Ati Posts: 9,080

    Also, there are so many pages to go through so I can't tell if you can set up notifications by SMS text. That would make it worthwhile setting up the browser on my computer, if I could get text notifications.

    What types of notifications did you have in mind? The emails now contain all of the items that trigger the notifications, this can't fit in an SMS if there are 20-30 or more items on sale. Theoretically I could set up a page with all the triggering items on it, and just send out the link to that page. Click on link in SMS, and you get the full list, just like you would in an e-mail. (I'm just thinking aloud now. :))

    Does your phone provider have an email to sms service? By this, I mean that you get an email address, such as [email protected], and anything sent to that address is sent to your phone as an SMS?

  • @mrinal completely understand! If you dig around the Mozilla Addons site you'll find the code for the Daz-Deals extension, and we'd be honored if you gave that a hard look and private messaged @Ati or myself if you do indeed find a security issue. We've also spent more here than on Steam. :)
  • Ati Posts: 9,080
    mrinal said:

    Please understand that I have spent more here at Daz than I have at Steam in my entire life. So there's quite a lot at stake for me here. While I do want to benefit from the generous work that you guys are doing, I would be genuinely worried if there is even a slight potential for my account data getting compromised.

    I've sent you a private message here on the forums. Please take a look at the example there. I see you're at home with technical issues, so our conversation might end up having malicious-looking code in it, which I don't want to be posted publicly.

  • Overdrawn said:

    Wow, thank you so much!! This is great!

    One thing I always wanted was to be able to shop by percentage-off (to find the best deals), and to exclude platinum-club items (again, to find the things trending downward). I don't know anything about how hard it is to do extension stuff, but if that was easy to do it'd be super cool :)

  • donovancolbert Posts: 1,421
    edited December 2016

    I found this developer discourse on best security practices for plugins very interesting to read - as someone with a more generalized IT systems and networking security background. I also appreciated the lack of ego and the genuine desire on both sides to hear the concerns and explanations the other side was offering. (My experience is that you don't see that happen a lot in this industry.)

    As a consumer, I love the features, and feel much more comfortable with the way this plugin works and the permissions required than the previous solution that required an additional 3rd party plugin - but that may have more to do with my lack of experience with web security BKMs.

    I mean, at some point it is always a compromise between functionality, features and security.

  • It would be awesome if the plugin could search and show you the least expensive new release. :D

  • TJohn Posts: 11,010

    It would be awesome if the plugin could search and show you the least expensive new release. :D

    Enter "new" (without the quotation marks) in the Search Store box. Enter.

    Click on the Show All box.

    Sort by Price Low-High.


  • Tjohn said:

    It would be awesome if the plugin could search and show you the least expensive new release. :D

    Enter "new" (without the quotation marks) in the Search Store box. Enter.

    Click on the Show All box.

    Sort by Price Low-High.

    Awesome! Thanks! So simple, it would have never occurred to me.

  • mrinal Posts: 641
    edited December 2016

    I mean, at some point it is always a compromise between functionality, features and security.

    This 'compromise' is what causes a user to succumb to an attacker's malicious intentions. There is a good article from IBM which highlights some of the top 10 vulnerabilities that attackers often exploit. You can read more about it here: https://www.ibm.com/developerworks/library/se-owasptop10/. You can also get more details from the official OWASP project at https://www.owasp.org/.

    It would be easy to imagine how ads could be leveraged to implement those exploits and how sinister a simple looking image on the edge of a webpage can become if rendered from an external site.

    If a breach is caused by an ad/external content that Daz has placed on their site, it would be their responsibility. But if a breach is caused by a browser extension that does the same thing, I believe it would be the user's responsibility.

  • Ati Posts: 9,080
    mrinal said:

    It would be easy to imagine how ads could be leveraged to implement those exploits and how sinister a simple looking image on the edge of a webpage can become if rendered from an external site.

    Please note that no images are served from external sites using this addon.

  • mrinal Posts: 641
    edited December 2016
    Ati said:
    mrinal said:

    It would be easy to imagine how ads could be leveraged to implement those exploits and how sinister a simple looking image on the edge of a webpage can become if rendered from an external site.

    Please note that no images are served from external sites using this addon.

    My observation is a bit different when I enable the price history and null-route 'civilizationhunt.com'.

    [Attachments: PriceHistory.png (1280 x 771), DD.png (796 x 167)]
  • mrinal Posts: 641
    mrinal said:
    Ati said:
    mrinal said:

    It would be easy to imagine how ads could be leveraged to implement those exploits and how sinister a simple looking image on the edge of a webpage can become if rendered from an external site.

    Please note that no images are served from external sites using this addon.

    My observation is a bit different when I enable the price history and null-route 'civilizationhunt.com'.


    When I do a "View frame source" on top of that unloaded content I get this in the URL: view-source:https://civilizationhunt.com/ds/pricechart.php?sku=36149&ea=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca491b7852b855&pa=undefined&l=true

    It seems more information is being passed on to an external site than is required for rendering the price history. Wouldn't the SKU have been just enough?

    What worries me more is that the information that is passed is encrypted, so as an end user one cannot view its contents to see if any confidential information is at risk here.


  • Ati Posts: 9,080
    mrinal said:
    Ati said:
    mrinal said:

    It would be easy to imagine how ads could be leveraged to implement those exploits and how sinister a simple looking image on the edge of a webpage can become if rendered from an external site.

    Please note that no images are served from external sites using this addon.

    My observation is a bit different when I enable the price history and null-route 'civilizationhunt.com'.

    Please do take the time to explore further.

    What you can immediately see when examining the source code of the page, is that it's not an image, but an isolated iframe, so you can immediately see that anything in there is prohibited from interacting with the parent page. The browser blocks any such attempts. There is no way around that. Please take another look at the example I sent you in private message yesterday, and examine the error messages in your console when any interaction with the parent page is initiated from such iframes.

  • mrinal Posts: 641
    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

    It would be easy to imagine how ads could be leveraged to implement those exploits and how sinister a simple looking image on the edge of a webpage can become if rendered from an external site.

    Please note that no images are served from external sites using this addon.

    My observation is a bit different when I enable the price history and null-route 'civilizationhunt.com'.

    Please do take the time to explore further.

    What you can immediately see when examining the source code of the page, is that it's not an image, but an isolated iframe, so you can immediately see that anything in there is prohibited from interacting with the parent page. The browser blocks any such attempts. There is no way around that. Please take another look at the example I sent you in private message yesterday, and examine the error messages in your console when any interaction with the parent page is initiated from such iframes.

    Merely relying upon the browser's iframe implementation is not a sufficient security measure to ensure integrity when loading content from an external site. Besides, there is another issue that I have highlighted in my previous post.

    I have already responded to your PM and informed you that I would not be detailing out any exploits that could potentially be used to bypass the browser security implementation. I need to ensure that if any breach happens in future, I am not an accomplice to it.


  • Ati Posts: 9,080
    mrinal said:

    When I do a "View frame source" on top of that unloaded content I get this in the URL: view-source:https://civilizationhunt.com/ds/pricechart.php?sku=36149&ea=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca491b7852b855&pa=undefined&l=true

    It seems more information is being passed on to an external site than is required for rendering the price history. Wouldn't the SKU have been just enough?

    What worries me more is that the information that is passed is encrypted, so as an end user one cannot view its contents to see if any confidential information is at risk here.

    Please see my post above about what the features of the pricechart are. After you read that, come back to this comment, and I'll explain every parameter that is being sent.

    sku = this is the sku of the item that you are viewing. This is necessary to display the chart for the correct item.

    l = can have values of true, false or undefined. When set to true, the chart will display the longer timeframe. When set to false or not set (undefined), the chart will display the shorter timeframe. This is an option you can set in the addon options page.

    ea and pa are used to identify you! Yes! We will know exactly that it is YOU who is displaying that chart! These are the data that you enter on the options page of the addon. If you do not sign up for email notifications, or do not enter those login details here, then you will see pa as undefined, and ea as the encrypted version of the word "undefined". Of course, in this case, you will not be able to set individual notifications. Why is this information being sent? Because the isolated iframe has no way of interacting with the parent for security reasons. And you can set personalized, individual notifications. Without knowing who to set the notification for, there would be no way to set it. And without knowing who is viewing the chart, there would be no way to display to you what individual notification you have already set.

    Okay, but why is that encrypted? For security reasons. Anyone monitoring your network traffic can see the URLs you visit. If we did not encrypt that piece of information, an attacker would be able to see that. So we encrypt it.

    Okay, okay, but how can I be sure that it's only this, and I'm not actually sending all of my daz details? Luckily, the addon is open-source, so you can actually see for yourself! You can examine every line of code, every single character that is running in your browser, to make sure you are totally comfortable with it.
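
    The check a reviewer would actually run on the frame URL quoted above, as an added example that is not the extension's or Ati's own code: parse the query, classify each parameter using the meanings listed in this post (sku and l needed for the chart; ea and pa user-identifying), flag anything undocumented, and show the SKU-only form of the request that mrinal asked about. The URL is the one quoted in the thread; the parameter roles are an assumption taken from this post.

    ```javascript
    // Added example (not the Daz Deals extension's own code): audit the query
    // string of a captured price-chart request against the four parameters
    // documented in the thread (sku, l, ea, pa). Runs under Node.js with the
    // built-in WHATWG URL API; no network access is needed.

    // Meaning of each parameter as described in the thread (assumed from the post).
    const DOCUMENTED = {
      sku: "SKU of the item being viewed; selects the chart",
      l:   "true / false / undefined; long or short timeframe",
      ea:  "encoded account identifier (user-identifying)",
      pa:  "account identifier (user-identifying)",
    };

    // Parameters that are needed to draw the chart for anyone at all.
    const REQUIRED_FOR_CHART = new Set(["sku", "l"]);

    // The URL quoted in the thread from the browser's "View frame source".
    const CAPTURED_URL =
      "view-source:https://civilizationhunt.com/ds/pricechart.php" +
      "?sku=36149&ea=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca491b7852b855" +
      "&pa=undefined&l=true";

    // Parse a frame-source URL into host, path and a plain parameter object.
    function parsePriceChartQuery(rawUrl) {
      const url = new URL(rawUrl.replace(/^view-source:/, ""));
      const params = {};
      for (const [name, value] of url.searchParams) params[name] = value;
      return { host: url.hostname, path: url.pathname, params };
    }

    // Classify every parameter: required for the chart, user-identifying,
    // or not documented at all (the last group is what a reviewer chases up).
    function auditPriceChartQuery(rawUrl) {
      const { host, path, params } = parsePriceChartQuery(rawUrl);
      const names = Object.keys(params);
      const identifying = names.filter(
        (n) => n in DOCUMENTED && !REQUIRED_FOR_CHART.has(n));
      const undocumented = names.filter((n) => !(n in DOCUMENTED));
      // Per the thread, a user who never signed up sends pa literally as
      // the string "undefined" (or not at all).
      const anonymous = params.pa === undefined || params.pa === "undefined";
      return {
        host, path, names, identifying, undocumented, anonymous,
        sku: params.sku,
        longTimeframe: params.l === "true",
      };
    }

    // Data-minimised form of the same request: only the parameters the chart
    // itself needs, i.e. the request the thread asks about ("wouldn't the SKU
    // have been enough?").
    function minimalChartUrl(rawUrl) {
      const { host, path, params } = parsePriceChartQuery(rawUrl);
      const url = new URL(`https://${host}${path}`);
      for (const name of REQUIRED_FOR_CHART) {
        if (params[name] !== undefined) url.searchParams.set(name, params[name]);
      }
      return url.toString();
    }

    // Human-readable report for a review note.
    function describeAudit(rawUrl) {
      const a = auditPriceChartQuery(rawUrl);
      const lines = [`request to ${a.host}${a.path}`];
      for (const n of a.names) {
        const role = a.undocumented.includes(n) ? "UNDOCUMENTED"
          : a.identifying.includes(n) ? "identifying" : "chart";
        lines.push(`  ${n.padEnd(4)} ${role.padEnd(12)} ${DOCUMENTED[n] || "?"}`);
      }
      lines.push(`  anonymous request: ${a.anonymous}`);
      return lines.join("\n");
    }

    console.log(describeAudit(CAPTURED_URL));
    console.log("minimal form:", minimalChartUrl(CAPTURED_URL));
    ```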

  • mrinal Posts: 641
    edited December 2016
    Ati said:
    mrinal said:

    When I do a "View frame source" on top of that unloaded content I get this in the URL: view-source:https://civilizationhunt.com/ds/pricechart.php?sku=36149&ea=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca491b7852b855&pa=undefined&l=true

    It seems more information is being passed on to an external site than is required for rendering the price history. Wouldn't the SKU have been just enough?

    What worries me more is that the information that is passed is encrypted, so as an end user one cannot view its contents to see if any confidential information is at risk here.

    Please see my post above about what the features of the pricechart are. After you read that, come back to this comment, and I'll explain every parameter that is being sent.

    sku = this is the sku of the item that you are viewing. This is necessary to display the chart for the correct item.

    l = can have values of true, false or undefined. When set to true, the chart will display the longer timeframe. When set to false or not set (undefined), the chart will display the shorter timeframe. This is an option you can set in the addon options page.

    ea and pa are used to identify you! Yes! We will know exactly that it is YOU who is displaying that chart! These are the data that you enter on the options page of the addon. If you do not sign up for email notifications, or do not enter those login details here, then you will see pa as undefined, and ea as the encrypted version of the word "undefined". Of course, in this case, you will not be able to set individual notifications. Why is this information being sent? Because the isolated iframe has no way of interacting with the parent for security reasons. And you can set personalized, individual notifications. Without knowing who to set the notification for, there would be no way to set it. And without knowing who is viewing the chart, there would be no way to display to you what individual notification you have already set.

    Okay, but why is that encrypted? For security reasons. Anyone monitoring your network traffic can see the URLs you visit. If we did not encrypt that piece of information, an attacker would be able to see that. So we encrypt it.

    Okay, okay, but how can I be sure that it's only this, and I'm not actually sending all of my daz details? Luckily, the addon is open-source, so you can actually see for yourself! You can examine every line of code, every single character that is running in your browser, to make sure you are totally comfortable with it.

    I don't remember ever signing up for notifications either through the add-on or through the 'civilizationhunt.com' site. I still do not see why personalized information is necessary to render a price history chart. If it is for the period/range, then you could have just sent the range as another parameter in plain text. The user information that you have mentioned should have been sent only while submitting the form in the notification tab. Why is it required while displaying the price chart?

    EDIT: Maybe you want to post a link to the source code of the addon if you say it's open-source. Perhaps create a public source repository on Github if it's not already there. I could not find the location of the source code either in the Chrome Web Store add-on description or on page 1 of this thread.

  • Ati Posts: 9,080
    mrinal said:

    Merely relying upon the browser's iframe implementation is not a sufficient security measure

    If you don't trust the security measures in your browser, then that's a different issue, and in that sense, there is nothing I can do to help.

    Not trusting your browser would mean not visiting any websites, since you can never know which site has malicious code on it that will bypass your browser's security measures and start logging your every keystroke, or send every cookie you have on your computer, or even send every saved password to an attacker.

    Not trusting your browser would mean never entering your credit card information because you can never be sure that the encryption is not broken.

    Not trusting your browser would mean never reading any of your emails because logging in to your email account, even over a secure connection, might not be secure enough. The browser's implementation of the encryption may be compromised, and others may access your emails. So you rely on an email program, but who can be sure that that email program's security measures are not bypassed?

  • Ati Posts: 9,080
    mrinal said:
    Ati said:
    mrinal said:

    When I do a "View frame source" on top of that unloaded content I get this in the URL: view-source:https://civilizationhunt.com/ds/pricechart.php?sku=36149&ea=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca491b7852b855&pa=undefined&l=true

    It seems more information is being passed on to an external site than is required for rendering the price history. Wouldn't the SKU have been just enough?

    What worries me more is that the information that is passed is encrypted, so as an end user one cannot view its contents to see if any confidential information is at risk here.

    Please see my post above about what the features of the pricechart are. After you read that, come back to this comment, and I'll explain every parameter that is being sent.

    sku = this is the sku of the item that you are viewing. This is necessary to display the chart for the correct item.

    l = can have values of true, false or undefined. When set to true, the chart will display the longer timeframe. When set to false or not set (undefined), the chart will display the shorter timeframe. This is an option you can set in the addon options page.

    ea and pa are used to identify you! Yes! We will know exactly that it is YOU who is displaying that chart! These are the data that you enter on the options page of the addon. If you do not sign up for email notifications, or do not enter those login details here, then you will see pa as undefined, and ea as the encrypted version of the word "undefined". Of course, in this case, you will not be able to set individual notifications. Why is this information being sent? Because the isolated iframe has no way of interacting with the parent for security reasons. And you can set personalized, individual notifications. Without knowing who to set the notification for, there would be no way to set it. And without knowing who is viewing the chart, there would be no way to display to you what individual notification you have already set.

    Okay, but why is that encrypted? For security reasons. Anyone monitoring your network traffic can see the URLs you visit. If we did not encrypt that piece of information, an attacker would be able to see that. So we encrypt it.

    Okay, okay, but how can I be sure that it's only this, and I'm not actually sending all of my daz details? Luckily, the addon is open-source, so you can actually see for yourself! You can examine every line of code, every single character that is running in your browser, to make sure you are totally comfortable with it.

    I don't remember ever signing up for notifications either through the add-on or through the 'civilizationhunt.com' site. I still do not see why personalized information is necessary to render a price history chart. If it is for the period/range, then you could have just sent the range as another parameter in plain text. The user information that you have mentioned should have been sent only while submitting the form in the notification tab. Why is it required while displaying the price chart?

    Based on what I wrote in my message you quoted:

    "If you do not sign up for email notifications, or do not enter those login details here, then you will see pa as undefined, and ea as the encrypted version of the word "undefined". Of course, in this case, you will not be able to set individual notifications."

    if you did not sign up for the notifications, then you will see that there is no user information being sent at all, only the word "undefined" and the encrypted version of the word "undefined", since in that case we have no way of knowing any such user information.

  • Ati Posts: 9,080
    mrinal said:

    EDIT: Maybe you want to post a link to the source code of the addon if you say it's open-source. Perhaps create a public source repository on Github if it's not already there. I could not find the location of the source code either in the Chrome Web Store add-on description or on page 1 of this thread.

    I could show you one source code, and install something completely different on your computer. The best way is always to check the version that is actually on your computer.

    I just googled the following page; I don't know if the method described works or not. If it doesn't work, or you are not comfortable with viewing the source code this way, please feel free to do a search on Google, or any other search engine, to see how you can access the source code of the addons you have installed. http://www.howtogeek.com/198964/how-to-view-the-source-code-of-a-chrome-extension/

  • mrinal Posts: 641
    Ati said:
    mrinal said:
    Ati said:
    mrinal said:

    When I do a "View frame source" on top of that unloaded content I get this in the URL: view-source:https://civilizationhunt.com/ds/pricechart.php?sku=36149&ea=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca491b7852b855&pa=undefined&l=true

    It seems more information is being passed on to an external site than is required for rendering the price history. Wouldn't the SKU have been just enough?

    What worries me more is that the information that is passed is encrypted, so as an end user one cannot view its contents to see if any confidential information is at risk here.

    Please see my post above about what the features of the pricechart are. After you read that, come back to this comment, and I'll explain every parameter that is being sent.

    sku = this is the sku of the item that you are viewing. This is necessary to display the chart for the correct item.

    l = can have values of true, false or undefined. When set to true, the chart will display the longer timeframe. When set to false or not set (undefined), the chart will display the shorter timeframe. This is an option you can set in the addon options page.

    ea and pa are used to identify you! Yes! We will know exactly that it is YOU who is displaying that chart! These are the data that you enter on the options page of the addon. If you do not sign up for email notifications, or do not enter those login details here, then you will see pa as undefined, and ea as the encrypted version of the word "undefined". Of course, in this case, you will not be able to set individual notifications. Why is this information being sent? Because the isolated iframe has no way of interacting with the parent for security reasons. And you can set personalized, individual notifications. Without knowing who to set the notification for, there would be no way to set it. And without knowing who is viewing the chart, there would be no way to display to you what individual notification you have already set.

    Okay, but why is that encrypted? For security reasons. Anyone monitoring your network traffic can see the URLs you visit. If we did not encrypt that piece of information, an attacker would be able to see that. So we encrypt it.

    Okay, okay, but how can I be sure that it's only this, and I'm not actually sending all of my daz details? Luckily, the addon is open-source, so you can actually see for yourself! You can examine every line of code, every single character that is running in your browser, to make sure you are totally comfortable with it.

    I don't remember ever signing up for notifications either through the add-on or through the 'civilizationhunt.com' site. I still do not see why personalized information is necessary to render a price history chart. If it is for the period/range, then you could have just sent the range as another parameter in plain text. The user information that you have mentioned should have been sent only while submitting the form in the notification tab. Why is it required while displaying the price chart?

    Based on what I wrote in my message you quoted:

    "If you do not sign up for email notifications, or do not enter those login details here, then you will see pa as undefined, and ea as the encrypted version of the word "undefined". Of course, in this case, you will not be able to set individual notifications."

    if you did not sign up for the notifications, then you will see that there is no user information being sent at all, only the word "undefined" and the encrypted version of the word "undefined", since in that case we have no way of knowing any such user information.

    Could you please focus your response on the text marked in bold in the previous post. I hear that you are sending the information even if it is "undefined", but WHY is it required for the price chart? WHY do you need to identify the user who is asking for the price chart?

    I am asking these questions because the encrypted data could potentially be used as a payload to pass sensitive information.

This discussion has been closed.