Services like Posterous have changed the way Internet users post information about themselves, their likes, and their dislikes. Posterous follows a very simple model.
A user simply needs to send an email to post@posterous.com; they can attach files, such as music that they like, and post it to their personal page. It's very easy to use. You can literally create your own page with a single email. Posterous has already chalked up thousands of avid users.
Motivation
The goal of this article is to highlight how a service like Posterous needs to harden itself against misuse by malicious individuals and groups. We will be exploring some of the potential loopholes of the Posterous model. We will not be discussing or revealing any exploit code.
Exploring this facet of services like Posterous helps uncover the various attack surfaces that malicious entities can use to compromise such an excellent service. Through this exercise, perhaps we can help services like Posterous improve upon their existing architecture.
Methodology
We will use the following metrics to determine the safety of Posterous’s current service.
Before we proceed, we will outline how the experiment was set up. A new account was set up using an email sent to Posterous (by new account, we mean a new blog post, not a registered user account).
Once the blog post was created, we analyzed it to see if the content in the outgoing email to Posterous was actually present in the blog post. If the content was in the post, we analyzed it to see whether or not it had been modified. The experiment was conducted on Friday, July 9, 2010.
Analysis
Now we will describe the results of some of the tests that we conducted.
Note: No malicious content (iframes, scripts, binaries) was ever uploaded to the blog during testing.
Conclusions
We have seen that there are some attack vectors which malicious entities could employ against services like Posterous as a tool to spread malware: primarily, the use of iframes and malicious links.
Even if Posterous begins to pre-filter links, as we have shown in a previous article (Analyzing URL Shorteners), these services are a thorn in the side of security policies. Unfortunately, as each new service like Posterous comes to life on the Internet, so do new attack vectors for malicious entities.
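As an added illustration of the hardening these conclusions call for (example code written for this article, not code from Posterous), here is an allow-list sanitizer a service could run over the HTML body of an incoming email before publishing it: iframes and scripts are discarded together with their bodies, event-handler attributes are stripped, and links or image sources survive only with an absolute http(s) URL. The tag list, the SAMPLE input, and the format of the dropped-item report are assumptions made for this example; the report is what a moderation log would record.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allow-list: tag -> attributes that may survive; everything else is dropped.
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
VOID = {"br", "img"}                             # never get an end tag
DROP_WITH_BODY = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https"}                 # absolute http(s) URLs only

class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.dropped, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_BODY:                # discard the tag and its body
            self._skip += 1
            self.dropped.append(tag)
        elif self._skip:
            return
        elif tag not in ALLOWED:
            self.dropped.append(tag)
        else:
            kept = []
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED[tag]:     # e.g. onclick, style
                    self.dropped.append(f"{tag}@{name}")
                elif (name in ("href", "src") and
                      urlsplit(value.strip()).scheme.lower() not in SAFE_SCHEMES):
                    self.dropped.append(f"{tag}@{name}={value}")  # javascript:, data:, relative
                else:
                    kept.append(f' {name}="{html.escape(value)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_BODY:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):                 # text is re-escaped on output
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_post(body):
    # Returns (clean_html, dropped) for an HTML email body about to be published.
    p = PostSanitizer()
    p.feed(body); p.close()
    return "".join(p.out), p.dropped

# Constructed sample of what an HTML email body might carry into a post.
SAMPLE = ('<p onclick="x()">Hi <b>there</b></p><iframe src="http://bad.example/"></iframe>'
          '<a href="javascript:alert(1)">click</a><a href="https://example.com/">ok</a><script>evil()</script>')
```

An unclosed iframe or script swallows everything after it, which is the fail-closed behaviour wanted here: nothing from a dropped body ever reaches the page.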
Till next time…
Update: Gary Tan from Posterous was kind enough to reply swiftly to our questions and provide good information (Monday, July 12, 2010). Our findings have been updated appropriately.