Is Posterous’ Posting Policy Secure?

    Services like Posterous have changed the way Internet users post information about themselves, their likes, and their dislikes. Posterous follows a very simple model.

    A user simply needs to send an email to post@posterous.com, optionally attaching files such as music they like, and the content is posted to their personal page. It’s very easy to use. You can literally create your own page with a single email. Posterous has already chalked up thousands of avid users.

    Motivation
    The goal of this article is to highlight how a service like Posterous needs to harden itself against misuse by malicious individuals and groups. We will be exploring some of the potential loopholes of the Posterous model. We will not be discussing or revealing any exploit code.

    Exploring this facet of services like Posterous helps uncover the various attack surfaces that malicious entities can use to compromise such an excellent service. Through this exercise, perhaps we can help services like Posterous improve upon their existing architecture.

    Methodology
    We will use the following metrics to determine the safety of Posterous’s current service.

    1. Can we post with an email where the originating server IP does not match the sender’s domain?
    2. Can we post a malicious link (hyperlink)?
    3. Can we post a malicious iframe?
    4. Can we post a malicious script?
    5. Can we post a malicious binary?

    Before we proceed, we will outline how the experiment was set up. A new account was set up using an email sent to Posterous (by new account, we mean a new blog post, not a registered user account).

    Once the blog post was created, we analyzed it to see whether the content of the outgoing email to Posterous was actually present in the blog post. If the content was in the post, we checked whether it had been modified. The experiment was conducted on Friday, July 9, 2010.

    Analysis
    Now we will describe the results of some of the tests that we conducted.

    1. Can we post with an email where the originating server IP does not match the sender’s domain? Yes
    2. Can we post a malicious link (hyperlink)? Yes and No
      • For unregistered accounts, it seems that a hyperlink is prefaced with http://emailusername-kb3zz.posterous.com/ so a malicious link will not be triggered.
      • For registered accounts, it seems you can put up links without this prefix. We have confirmed posting of malicious links with examples from Malware Patrol, Google’s Safe Browsing List and others.
      • Update: Gary Tan from Posterous let us know that they are using link pre-filtering and will be expanding their capabilities by incorporating more lists. This is good to hear.
    3. Can we post a malicious iframe? Yes
      In fact, an iframe can be posted from non-registered mode. This is a mechanism that a bad guy might try to exploit (screenshot attached below; of course, it’s a benign iframe).

      • Update: Gary Tan from Posterous let us know that they prevent iframe posts from taking up the full page by sanitizing size attributes, mitigating the main problem with iframes.
    4. Can we post a malicious script? No
      Posterous scrubs scripts attached to the email and does not let them post to the blog. It remains to be seen, though, whether any malicious encoding would allow a script to get through.
    5. Can we post a malicious binary? Not tested

    Note: No malicious content (iframes, scripts, binaries) was ever uploaded to the blog during testing.
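    The following Python sketch is an added example, not Posterous’ code and not part of the original article. It models the two controls the metrics above probe for any email-to-blog service: a sender check in the spirit of metric 1 (is the connecting server IP authorised for the From: domain), and a sanitiser for the posted body covering metrics 2 to 4 (drop scripts, clamp iframe size attributes, refuse links whose host is on a blocklist). The authorised-sender table, the blocklist, the sample email body and the 300-pixel iframe clamp are all constructed for the demonstration; a real service would query the domain’s SPF record and the link-filtering lists the article mentions instead of the hard-coded tables.

```python
"""Model of an email-to-post ingestion pipeline with the controls the article
tests for. Everything below (domains, IPs, blocklist, sample body) is constructed."""
from html import escape
from html.parser import HTMLParser
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed stand-in for an SPF lookup: From: domain -> networks allowed to send
# mail for it. Unknown domains fail closed (no entry means no authorised sender).
AUTHORISED_SENDERS = {
    "example.com": ["192.0.2.0/24"],
    "example.org": ["198.51.100.0/24"],
}

# Constructed stand-in for link pre-filter lists (hosts only, any scheme).
LINK_BLOCKLIST = {"malware.example.net"}

# Assumed clamp so an iframe cannot take up the full page (article says only
# that size attributes are sanitised; 300px is this example's choice).
MAX_IFRAME_DIM = 300


def sender_ip_matches_domain(from_addr, connecting_ip):
    """Metric 1: True only if the sending IP is authorised for the From: domain."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    ip = ip_address(connecting_ip)
    return any(ip in ip_network(net) for net in AUTHORISED_SENDERS.get(domain, []))


class PostSanitizer(HTMLParser):
    """Re-emits the body with <script> removed, <iframe> dimensions clamped and
    blocklisted <a> tags replaced by their visible text only."""

    VOID = {"br", "img", "hr"}

    def __init__(self):
        super().__init__()  # convert_charrefs=True: data arrives unescaped
        self.out = []
        self.dropped_links = 0
        self._in_script = False
        self._blocked_anchor_depth = 0

    def handle_starttag(self, tag, attrs):
        if self._in_script:
            return
        if tag == "script":          # metric 4: drop the tag and its contents
            self._in_script = True
            return
        attrs = dict(attrs)
        if tag == "iframe":          # metric 3: clamp width/height
            for dim in ("width", "height"):
                if dim in attrs:
                    try:
                        attrs[dim] = str(min(int(attrs[dim]), MAX_IFRAME_DIM))
                    except (TypeError, ValueError):  # e.g. "100%" or missing value
                        attrs[dim] = str(MAX_IFRAME_DIM)
        if tag == "a":               # metric 2: refuse blocklisted link targets
            host = (urlparse(attrs.get("href") or "").hostname or "").lower()
            if host in LINK_BLOCKLIST:
                self.dropped_links += 1
                self._blocked_anchor_depth += 1
                return               # anchor text is kept, the tag is not
        rendered = " ".join(
            f'{k}="{escape(v, quote=True)}"' if v is not None else k
            for k, v in attrs.items()
        )
        self.out.append(f"<{tag}{' ' + rendered if rendered else ''}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            return
        if self._in_script:
            return
        if tag == "a" and self._blocked_anchor_depth:
            self._blocked_anchor_depth -= 1
            return
        if tag not in self.VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(escape(data, quote=False))


def sanitize_post(body):
    parser = PostSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped_links


def ingest_email(from_addr, connecting_ip, body):
    """Full pipeline: refuse forged senders, otherwise sanitise and publish."""
    if not sender_ip_matches_domain(from_addr, connecting_ip):
        return {"accepted": False, "reason": "sender IP not authorised for domain"}
    html_out, dropped = sanitize_post(body)
    return {"accepted": True, "html": html_out, "dropped_links": dropped}


# Constructed email body exercising all three sanitiser rules.
SAMPLE_BODY = (
    '<p>My playlist</p>'
    '<a href="http://malware.example.net/track.exe">free track</a>'
    '<script>document.location="http://malware.example.net/"</script>'
    '<iframe src="http://example.org/player" width="100%" height="9999"></iframe>'
    '<a href="http://example.org/ok">fine</a>'
)

if __name__ == "__main__":
    print(ingest_email("alice@example.com", "203.0.113.5", SAMPLE_BODY))
    print(ingest_email("alice@example.com", "192.0.2.10", SAMPLE_BODY))
```

    The sanitiser is an allow-by-rewrite design: it never echoes the raw input, so anything the parser does not recognise is re-serialised through the same escaping path. A production filter would also need to handle encoded variants (the question the article leaves open under metric 4) and would clamp or drop iframes by source, not only by size.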

    Conclusions
    We have seen that there are some attack vectors which malicious entities could employ against services like Posterous as a tool to spread malware: primarily, the use of iframes and malicious links.

    Even if Posterous begins to pre-filter links, as we have shown in a previous article (Analyzing URL Shorteners), these services are a thorn in the side of security policies. Unfortunately, as each new service like Posterous comes to life on the Internet, so do new attack vectors for malicious entities.

    Till next time…

    Update: Gary Tan from Posterous was kind enough to swiftly reply back to our questions and provide good information (Monday, July 12, 2010). Our findings have been updated appropriately.