Saturday, December 07, 2013

Security breach at Myntra.com exposes customer's personal information, order history and more

Update (added on 3 Dec 2013): Based on my feedback Myntra.com has now setup security@myntra.com for reporting security issues and a Responsible Disclosure Policy page. Kudos to them for taking the first step towards a better responsible disclosure process and setting an example for other Indian companies.

Last week a bug on Myntra.com let anyone with an account take over random customer accounts and highlighted the lack of responsible disclosure processes among Indian companies.

On 28th November (2013), Myntra.com held a 3-hour (8-11pm) invite only Winter Sale event where a few select customers got an additional 31% off on all orders above a certain amount.

I was one of those customers and decide to login to my Myntra account to see the coupon, except I had forgotten my Myntra account password. So I went ahead and put in my email address and clicked on the forgot password link. As expected I got an email with instructions, to click on a link to set a new password. What happened next was very scary.




I clicked on the link and landed on the page on Myntra.com to set a new password but instead of my email address I saw someone else's email address pre-filled in the form. Curious to see what would happen, I went ahead and put in a new password and lo and behold, Myntra.com had let me take over another customer's account. 




To see if this was repeatable, I went through the forgot password flow again and just like before it had another random customer's email address pre-filled in the form and let me take over that customer's account.




HOLY SHIT. Myntra.com just let me take over two customer accounts. No fancy hacks, just a scary little bug that presented other Myntra customer accounts to me on a platter.

So the first thing I did was see if I could find anything on Myntra.com about responsible disclosure or a security contact but found nothing. So I sent an email to security@myntra.com and it promptly bounced with the message "The email account that you tried to reach is over quota".

Next I got in touch with them on Twitter and 13 hours later someone got in touch with me, 16 hours later I was speaking to a Tech Lead from Myntra.com and 9 days later I have confirmation from them that they have fixed the bug and put measures into place to ensure this doesn't happen again.

Note (added on 8 Dec 2013): The bug was fixed on the same day I reported it and the 9 days mentioned above includes time they took to monitor the fix and the Tech Lead at Myntra.com and me having issues around coordinating the final confirmation phone call.

I don't know how long this bug was live and how many customers accounts were affected but if your account was one of the affected ones, it means someone had COMPLETE access to your account, your personal details like your address and phone number, your order history, your myntra credit points, your saved payment details, your wishlist and your shopping cart.

Apart from the privacy concerns, the biggest threat that you need to protect yourself from, with a security breach like this is that it opens you up to Social Engineering Attacks where anyone with this privileged information can pretend to be from Myntra.com and use it for malicious purposes.

While a lot of people reading this will focus on Myntra, I think it's important to focus on what this incident can teach us about the lack of Responsible Disclosure processes among Indian companies.

If you run an online service (and especially an ecommerce one) you MUST have a responsible disclosure process in place. The Open Web Application Security Project (OWASP) has a good primer on managing your security issue disclosure process. At a very basic level you should atleast have a security@ email address configured. Having a dedicated page for responsible disclosure on your website is an added bonus.

Here are some examples of good responsible disclosure pages to get you started:



Lastly, I think it's important for companies to be transparent and honest about security/data breaches. Hiding details about breaches from your customers makes them vulnerable to all kinds of attacks. Security/Data breaches happen all the time. The only way customers can protect themselves is by being informed.

Sunday, June 09, 2013

Really Simple Social Blogging

A proposal to implement a decentralized Tumblr/Facebook/Twitter like social blogging platform using simple things like WebMention and Microformats. This is based on some experiments I'm doing with Converspace on sandeep.io and was inspired by The First Federated #Indieweb Comment Thread.

Based on usage, it looks like I primarily do 4 things on sandeep.io:
  1. Post original content. This could be text (both short and long form), links, photos, videos, quotes, etc. (http://www.sandeep.io/19)
  2. Repost content from others I find interesting. (http://www.sandeep.io/36)
  3. Comment on content from others. (http://www.sandeep.io/32)
  4. Like content from others. (http://www.sandeep.io/33)

Turns out this is also broadly what you do on Tumblr, Twitter and Facebook:
  • Tumblr: blog, reblog, comment and like.
  • Twitter: tweet, retweet, reply and favorite.
  • Facebook: update status, share, comment and like.

So I set out to see how this could be done in a decentralized way across the #indieweb. A couple of experiments later, I think I have a simple solution for achieving this, using nothing more than simple things like WebMention and Microformats.

The "social" part of this is letting others know that you have done one of those 4 things listed above and especially the person whose content you've reposted, liked or commented on.

This is where WebMention comes. It's a simple way to let any URL on the web know that  you've linked to it on your site. The problem however is communicating the context in which the URL was mentioned:
  • Was it just mentioned in passing along with other content?
  • Was it's content reposted?
  • Was it liked?
  • Was it linked to by someone commenting on it?

Taking a cue from the the experimental u-in-reply-to microformat, I'm using the following experimental classnames for links within h-entry:

A target URL that receives a WebMention can retrieve the source URLs HTML content and look for the above Microformat classnames to figure out the context in which it was mentioned along with an h-card/p-author entry to figure out the person involved.

The target can then show:
  • Total number of likes along with the details of the people that liked it.
  • Total number of reposts along with the details of the people that reposted it.
  • Total number of mentions along with the URLs of the sites that mentioned it.
  • Comments along with the details of the people that commented on it.
See this in action here: Indieweb Federated "Likes".

An important part that is missing from the above is letting other people easily follow you and get updates when you post something on your site. A microformats based feed reader should solve that. Following someone also gives you the opportunity to send a WebMention to the profile URL of the person you followed which in turn allows that person to show a Follower count (using u-follow maybe) along with the details of the followers. I've yet to explore this but will be posting more details when I get to it and dogfood it.


Wishlist: A microformats search engine that crawls the web looking for microformats, especially h-card so I can search for people just like I can on silo social networks.

Here are some additional experimental classnames I'm considering but not yet using:
  • u-quote to be used when you quote text from a URL verbatim.
  • u-follow to be used when you follow/subscribe to a URL (usually a person)


Todo

  • A way to undo WebMentions (e.g., unlike) by deleting the source URL and sending a WebMention for which the target would receive a 404 in turn deleting the original WebMention. 
  • I'm also hoping to extend WebMention to allow for private access to URLs to only the people that were sent a WebMention.

Updates

08 June, 2013
  • Added h-card search wishlist.
09 June, 2013
  • Added attribution to the @eschnou's indieweb comment thread that was the first instance I know of that combined something like WebMention (Pingback) and Microformats to figure out context. It went beyond the simple rel="in-reply-to" suggestion made in WebMention and read h-cards.
  • Added note about sending WebMentions to user profile URLs. (rememberd to add this thanks to this tweet by @benwerd)
  • Added note about private access. (rememberd to add this thanks to this tweet by @benwerd)
  • Added list of other experimental classnames I'm considering.
10 June 2013
  • Created the Todo section and added note about undoing WebMentions.

See Also

Friday, June 07, 2013

Extracting machine tags (aka triple tags) from a string

Here's some working code to extract machine tags (aka triple tags) from a string. Possibly one of the ugliest regular expressions I've ever written.

References

Thursday, June 06, 2013

Does polling scale better than push?

For the sake of simplicity, given 10000 subscribers, 1 publisher and assuming resource required for serving 1 pull request is roughly equal to resource required for sending 1 push:
  • A hub that is pulled from every minute has to serve number of subscribers x 1440 requests per day, i.e., 10000 subscribers x 1440 requests per day irrespective of the number of updates.
  • A hub that pushes has to send (number of subscribers x number of updates) per publisher pushes per day   i.e., 10000 subscribers x number of updates x 1 publisher pushes per day, i.e., 10000 subscribers x number of updates pushes per day.
  • So that's 10000 x 1440 for pull and 10000 x number of updates for push.
  • Therefore, if number of updates per day is greater than 1440, a hub that pushes will require more resources than ones that is pulled from. 
  • More importantly, a hub that is pulled from will not require additional resources if the number of updates per day increases.

Would love to hear what you think (in the comments) especially if you think this might not be the case.

Notes

  • This assumes that >= 1 min latency is ok for your specific use-case.
  • Resource required for serving 1 pull request might not be equal to resource required for sending 1 push. Here are my notes for why, I would love to hear yours:
    • Given constant number of subscribers and publishers, a pull based system will experience a uniform load throughout while a push based system will experience load in bursts.
    • Push potentially uses less bandwidth though Pull can take advantage of caching.
    • Push has the overhead of subscribers not being available, keeping track of such subscribers and retrying several times. 
  • Proof by induction doesn't work because with push not every subscriber is subscribed to every publisher.


See PushHubPullSub

This was inspired by my notes on Push vs Pull on the IndieWebCamp wiki.

PushHubPullSub

publishers Push updates to a Hub and updates are Pulled by Subscribers from the hub.

PuSH (PubSubHubbub) is a good way to solve the publishers and hubs problems (offloading work and polling lots of sites respectively). The idea with PushHubPullSub is to simplify subscribers by having them poll the hub.

See Does polling scale better than push?

Update: Moved the Does polling scale better than push section to a blog post of it's own.

This was inspired by my notes on Push vs Pull on the IndieWebCamp wiki.

Friday, May 31, 2013

RecentChanges, a simple alternative to ActivityStreams

For updates watch: https://github.com/converspace/recentchanges

Some thoughts on representing updates to a site inspired by wiki style RecentChanges:
  • Every resource (URL) has a RecentChanges endpoint.
  • The RecentChanges endpoint at each level of the (URL) hierarchy aggregates all RecentChanges under it.
    • The RecentChanges endpoint of the site aggregates site-wide RecentChanges.
  • RecentChanges only requires/uses 4 verbs: Post, Respond, Update, Delete. (open to renaming these but the idea is that 4 verbs are enough)
  • Examples:
    • Sandeep Shetty posted Foobar. (new post)
    • Sandeep Shetty updated Foobar. (edited an existing post)
    • AnonymousOnPurpose responded to Foobar. (commented on a post - could even be a response to a specific comment)
    • Sandeep Shetty deleted Foobar. (deleted a post)

Monday, May 06, 2013

Thinking About Metadata

Some of my thoughts on tagging and metadata in Converspace:

  • Syntax over Interface: I prefer (from a user experience perspective) how tagging (and other meta-data like mentions, etc.) evolved on Twitter to be just syntax and became part of the content (without being obtrusive) with no special interface elements dedicated to them. This allows for the same interface to serve people that don't need them, and the ones that do. Invisible to the users that don't need it but yet, always there for people that need it.
  • Visible Metadata: My preference for tags being part of the content has the advantage of them being always visible (moves/hangs with the content). However, it also has the disadvantage of not being able to cleanly do things like private tags (like how Pinboard does with tags that start with a period. e.g., .secret_tag). One obvious advantage of private tags is that you can do stuff like what Selective Tweets does with the #fb tag, but without having a visible public tag: like this IFTTT receipe that crossposts Pinboard bookmarks to Twitter that have the .twitter private tag. For the specific use case of publishing workflows, I'm considering using (something I'm calling) local action tags (tags that start with &, e.g., &action_tag) that are ephemeral and consumed by the publishing workflow and not saved as part of the content. Action tags obviously cannot be interspersed with the content and will have to be added at the end. Still need to figure out how this will work when the publishing workflow is also adding machine tags at the end. 
Update (after sleeping over it): Won't be implementing actions tags (as described above) because of it's limited scope (especially when it comes to allowing third-parties to participate in the publishing workflow) and I'm on the fence about Machine/Triple tags.

Update (May 07, 2013):
  • Auto-tagging: Allow for the publishing workflow to automatically add tags (including Machine/Triple tags). This is hard when you don't have a separate tags property and only have one blob of text (content). For example, it might not make sense to add tags at the end of single-line post when it is missing an ending punctuation mark. To allow for auto-tagging, I came up with a syntax for trailing tags. Trailing tags are preceded by a blank line, starts with two spaces, followed by space-separated tags, followed by the end-of-string. e.g., "\n\n  #additional_tag1 #additional_tag2". Trailing tags can be added at the end of content if they do not exist or tags can be appended to existing ones. I chose this syntax for the following reasons:
    • When viewing the Markdown, trailing tags appear slightly indented, which visually separates them from the rest of the content.
    • AFAIK, it doesn't conflict with existing Markdown syntax. This makes it invisible when rendered by processors that don't support it.
Update (June 05, 2013):

  • Machine tags are invisible metadata: Machines tags provide context for "machines" and should be syndicated but not displayed.


See also:

Sunday, April 07, 2013

Grains vs Milk


"It's also important to consider the big picture when judging the suitability of various foods. It helps to tell stories about the food we eat, to think about narratives. Grains aren't just little morsels of protein, carbs, and fiber bred for our enjoyment. They are baby plant eggs. Those macronutrients are there to sustain the seed's growth and those micronutrients are there to protect it. They are the plant's lifeline to immortality. They are literally shaped by the hand of evolution to survive and ravage the digestive tract of the poor sap that swallows them and discourage further consumption. Grain is only food because we deemed it so. Dairy? Dairy is objectively, absolutely food. Its fat, protein, and carbs are there to be consumed, albeit by young cows, sheep, and goats. It's meant to spur growth, to pack on muscle and fat and weight. And yeah, eating dairy protein causes an insulin spike, but that can be useful if you know what you're doing." -- http://www.marksdailyapple.com/dairy-insulin/

Sunday, March 10, 2013

Habit Domino, the simplest habit-forming/habit-tracking android app that could possibly work

What started out as an audacious idea inspired by a death in the family, to build a game-like habit-forming/habit-tracking android app (codenamed World of Doers), got refined into the simplest habit-forming/habit-tracking app that could possibly work.

The basic premise of Habit Domino is that once you've committed to forming a habit, the simple act of recording the routine and visiting the app once a day, has a sort of domino effect, driven by awareness and emotion, that gets you to complete the routine consistently till it turns into a habit.

No Graphs. No Reminders. Just commit to forming the habit and visit the app once a day.

Just Enough

There is a point at which a solution is just enough to solve a problem. Anything less and it won't solve the problem and anything more will only add marginally utility.

This is especially important because customers usually assign a certain value to a solution and therefore, are willing to pay a certain amount for it. Adding more features doesn't necessarily mean they'll pay more. Strive instead to refine your ideas by removing stuff till you're left with just enough to solve the problem at hand.

Ambition is the side-effect of a finite (limited) mind

Since we have a finite (limited) mind we cannot possibly "see" things in their entirety. So we aggregate and summarize. Instead of seeing the journey that is someone's life, we focus on the destinations they're reached. It's little wonder then that we aspire to reach destinations instead of paying attention to the journey and price we pay to get to our destinations.

This post was inspired by Clayton Christensen's How Will You Measure Your Life? TEDxBoston talk from 2010 :

Thursday, January 24, 2013

Fiction

All memory is fiction. Facts are just part of the plot.

Explore

Almost all good things in life are stumbled upon (found), not reached. Explore.

Finishing

With yet another person in the family passing away, I find myself in that, by now, familiar zone of reflecting on all the things I haven't finished, that I want to, before I die. I imagine being told that I have 2 months to live. What would I do? What would I finish?

This state is very similar to the days leading up to a long vacation. The time when you're the most productive because you want to finish things so that you can get them out of the way and enjoy your vacation without worries.

I want to feel this way all the time. I want to always be dying finishing.

No Risk

Taking risks won't seem daunting if you don't think in terms of right or wrong. Make a choice and execute full-on.