Every once in a while, any good security professional gets reminded of just how pervasive you have to let your security paranoia be when designing tools and systems.
Case in point: we discovered a minor issue in the tool we created to do Xbox LIVE complaint enforcements. It caused the tool UI to hang when displaying profile field complaints. Gamertags and everything else were humming along just fine. We were kind of scratching our heads over it.
Without going into too much detail on architecture, the tool has a UI component that renders complaint data to our agents so they can review it, and an enforcement component that enforces the decisions. I designed these to be separate, since the UI component for profiles and gamertags is basically taking in a complaint stream consisting of a large amount of user-created data.
Granted, that data is text only, but my theory was that if anything happened on the UI side, it would be isolated to that side only. The enforcement engine is on a completely different machine and only accepts a fixed, limited set of non-variable input. The UI is rendered in low-rights IE 7, and the agents process the complaints on restricted user accounts on Vista. The entire toolset is also isolated from the LIVE service itself.
Yay for me.
Until someone put script in their Bio field and someone else complained about it. The UI hit script where it didn't expect to see it and halted. [EDIT: since I got asked, no, the script was not malicious in nature; it was just a simple display of a bad word]
Thankfully it only caused our UI for profiles to hang until we (quickly) figured it out. This was a good "fail safe". It didn't interrupt enforcements or represent any threat at all to the service, since the enforcement tools are totally isolated from the LIVE service, but when we discovered the problem, boy was my face red. How many times have I dealt with issues involving trusting input, only to let something like this happen? Michael Howard would point at me right now and laugh.
So here's a case where the overall design took best practices into account (I knew to isolate variable user-generated input), but I only trusted myself to think about the threat model and didn't define specifically what bad input would consist of. I got a little intellectually lazy, but thankfully, thanks to the design, this wasn't a threat of any type other than an annoyance. Let that be the lesson I was reminded of, so you don't have to be!
(and yes, we now vet the data stream for a variety of nasty text bits)
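To make the lesson concrete, here is an added example of the two things a review UI like this needs to do with user-created profile text: treat every field as untrusted and escape it before it reaches the renderer, and flag fields that contain markup or script so the agent can see why a complaint looks odd. This is illustration code written for this post, not the enforcement tool's own code; the field names, the pattern list and the sample complaint stream are all constructed for the example, and the pattern list is deliberately short rather than exhaustive.

```javascript
// Added example: defensive rendering of untrusted profile fields for a
// complaint-review UI. Field names ("bio", "motto") and the complaint
// objects below are constructed for illustration.

// Escape the characters that let plain text break out into markup, so a
// Bio containing "<script>" is shown as text instead of being executed.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Things that should never appear in a plain-text profile field. The list
// is illustrative; a real vetting step would be broader and maintained.
const SUSPICIOUS_PATTERNS = [
  { name: 'script-tag', re: /<\s*script/i },
  { name: 'iframe-tag', re: /<\s*iframe/i },
  { name: 'javascript-url', re: /javascript\s*:/i },
  { name: 'event-handler', re: /\bon\w+\s*=/i },
];

// Return the names of every pattern that matches; empty array when clean.
function flagSuspiciousText(text) {
  return SUSPICIOUS_PATTERNS
    .filter(p => p.re.test(String(text)))
    .map(p => p.name);
}

// Build the markup the agent sees. The untrusted value is always escaped,
// and a flagged field gets a visible marker explaining why it was flagged.
function renderProfileField(fieldName, value) {
  const flags = flagSuspiciousText(value);
  const marker = flags.length
    ? ' <em>[flagged: ' + escapeHtml(flags.join(', ')) + ']</em>'
    : '';
  return '<dt>' + escapeHtml(fieldName) + '</dt><dd>' +
    escapeHtml(value) + marker + '</dd>';
}

// Constructed sample complaint stream: one clean field, one with script
// (the situation described in the post), one with a javascript: URL.
const sampleComplaints = [
  { field: 'bio', value: 'I love racing games' },
  { field: 'bio', value: '<script>alert("badword")</script>' },
  { field: 'motto', value: 'click <a href="javascript:void(0)">here</a>' },
];

// Render the whole stream; never throws on odd input, so the UI keeps going.
function renderComplaints(complaints) {
  return complaints.map(c => renderProfileField(c.field, c.value));
}

if (typeof require !== 'undefined' && require.main === module) {
  renderComplaints(sampleComplaints).forEach(line => console.log(line));
}
```

The point of splitting escaping from flagging is that escaping is what keeps the renderer safe regardless of what the pattern list misses, while flagging is only there to help the agent; neither step relies on the other, so a gap in the flag list is a review inconvenience rather than a rendering failure.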