Css hacks

I was just reminded of some css attacks that I had used just toying around. I was reminded because an update came across my rss feeds – yammer updated it’s Adobe Air client.

This started when we started using yammer for inter-office communications among the programmers. Of course we had one who always tested the bounds of security, not for anything illegal, but for an excercise. He instantly started to try and find holes with yammer. I can’t remember specifics, but I think he started with script injection attacks. He of course was met with opposition by yammer’s filtering.

My interest was peaked. The first thing I did was try adding a script tag. That was filtered, good yammer. Then adding css to change the page layout and hide logos. Aha! Injecting a style tag worked. At least it worked through the Air client. Now what to do from here?

How about injecting my own scripts from css content property? This obvious hack seemed to work. I made a publicly accessible script and and added a script tag to the yammer page via css content property. The script was simple, it just changed some of the text and animated some items around. It didn’t work on all browsers though. It was enough to get a response from some of the guys yelling, “Hey! What happenned to Yammer?”.

It was an interesting experiment. The hack took about 5 minutes mostly that long because of finding a public spot to host the javascript from. The code for the hack was: #some_unique_id:after { content: '<script src="myscript.js"></script>'}

This was on a Friday afternoon. I removed the posts from Yammer so they wouldn’t disturb the rest of our users anymore, or the global feed that is probably on a big screen somewhere in the Yammer offices.

Come Monday, I login to my system, Yammer starts up and voila! It has an update for the Air client. And wouldn’t you know, the css hack is no longer viable. These guys were on top of it. Also another reason I think they have a global feed running in their office.

Technorati: css hack software