
Error in the personal data export JSON

By Nicola Larosa @teknico
    2021-03-13 11:22:33.318Z

    When exporting personal data from the Preferences page, the downloaded JSON begins with a spurious line containing:

    )]}',
    
    Solved in post #2 · 2 replies
    1. KajMagnus @KajMagnus
       2021-03-13 19:33:04.333Z (edited 2021-03-13 19:40:43.633Z)

      It's a security thing that prevents the JSON from being parsed as JavaScript — so a malicious external website cannot load people's private JSON via JSONP, see:

      JSON Vulnerability Protection
      https://docs.angularjs.org/api/ng/service/$http#json-vulnerability-protection

      The malicious party website would try to send a cross-site request forgery request via a <script> tag, and rely on a weird JavaScript feature: the Array constructor can be changed to something else. Here are details:

      http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx

      They link to a blog post describing how Gmail got hacked in that way, 15 years ago: "... discovered a vulnerability in GMail where it became trivial to compromise someone's email contact list ..."
      https://blog.jeremiahgrossman.com/2006/01/advanced-web-attack-techniques-using.html

      ***

      Talkyard's JavaScript code removes the ")]}'," prefix before parsing the JSON.

      However, if you access the JSON from the same domain (same origin), then that prefix actually shouldn't be needed. But it's there anyway.

      1. KajMagnus @KajMagnus
         2021-04-09 12:03:58.856Z (edited 2021-04-09 12:10:09.765Z)

        Update: Newer Talkyard versions might add )]}', only if the API response returns an array (but not an object).

        Details:

        The exploit works by modifying the array constructor so it becomes a statement, but that works only if an array is returned as the top level thing. So, the )]}' isn't needed if returning an object.

        From the haacked article:

        Mitigations
        One common mitigation is to make sure that your JSON service always returns its response as a non-array JSON object. For example, with ASP .NET Ajax script services, they always append a "d" property to the response [...]

        { "d" : ["bankaccountnumber", "$1234.56"] }

        Because this is not a valid JavaScript statement, it cannot be parsed and instantiated as a new object in JavaScript. This therefore prevents the cross-site scripting attack from accessing data from AJAX JSON services on other domains.

        (I'm changing this, because I think it's annoying with )]}' when looking in Dev Tools)

        (I marked my previous reply as the answer)
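
An added example (not Talkyard's own code) that covers both replies above: it strips the `)]}',` prefix before parsing, and it checks whether a response body would be accepted by the JavaScript parser as a script, which is what distinguishes a top-level array from the `{ "d" : [...] }` object wrapping quoted from the haacked article. The sample bodies and the function names are constructed for this example.

```javascript
// Added example, not Talkyard's code. Handles the ")]}'," anti-JSONP prefix
// discussed above and checks whether a body could be loaded as a script.
const JSON_PREFIX = ")]}',";

// Strip the prefix when present, then parse. Bodies without the prefix
// (e.g. object responses from versions that only prefix arrays) parse as-is.
function parsePrefixedJson(body) {
  const text = body.startsWith(JSON_PREFIX) ? body.slice(JSON_PREFIX.length) : body;
  return JSON.parse(text);
}

// True if the JavaScript parser accepts the body as a script. A top-level
// array parses as an expression statement (the shape the old Array-constructor
// trick depended on); an object literal with quoted keys is a syntax error
// (a block followed by a stray ':'), and so is anything starting with ")]}',".
// The body is only compiled, never run.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample responses, modelled on the personal-data export.
const prefixedArray = ")]}',\n[\"alice@example.com\", \"bob@example.com\"]";
const bareArray = '["alice@example.com", "bob@example.com"]';
const wrappedObject = '{ "d" : ["alice@example.com", "bob@example.com"] }';

// Summarises the three cases so a reviewer can see which bodies need the prefix.
function checks() {
  return {
    prefixedParsed: parsePrefixedJson(prefixedArray),
    prefixedIsScript: parsesAsScript(prefixedArray),      // false
    bareArrayIsScript: parsesAsScript(bareArray),         // true: prefix needed
    wrappedObjectIsScript: parsesAsScript(wrappedObject), // false: object is enough
  };
}
```

Running `checks()` shows that only the bare array is loadable as a script, which is the reasoning behind adding the prefix solely for array responses.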