Sunday, August 14, 2022

A Security Hole

In the '90s I was a QA tester at Macromedia, and one thing I tested was Shockwave. Shockwave was Macromedia's proprietary web browser plug-in for playing interactive multimedia. That was one of the very first plug-ins for Netscape Navigator (and for that matter, one of the first ActiveX controls for Internet Explorer, but let's not get bogged down).

One day we added a new feature to probe the keyboard, so you could figure out which keys were currently being held down. This is very useful for arcade-style games, when you need to know (for instance) if the left shift key and the left function key and the right control key are being held down at the same time. This was new; Shockwave couldn't do that before.

Anyway, I was assigned to test this thing. Which I did, and it passed with flying colors. It definitely worked as advertised. So it was included in the next rev of the plug-in / ActiveX control.

But at some point, after we had already shipped the feature, something nagged at me. I had a worrisome thought that maybe I missed something big.

So I came to work and verified my fear: any piece of Shockwave content currently running in your web browser was capable of probing the keyboard even if the keyboard focus was somewhere else.

This meant that your little Shockwave game where you click on the kittens (or whatever) could be a nefarious keylogger, capturing everything you typed anywhere in the browser, whether that window had the current focus or not.
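As an added illustration (not Shockwave's code, and not Macromedia's fix), here is what a "which keys are held down" feature looks like when it is scoped to keyboard focus the way the shipped plug-in was not. It only learns about keystrokes from events that the browser delivers to its own window, and the browser only delivers keyboard events to the focused window, so typing in another tab or window is invisible to it. The `blur` handling covers the edge case that makes event-driven tracking tricky: once focus leaves, the matching key-up events never arrive, so any key still in the set would look "held" forever. The event sequence in `demo()` is constructed for the example.

```javascript
// Added example, not Shockwave's code: a focus-scoped "keys currently held"
// tracker for a browser game. It never probes global keyboard state; it only
// sees keydown/keyup events the browser delivers to the window it is
// registered on, which is exactly what a keylogger must not be able to do.

function createKeyTracker() {
  const held = new Set();
  return {
    // Implements the EventListener interface, so one object can be registered
    // for keydown, keyup and blur at once (see attachTo below).
    handleEvent(event) {
      switch (event.type) {
        case 'keydown':
          held.add(event.code);
          break;
        case 'keyup':
          held.delete(event.code);
          break;
        case 'blur':
          // Focus left our window: keyup events for keys still down will be
          // delivered elsewhere, so forget everything rather than keep stale,
          // "stuck" keys. Nothing typed in the other window reaches us.
          held.clear();
          break;
        default:
          break;
      }
    },
    isHeld(code) {
      return held.has(code);
    },
    // True only while every key of the chord is down at the same time,
    // e.g. chordHeld('ShiftLeft', 'ControlRight') for an arcade-style input.
    chordHeld(...codes) {
      return codes.length > 0 && codes.every((code) => held.has(code));
    },
    heldKeys() {
      return [...held].sort();
    },
    // Register on a window or element. Returns false when there is no DOM
    // target (e.g. under Node), so the module stays usable in tests.
    attachTo(target) {
      if (!target || typeof target.addEventListener !== 'function') return false;
      for (const type of ['keydown', 'keyup', 'blur']) target.addEventListener(type, this);
      return true;
    },
  };
}

// Constructed sequence standing in for what the browser would deliver to the
// game's window: the player holds a chord, then clicks into another window
// (blur) and types there. Those later keystrokes are never delivered here.
function demo() {
  const tracker = createKeyTracker();
  tracker.handleEvent({ type: 'keydown', code: 'ShiftLeft' });
  tracker.handleEvent({ type: 'keydown', code: 'ControlRight' });
  const chordSeen = tracker.chordHeld('ShiftLeft', 'ControlRight');

  // Focus moves away while the keys are still physically down.
  tracker.handleEvent({ type: 'blur' });
  const stuckAfterBlur = tracker.heldKeys().length;

  // The user now types a password in the other window; the browser does not
  // route those events to us, so the tracker simply never hears about 'KeyP'.
  const sawOtherWindowTyping = tracker.isHeld('KeyP');

  return { chordSeen, stuckAfterBlur, sawOtherWindowTyping };
}

// In a real page this is all the wiring needed; it is a no-op outside a browser.
if (typeof window !== 'undefined') createKeyTracker().attachTo(window);
```

The design point is that the tracker is fed by the browser's focus-aware event routing rather than by asking the system "what keys are down right now", which is the difference between an input feature and a keylogger.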

I was, of course, horrified that I had missed this huge, gaping security hole. So I reported the issue immediately. And then engineering asked me for a user scenario to illustrate how bad it really was. In other words, they needed an explanation of how a keylogger could pose a problem for our users.

Eventually I managed to convince management that this bug had to be fixed ASAP. So they threw some engineering time at it, and the fix got merged into the codebase. But there it languished, because they decided to roll it out with the next scheduled update.

For weeks I arrived at work each morning, checking the external mailing lists to see if any of our customers had noticed the aforementioned huge, gaping security hole.

Eventually, I saw one post from a user who noticed the situation but hadn't grasped its security implications. And when no other user replied to that message, it seemed to disappear with only a shrug.

I think we shipped a dot release about a week later, which included the bugfix. And then I could finally relax about it.
