disabling the family filter on Dailymotion for iPhone/iPad
The bigger implication however, is that injecting one cookie (family_filter=off) into your iPhone/iPad-application will fully disable the family filter for that client. This would be, I suspect, a violation of Apple App Store guidelines. Of course, if people do this for their own devices, nobody cares. However, this issue would allow a competent malicious third party (or a dedicated teenager ;)) to silently enable the viewing of adult material on a device that is expected to be family-safe.
Note that jailbreaking or similar hacks are not needed to exploit this issue. Hijacking traffic at the network level, or simply pointing the iPhone/iPad’s proxy configuration to a specifically prepared server, is enough.
(On a sidenote, the iPad/iPhone app uses an older REST API that does not conform to the current API docs and also does not use HTTPS, making this issue slightly easier to exploit).
Simple working example of such a specifically prepared server:
from twisted.web import server, resource from twisted.internet import reactor from twisted.python import log import sys log.startLogging(sys.stdout) class Simple(resource.Resource): isLeaf = True def render_GET(self, request): request.addCookie( "family_filter", "off", path="/", expires="Tue, 24-Jan-2012 22:26:22 GMT" ) return "{}" site = server.Site(Simple()) reactor.listenTCP(8080, site) reactor.run()
I doubt Dailymotion is the first or only iOS app that can be influenced by getting some cookies in. Will we see more of this?
Can you explain how to do this with steps??
Comment by Max — Aug 22, 2011 5:36:16 AM | # - re
Whats the process to go for this?
Comment by Viky — Aug 27, 2011 4:17:32 AM | # - re
Hi Max, Viky, (I think you’re the same person),
I have no intention to provide a step-by-step for someone who needs more information than is in the blog post above. Sorry about that :)
Comment by peter — Oct 22, 2011 6:33:01 PM | # - re