All posts by Shaun A. Noordin

Web Developer Internship – Oxford 2022

The Zooniverse team in Oxford, UK, is looking for a web developer intern to join us in summer 2022. If you’re looking to learn how to build websites and apps with a team of friendly developers, or if you just want an opportunity to flex your extant coding skills in an environment that loves scientific curiosity, then come have some tea with us!

The team here in the Zooniverse want to welcome more folks into the world of software development, and in turn, we want to learn from the unique ideas and experiences you can share.

You can find the full job details at https://jobs.zooniverse.org/#oxford-web-developer-internship . Note that you don’t need any existing software development skills to apply, just a genuine interest in learning.

Happy Year of the Tiger!

The 1st of February marked the start of Chinese New Year/Lunar New Year celebrations, so we here at the Zooniverse team wanted to wish everyone a happy and prosperous Year of the Tiger!

This year, we’d like to share a fun side project one of our developers (Shaun) created for the Chinese New Year: a small video game where you try to lead a big striped cat to an exit with a laser pointer. While the Zooniverse team takes our scientific work very seriously, we also enjoy doing some really goofy stuff in our free time.

Chinese New Year 2022 - Year of the Tiger greeting card. A man, in a Chinese New Year outfit, is distracting a tiger with a laser pointer. A woman, in the back, attempts to save some vases from being broken. Links to the CNY game-card at https://shaunanoordin.com/cny2022/
Disclaimer: please don’t try to actually play laser tag with real life tigers. 🐅

🎮 Play online at https://shaunanoordin.github.io/cny2022/ or at https://shaunanoordin.com/cny2022/ on any modern web browser.

If you too enjoy programming video games, you can take a look at the source code at https://github.com/shaunanoordin/cny2022 . And hey, if you just enjoy programming in general, be sure to check out https://github.com/zooniverse/ to see what the developers are doing to create a better Zooniverse experience.

Gong Xi Fa Cai (恭喜發財) everyone, and thanks for being part of the Zooniverse! ✨

Fixed Cross-Site Scripting Vulnerability on Project Page’s External Links

We recently fixed a security vulnerability that existed in the external/social links (e.g. to Twitter) of projects. Prior to this fix, it was possible for project owners to do two things: 1. create external links that ran malicious JavaScript code if they were clicked (e.g. allowing attackers to capture a user’s login session), and 2. create a link to a malicious website disguised as a “legitimate” link to a known social website (e.g. a Twitter link that actually directed users to the spoof website “twiitteerrer.com”). Our patches fix both issues, and a follow-up investigation revealed that there is no indication this vulnerability was exploited by anyone.

The security issue was discovered on 11 Dec 2018 during an internal security check. The first patch in the series (addressing the major JavaScript injection vulnerability) was deployed within 6 hours, and the final patch (addressing the relatively less harmful issue of spoof-able social links) was deployed 2 days later.

The fixes for this vulnerability are contained in pull requests #5141, #5142, and #5148 of the Panoptes Front End project on GitHub. Anyone running their own hosted copy of this should pull these changes as soon as possible.

Additional notes on our investigation are as follows:

  • The vulnerability was introduced on 14 May 2015, in pull request 324.
  • Custom links for projects and organisations allowed project builders to cause a user’s browser to execute arbitrary JavaScript by entering URLs like javascript: alert('oh no'); if the user clicked on that link, the JavaScript would run.
  • Malicious JavaScript executed this way could do whatever it wanted on the site, i.e. it could have stolen logged-in users’ API tokens, logged users out and captured their passwords when they logged back in.
  • Theoretically, passwords may have been exposed if malicious JavaScript captured them on login, though this would only impact users that clicked malicious links. Emails may have been exposed, notably if an admin user account was breached.
  • However, we audited the database but could find no evidence (other than our own tests) of this having been done by project owners.
  • Our current solution is to sanitise all external/social links – both when taking input from users and when rendering them on webpages – allowing only standard website URLs to pass.

As a side effect of our fixes, project owners are now unable to add non-standard website URLs to their project’s external links – for example, https://example.com continues to work fine, but mailto:hello@example.com no longer does.
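As an added illustration of the allow-list approach described above (example code written for this post, not the Panoptes Front End patches themselves; the helper names and the accepted social hostnames are assumptions), the same check is applied once on input and again at render time, and it rejects mailto: links exactly as the side effect above describes:

```javascript
// Allow-list sanitiser for project external/social links (example, not Panoptes code).
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Hostnames accepted for each social link type (constructed for this example).
const SOCIAL_HOSTS = {
  twitter: ['twitter.com', 'www.twitter.com'],
  facebook: ['facebook.com', 'www.facebook.com'],
};

// Returns the normalised URL if it is a plain http(s) link, otherwise null.
// The WHATWG URL parser lower-cases the scheme and strips tabs/newlines, so
// "JaVaScRiPt:" and "java\nscript:" are seen as javascript: and rejected;
// relative or unparsable input throws and is rejected too.
function sanitizeExternalUrl(input) {
  if (typeof input !== 'string') return null;
  let url;
  try {
    url = new URL(input.trim());
  } catch (e) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

// Social links must also point at the real site, so a "Twitter" link cannot
// quietly lead to a look-alike domain. Hostname is compared exactly, which
// also rejects "twitter.com.<other-domain>" style prefixes.
function sanitizeSocialUrl(site, input) {
  const href = sanitizeExternalUrl(input);
  const allowedHosts = SOCIAL_HOSTS[site];
  if (href === null || !allowedHosts) return null;
  const { hostname } = new URL(href);
  return allowedHosts.includes(hostname) ? href : null;
}

// Render-side guard: re-check at output time (stored links may predate the
// input check) and fall back to plain text instead of an <a> when rejected.
function renderExternalLink(input, label) {
  const href = sanitizeExternalUrl(input);
  if (href === null) return { tag: 'span', text: label };
  return { tag: 'a', href, text: label, rel: 'noopener noreferrer', target: '_blank' };
}
```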

We apologise for any concern this issue may have caused.