Friday, August 20, 2010

Emerald viewer's login page used as a Denial of Service Attack [Update: Emerald Devs Apologize]

Graphic representation of ddos attack by a giant hand coming down a building marked .com
I have been getting reports that the Emerald Viewer had been using their login page to perform a Denial of Service Attack on . Why they did this is unclear to us now, but it looks like some geek drama at its core that has been going on for some while.

If you look at the source of the google chache of their login page from august 9th you can see that they use a 1px iframe to pull about 20 dynamic page and a dozen images from the site, just to put high load on the targets server.

What is important to note is that they used every Emerald user to participated in this attack. All a Emerald user had to do was just login in the Emerald viewer to be a unsuspecting vector of attack towards . A attack like this results in the target page to become unresponsive, and have massive amounts of bandwidth and cpu cycles wasted. And it should be noted that a Denial of Service attack is a violation of the law in many countries.

From wikipedia: Denial-of-service attacks are considered violations of the IAB's Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.

This should bring up serious doubts to use this viewer if you do, and if you should trust them with your password and to 'do no evil'. I rather forgo the nifty features in Emerald than support behaviour like this.

Update: The Emerald Devs apologize, but it shows a culture of ego boosting that skews the sense of right and wrong.
Two weeks ago, amid an atmosphere of pride and boasting about Emerald traffic, a silly idea was hatched.

This idea was to target a blog owned by a creator of a malicious viewer, and boast of the traffic Emerald has captured. The method for doing this was to add links to the Emerald log in page linked to said blog. Each time anyone logged in, our page loaded up and also the other page loaded up – simply to show off our volume of traffic.

This was not a DDoS. This was a poor attempt at boasting that failed miserably. Once we discovered this, these links were deleted and the dev concerned was disciplined.

The entire Emerald Team offers it’s sincere apologies for concern, panic, worry, mistrust and disappointment felt by our users because of this. I can most strongly assure you that this will not happen again.


The Emerald Dev Team
This apology doesn't make much sense, they wanted to "boast of the traffice Emerald had captured" by sticking 30 links to In no way does this show off their traffic, it sends a thirty fold of their traffic to a random site. If they want to boast their traffic why not make their Stats public.

Even if the site owner it self is making a malicious viewer, it is in incredibly poor taste to use your entire userbase to perform a DDoS attack on it. One crime does not cancel out the other.

Picture of source view of page  
Google cache of Emerald Login page(click only if you want to confirm for yourself)
Denial of service attack
SLU post by site owner
Apology by Emerald Devs