I embedded myself in Afghanistan last week to write an exposé for the Alligator. My adventures in Kabul were thrilling and, at times, dangerous. I would have felt honored being the first UF student to report from a war zone — if the entire trip weren’t a ruse.
Actually, I tinkered with the code Facebook uses to pinpoint people’s locations, which let me “check in” from overseas. The check-ins, coupled with fake images and Wikipedia facts, made my friends think I was in one of the world’s most dangerous regions.
In this column, I’ll explain why I faked the check-in, and I’ll explore a security issue that relates to a February cyberattack against UF students.
First, I’m not a security expert. I’m just a programmer who tries to learn enough to secure his own apps. I wondered how easily I could fake a check-in because my website, www.geopackages.com, uses a similar technology to locate people. Geopackages is a storytelling tool that lets UF students drop virtual packages full of photos and notes on campus. When you travel to fetch a package near Century Tower, for example, you unlock the memories inside it.
To promote this just-for-fun project, I planned to organize an event in which students raced to claim a far-away package. Yet, before introducing a modest cash prize, I needed to know if anyone could teleport himself or herself to the finish line.
The Facebook experiment shows this can be accomplished simply and legally using browser plug-ins: Geolocater and User Agent Switcher. The first helped position me at the Kabul Serena Hotel while the second made Facebook think my laptop was an iPhone.
Eager to continue the prank, I uploaded a picture of my girlfriend in an Indian restaurant in Gainesville. After searching Wikipedia for a popular Afghan dish, I typed, “Caitlin tries kichiri for the first time.”
That’s when the phone rang. “You better be f------ kidding me,” my mom said, laughing. I explained the prank in private because I didn’t want to worry her, but I asked that she pretend I had traveled overseas as a journalist.
By then, some of my most tech-savvy friends believed I was in a war zone. A few called me a “bad a--,” a compliment that was probably unwarranted for a man who was eating a blueberry scone in Starbucks.
Students who aren’t technologically inclined may wonder why this prank can’t be thwarted. To understand the security issue behind the scenes, consider the metaphor of a sushi bar.
You fill out an order slip and hand it to your waiter, who delivers it to the kitchen. A chef then sends back the appropriate meal. Programmers would call the form a “front end” and the kitchen a “back end,” representing computers that process your requests.
Customers who are out of the kitchen staff’s view can tamper with the form. Computers are not always as perceptive as humans when it comes to noticing strange requests. To make matters more complicated, your waiter may be an impostor.
This was the case in February, when an attacker sent an email aimed at stealing UF students’ information. The attacker tried to dupe them into typing their passwords into a form that led to the wrong back end, according to a notice from UF Information Technology.
Because the front end is untrustworthy, the kitchen must have a way of verifying your order, so to speak. As of now, there’s no foolproof way for a website’s servers — the back end — to verify that someone hasn’t altered a location reported by the front end by a browser such as Firefox.
In a world where attackers try to exploit vulnerabilities, it’s nice to know loopholes can help us perform lighthearted magic.
As if protecting our personal info weren’t enough, learning about security grants us the superpower of teleporting from Gainesville to a Middle Eastern palace in the blink of an eye.
Cody Romano is a UF public relations senior. His columns appear Thursdays.
