Bookmarklets on KA
More specific post on the issue here: https://support.khanacademy.org/hc/en-us/community/posts/360078070211-Lost-programs
I was recently contacted by -[XENONIC778]- about a malicious KA bookmarklet, something I predicted would eventually occur about a year ago and have been wary of since to the point of not making any KA bookmarklets which access the KA REST API even in beneficial ways. This KA bookmarklet allegedly gains access to a user's account and deletes all scratchpad objects (programs). The program housing the bookmarklet has since been deleted, so I wasn't able to inspect the code.
This is the first time this has happened, to my knowledge (if you know of any previous instances, please tell me so I can include them), but, the fact is, this is just the tip of the iceberg. Deleting projects is one thing, but many have alternate accounts or fans who have spun off their programs so they can retrieve at least some, especially the more significant ones. What would be worse? With a bookmarklet which gains access to a user's authentication token, a "hacker" could do potentially anything within the limits of the account. KA can't prevent this because the bookmarklet is activated within the domain, so CORS wouldn't stop it.
In addition to deleting all your projects, it wouldn't be very difficult at all for a bookmarklet to delete all of your discussion history. Even worse, it could create new content. This is what nobody has thought of yet. Assuming you have a typical user account, a bookmarklet could spam create inappropriate posts wherever they want. They could create horribly inappropriate programs, possibly releasing them on your subscription page as if you had done so, assuming you have "Sub" or a similar RegEx identifiable title and a clearly marked thread, and they haven't already deleted it. They could even have you send these posts and links to the spam projects to Guardians. The end result would be a quick ban, not only making you lose your programs, discussions, and more on Khan Academy, but also making it impossible for you to fix the damage for about two weeks at minimum, more if you have had previous moderation actions taken on your account, possibly permanently, and the Guardians aren't guaranteed to believe your story of a malicious bookmarklet doing it instead of you.
But even then it gets worse. Let's say this isn't just a little experiment. They want their bookmarklet to be spread to everyone. They can use your account now to vote up their program and flag every other program on the Hotlist. Soon the entire KACP community is seeing it, and a large number are downloading it, due to the positive comments the bookmarklet has forced your account to send.
Now let's say a Guardian sees this bookmarklet and doesn't realize it's malicious intent. I don't know Guardian protocol, so there's a good chance it'd never happen, but imagine if the Guardian downloaded the bookmarklet. The hacker now has access to instant bans, hiding programs, preventing their program from being flagged by Guardian approving it, and si much more.
You're probably worried at this point. These bookmarklet's can be VERY dangerous. But what's the solution? There are good bookmarklets as well as malicious ones. If KA prohibits all bookmarklets to stop the malicious ones, they are inhibiting growth in the web development community of KACP. So what's the answer?
Disallow bookmarklets. But wait, that's not all. In addition to preventing malicious bookmarklets, KA should encourage users to create beneficial ones. I've created bookmarklets before for basic automated user/webpage interaction beyond the session scope. When KA removed backgrounds, I created a bookmarklet to fix that for users who preferred an image. One of KA's most notable bookmarklets is Protonlet, created by Leviathan Programming, to allow a full screen program viewing experience and provide additional information for programs.
So how do we allow the good ones but disallow malicious ones? There aren't many bookmarklets being made at all. There simply aren't enough users interested. I propose KA adds another programming IDE for bookmarklets only. It could be as simple as an HTML format, or a little more advanced. What I imagine is a file for the bookmarklet code and an added file which would hold a short description for the bookmarklet including functionality and resources accessed.
The big difference between the Bookmarklet IDE and the current way users create bookmarklets is bookmarklet programs would be hidden by default and only accessible to the user, not even Guardians so there wouldn't be any worry for account security. When the user is finally finished with the bookmarklet, they can request it to be published, which would release it to the general KA communtity. Bookmarklets with publish requests would be reviewed by a small team of advanced web developers who understand frontend REST API (the KA REST API in particular), DOM, JS, etc. Because there aren't many bookmarklets created already, the review team could be very small. If a certain number of review team members okay the bookmarklet, it can be released. I say several to avoid situations where a member is friends with a bookmarklet creator and assumes their bookmarklet is safe without checking the code diligently.
A few details:
1. A member of the review team cannot review their own publish requests.
2. The review team would inspect code first, before any potential bookmarklet tests.
3. Criteria for the review team would need to be similar to that of Guardians, but also would include a need for greater programming knowledge.
4. Guardians would not, by default, be able to okay publish requests, but they could volunteer to be in the review team as well, which would give them the necessary permissions.
I'm aware this is a lot to ask, especially since the development team is currently working on the Go project (I'm actually learning Go right now so I can better appreciate the work their putting in; thank you so much!), so I'm not asking these requests be implemented right now, or even within this year. For now, disallowing all bookmarklets is the right decision. That being said, I hope the KA team seriously considers this idea and lets the KA user base know.
Thank you for making KA a better place!
Post is closed for comments.