ourbunny is a one man software development shop.

October 27, 2013 at 5:01pm

0 notes

Bunny Droppings on Slide Me →

Bunny Droppings is now available on the SlideMe app store.

October 20, 2013 at 2:27pm

0 notes

Bunny Droppings Release

Last week I released my latest game for Android, Bunny Droppings. It is free, ad-supported (no in app purchases or anything), and available on the Google Play store.

Clumsy Mr. Bunny tripped over the wrong switch in the carrot factory with his big feet. Help him collect as many carrots as possible to fix the mess he made.

May 19, 2013 at 10:29pm

0 notes

PhotoGrabber Security

TLDR: Upgrade to the latest version of PhotoGrabber. Potential security vulnerabilities were discovered in previous versions and the latest (2.100) fixes them.

Login Page

The Facebook Authentication process begins by directing the user to the Facebook Login dialog over HTTPS, like so:

GET /dialog/oauth?client_id={app-id}&redirect_uri=http://example.com/cb
HOST: www.facebook.com

Facebook then redirects the user to the application’s redirect URI, including an authentication token RFC 6749 in the fragment identifier portion of the URL:

HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA

This response is encrypted; the token is protected. The user’s browser then issues the following request to the callback URL (unencrypted):

GET /cb HTTP/1.1
Host: example.com

Notice that the access_token is not included? The fragment identifier portion of a URL is only used on the client side. The application hosted at example.com/cb can now use JavaScript to parse the token from the fragement identifier and make Graph API requests (over HTTPS) to graph.facebook.com.

So the token is not sent over the wire unencrypted, everything is secure right? Wrong. There are 2 problems:

1) Any JavaScript directly included on the example.com/cb page will have access to the window.location.hash variable, which contains the access token and is necessary for the application to function. But if you include JavaScript on the callback page that is hosted on another domain, such as Google Ads or a CDN hosted JavaScript library, then that token can be stolen and used by those domains.

2) Since the callback URI (in this example) is HTTP, a man-in-the-middle could inject custom JavaScript into the callback page to steal the access token.

With this in mind, the PhotoGrabber callback URL now uses HTTPS and does not contain any third party JavaScript or Google Ads.


Another security win in this version of PhotoGrabber is the use of the requests library. I realized that older versions of PhotoGrabber did not actually validate SSL certificates due to the way HTTP requests were made, making them vulnerable to a man-in-the-middle attacks. The requests module fixes this problem and is generally much more pleasant to work with than urllib2.

One problem I encountered when packaging a binary for PhotoGrabber was the inclusion of the root certificate authority certificates. I found it unfortunate that the requests library does not use the operating system certificate store on Windows or OSX, forcing me to modify the packaging script to manually include the root certificate files bundled with requests (the same root certificates that are bundled with Firefox).

An extra side effect of the requests library is that proxy settings can theoretically now be set with environmental variables. I have not tested this on the release builds, but I successfully used this feature during development to inspect application traffic using a burp proxy.


0 notes

PhotoGrabber Changes

On 25 April 2013 I released version 2.100 of PhotoGrabber. This update represents almost exactly a year of effort and a near-complete rewrite, so I feel an explanation of the changes and my motivations are warranted.

Graph API

The original goal for the fork/rewrite was to use Facebook’s Graph API. This seemed like a better choice than FQL for receiving long-term support from Facebook (who’s API changes have been a source of many headaches). It also allows me to directly save the JSON from the Graph API to a file for the HTML metadata viewers. This should make it easier for those developing custom viewers. Finally, the Graph API (on paper) makes paginating through data easier. Of course, the devil is in the details. When requesting tagged photos, the Graph API does not include album information for the photo, so it turned out that I still needed FQL.

And on the subject of pagination, I did many tests to optimize the number of records to retrieve (length parameter) per request. I developed what I now call the George Takei Test. His timeline has many of thousands of photos, each with thousands of likes and comments. This photo of a bridge that casts penis shaped shadows has over 100K likes and 80K comments.

I found that the Graph API consistently returns an undocumented error when requesting non-default values of length on such high activity posts. Consequently, I reverted to the defaults. (As a side note, PhotoGrabber still fails my George Takei Test - my laptop ran out of RAM before all photo metadata could be retrieved…)


The early versions of PhotoGrabber used wxPython for the GUI. I switched to Tkinter as it seemed easier to package with py2exe and py2app. Multiple copy/paste errors, file chooser internationalization issues, and general unattractiveness drove me to look for a better solution. I decided to try and give PySide a try. I’m not going back. The documentation is good, it uses native widgets, and ‘just works’.

Command Line

One of the low-priority feature requests that I decided to implements was a command line interface. This helped a lot when it came to testing. The CLI can list friends, pages, subscriptions, and albums. It can do everything the GUI can do, plus target specific albums. So if you want to setup a cronjob or do some other custom integration, the CLI is your friend.


I received multiple requests to be able to download tagged photos of people who are not friends with the user. I am somewhat skeptical of the intentions of such a feature… It has always been an easy fix, just a problem of integrating it into the GUI without obstructing UI flow. The new wizard GUI has a nice “Advanced” button that will let you type in a person or page name directly.

Folder Organization

Using Qt also offers much better i18n support. Whether your filesystem or the albums you wish to download require unicode characters, PhotoGrabber 2.100 has you covered. I also improved the way duplicate album names are handled by appending the album owner name to the folder. This helps a lot when you are tagged in multiple “Profile Picture” albums.

That pretty much covers it in terms of functional features for version 2.100. My next post will go into detail on security improvements.

May 11, 2013 at 2:55pm

0 notes

PhotoGrabber 2.100 Release

On 25 April I released version 2.100 of PhotoGrabber along with a new project website. Just passed the 4000 downloads mark on this version. A follow up post containing details of the release will be made shortly.