
Genius annotator putting people at risk, researcher says

The web annotator Genius is putting its users at risk by undermining an old but very effective browser security measure. That is according to New York-based software developer Vijith Assar, who in response built Genius Defender, a tool designed to block the Genius annotator.

The annotator is a simple tool: it lets users leave comments on specific parts of a web page. A user first adds the annotator's prefix to any URL. The tool's server then fetches the page from the site supplied and serves back 'hybrid content', the original page plus a few extra scripts and highlighted passages.

So, what seems to be the problem with it? Well, apparently the tool strips the original page's Content Security Policy (CSP) before serving it. A CSP is a response header that tells the browser which script sources a page may run; with the header gone, the browser no longer blocks injected or unauthorised scripts, leaving people exposed to, for example, cross-site scripting (XSS), which allows attackers to execute malicious code in the page.

“This meant that anyone who viewed a page with annotations enabled was potentially vulnerable to security exploits that would have been blocked by the original site,” the author wrote on The Verge.

“Though no specific victims have been identified, the potential scope of this bug was broad: it was applied to all Genius users, undermined any site with a Content Security Policy, and re-enabled all blocked JavaScript code.”
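As an added illustration (not code from Genius or from Assar's report), the following Node.js snippet models the header handling at issue. It compares three ways a proxy can treat a site's Content-Security-Policy header: forwarding it unchanged, dropping it (the behaviour described above), and forwarding it with the annotator's own origin added so the annotator's scripts can still load. The origins, header values and helper names are constructed for the example, and the minimal CSP check only handles origin-level source expressions.

```javascript
// Added example, not Genius's code: models how a proxy that strips
// Content-Security-Policy re-enables script sources the origin site blocked,
// and how a proxy that forwards (and extends) the policy instead does not.
// The origins, header values and helper names below are constructed.

const PAGE_ORIGIN = "https://site.example";           // assumed proxied site
const ANNOTATOR_ORIGIN = "https://annotator.example"; // assumed proxy origin
const ATTACKER_ORIGIN = "https://attacker.example";   // assumed injected script host

// Constructed upstream response headers (lower-cased names, as Node reports them).
const upstreamHeaders = {
  "content-type": "text/html; charset=utf-8",
  "content-security-policy": "default-src 'self'; script-src 'self' https://cdn.example",
};

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// May a script fetched from scriptOrigin run on a page at pageOrigin under
// these headers? Handles only 'self', 'none', '*' and explicit origins, which
// is enough here. No CSP header at all means nothing is blocked.
function cspAllowsScript(headers, pageOrigin, scriptOrigin) {
  const value = headers["content-security-policy"];
  if (value === undefined) return true;
  const policy = parseCsp(value);
  const sources = policy["script-src"] ?? policy["default-src"] ?? ["*"];
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src === "'self'") return scriptOrigin === pageOrigin;
    return src.toLowerCase() === scriptOrigin.toLowerCase();
  });
}

// What the report describes: the proxy drops the site's policy entirely.
function stripCsp(headers) {
  const out = { ...headers };
  delete out["content-security-policy"];
  return out;
}

// A safer proxy: keep the site's policy and only append the annotator's own
// origin to script-src so its injected scripts can load.
function extendCsp(headers, extraOrigin) {
  const value = headers["content-security-policy"];
  if (value === undefined) return { ...headers };
  const policy = parseCsp(value);
  const scriptSrc = policy["script-src"] ?? policy["default-src"] ?? [];
  policy["script-src"] = [...scriptSrc, extraOrigin];
  const rebuilt = Object.entries(policy)
    .map(([name, sources]) => [name, ...sources].join(" "))
    .join("; ");
  return { ...headers, "content-security-policy": rebuilt };
}

// Which origins may run scripts on the page under a given header set.
function scriptOutcomes(headers) {
  return {
    self: cspAllowsScript(headers, PAGE_ORIGIN, PAGE_ORIGIN),
    annotator: cspAllowsScript(headers, PAGE_ORIGIN, ANNOTATOR_ORIGIN),
    attacker: cspAllowsScript(headers, PAGE_ORIGIN, ATTACKER_ORIGIN),
  };
}

console.log("original :", scriptOutcomes(upstreamHeaders));
console.log("stripped :", scriptOutcomes(stripCsp(upstreamHeaders)));
console.log("extended :", scriptOutcomes(extendCsp(upstreamHeaders, ANNOTATOR_ORIGIN)));
```

With the original headers the attacker's origin is blocked; after stripping, every origin is allowed, which is the exposure the report describes; with the extended policy the annotator's origin is allowed and the attacker's is still blocked. One caveat a real proxy would have to handle: once the page is served from the proxy's own origin, `'self'` in the forwarded policy refers to that origin rather than the original site, so the site's own origin would also need to be added explicitly.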

After being notified of the issue, Genius said that the risk of XSS was minimal, “because the web annotator doesn’t store any personal information about its users in between successive page loads, let them log in to accounts, or type sensitive information into web forms.”

Assar says that even if this is true, it does not protect users from other types of exploits, such as forced malware downloads.

The full report, with a detailed explanation of the issue, was published on The Verge.

Sead Fadilpašić

Sead is a freelance journalist with more than 15 years of experience in writing various types of content, from blogs, whitepapers, and reviews to ebooks, and many more, across sites including Al Jazeera Balkans, TechRadar Pro, IT Pro Portal, and CryptoNews.