Phish Tank

October 11, 2006 in Internet, Programming, Security, ruby, software by amit | 4 comments

http://www.phishtank.com is a new service which aims to help weed out phishing URLs and email addresses using wisdom of the crowds. Users can submit emails/URLs which they suspect of fraud and others can vote if they really are fraudulent or not. I think it is a great concept. There is a REST API using which applications can embed this webservice within them. So for example, there could be a outlook plugin which will display “phishy” email addresses in a special way in order to alert the user immediately. Same for web browsers which can render phishing websites in a special stylesheet. The applications can also add interface for the user to submit suspect pages and email easily without using web browsers.

I checked out the API and it does not feel like it is fully baked! There are interfaces for authorization and checking email/url status and submitting new emails/urls. Some things that stand out immediately are:

  • Exclusive use of SSL for the API access.
  • Parameter authentication (i.e. including cryptographic digest of all the parameters to ensure that parameters are not changed using man-in-the-middle attack)
  • Choice of xml or php output.

The api calling sequence works like this:

  1. User registers on the web for API access and gets api key and shared secret
  2. Using the API, application gets a frob (what is behind the name ?) and authorization url using auth.frob.request
  3. User has to authorize the frob using the authorization url specified in the response. (optionally you can specify callback url which the server will call for authorization, I will need to check this from home when I have access to a server — the docs are very thin about the mechanism)
  4. Once authorized, app uses the frob and gets a token for short time API access (30 minutes in my tests) (auth.token.request)
  5. App can check token status which tells remaining time on token.(auth.token.status)
  6. App can revoke the token when it is done using it. (auth.token.revoke)
  7. The APIs for check.url, check.email, submit.url, submit.email then use the token.

I did not understand why there is a need for FROB in this, why can’t you just get the token from api key and shared secret ? What problem are they solving by this indirection ?

Anyway, here is the ruby script that I used for testing this… I am planning to turn this into a module, but providing it here for early access…
phishtank.rb
config.yml

P.S. the check_url interface is not working, I am getting invalid token error. and the same token can be revoked successfully.
P.P.S. The API uses SSL (no cleartext api available) and ruby’s open-uri library insists on checking the server SSL certificate which always fails (probably because signer needs to be trusted by openssl), I had to change it locally to ignore ssl verification in order to proceed.

Update (Oct/12/06): the check.url interface is finally working. For this API, the signature needs to be calculated before escaping the url. I refactored the ruby script a bit to remove redundant code and moved the configuration to a seperate file. I still need to work with the response parser and make it general for all types of responses. XML parsing gets so ugly so fast, it’s amazing!

Related posts:

  1. More about Phishtank API
  2. Check if a site is phishing site.
  3. Rebate tracker use cases
  4. Anonymity on Internet
  5. Wonderful Wonderful email things

Tags: , , , ,

  1. Danny’s avatar

    Danny on March 26, 2009 at 1:45 am

    Hi, I try to run your module.
    I get some errors:
    C:\Documents and Settings\Ruby>ruby phishtank.rb
    C:/Documents and Settings/Ruby/lib/ruby/1.8/net/http.rb:586:in `connect’: certificate verify failed (OpenSSL::SSL::SSLError)
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/net/http.rb:586:in `connect’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/net/http.rb:553:in `do_start’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/net/http.rb:542:in `start’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/open-uri.rb:242:in `open_http’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/open-uri.rb:616:in `buffer_open’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/open-uri.rb:164:in `open_loop’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/open-uri.rb:162:in `catch’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/open-uri.rb:162:in `open_loop’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/open-uri.rb:132:in `open_uri’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/open-uri.rb:518:in `open’
    from C:/Documents and Settings/Ruby/lib/ruby/1.8/open-uri.rb:526:in `read’
    from phishtank.rb:77:in `create_request_parse_response’
    from phishtank.rb:103:in `ping’
    from phishtank.rb:191:in `main’
    from phishtank.rb:205

    how can I fix it?
    Thanks

    Reply

  2. amit’s avatar

    amit on March 26, 2009 at 12:03 pm

    Hi Danny,

    Please refer to the last paragraph, where I mention this exact error. If you have access to open-uri.rb that you can change, take a look at this discussion which tells how to do it:
    http://www.ruby-forum.com/topic/129530

    Other option is a very dirty hack, which you can put at the top of the file:

    require ‘net/https’
    OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

    I have modified my phishtank.rb to reflect this change.

    –Amit

    Reply

  3. Danny’s avatar

    Danny on March 26, 2009 at 10:44 pm

    Thanks!
    I’m a college student. I’m working on a project to evaluate the efficiency of PhishTank.
    I have a question. What should i put in $api_key? How to get it? It is different from app_key, right?
    i put others (username, app_key, shared_secret) in account details with registering a new application

    Reply

  4. Danny’s avatar

    Danny on March 26, 2009 at 10:51 pm

    Another thing is how you get frob in your config.ylm file?
    Can you explain a little bit? Thanks

    Reply