Fooling Google Search Console With Tricky PHP

When [Steve] received a notice from Google that a new owner had been added to his Google Search Console account, he knew something was wrong. He hadn’t added anyone to his account. At first he thought it might be a clever phishing tactic. Maybe the email was trying to get him to click a malicious link. Upon further investigation, he discovered that it was legitimate. Some strange email address had been added to his account. How did this happen?

When you want to add a website to Google’s services, they require that you prove that you own the actual website as a security precaution. One method to provide proof is by uploading an HTML file to your website, or creating one there, with some specific text inside. In this case, the file needed to be called “google1a74e5bf969ded17.html” and it needed to contain the string “google-site-verification: googlea174e5bf969ded17.html”.

[Steve] logged into his web server and looked in the website directory but he couldn’t find the verification file. Out of curiosity, he tried visiting the web page anyway and was surprised to find that it worked. After some experimentation, [Steve] learned that if he tried to load any web page that looked like “googleNNNNNNNN.html”, he would be presented with the corresponding verification code of “google-site-verification: googleNNNNNNNN.html”. Something was automatically generating these pages.

After further investigation, [Steve] found that some malicious PHP code had been added to his website’s index.php page. Unfortunately the code was obfuscated, so he couldn’t determine exactly what was happening. After removing the new code from the index.php file, [Steve] was able to remove the hacker’s email address from [Steve’s] Google account.

This is a very interesting hack, because not only did it allow this one hacker to add himself to [Steve’s] Google account, but it would also have allowed anyone else to do the same thing. This is because each new hacker would have been able to fool Google’s servers into thinking that they had uploaded the verification file thanks to the malicious PHP code. It makes us think that perhaps Google’s verification system should use a separate randomized string inside of the verification file. Perhaps one that can’t be guessed or calculated based on known variables such as the file name.
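A check a site owner can run for the behaviour [Steve] found, as an added example (not code from the original post): it requests verification file names that were never issued and flags the site if one comes back with a matching verification string. The function names, the `fetch` callback and the three simulated sites are assumptions constructed for illustration.

```python
import re
import secrets
import urllib.error
import urllib.request

PREFIX = "google-site-verification: "

def probe_name():
    """A verification file name nobody was issued (random 16 hex digits)."""
    return "google" + secrets.token_hex(8) + ".html"

def answers_unissued_tokens(fetch, attempts=3):
    """True if the site serves a valid-looking verification page for a
    file name that was just made up. fetch(path) -> (status, body)."""
    for _ in range(attempts):
        name = probe_name()
        status, body = fetch("/" + name)
        if status == 200 and body.strip() == PREFIX + name:
            return True
    return False

def http_fetch(base_url):
    """Build a fetch() for a live site you administer."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url + path, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, ""
    return fetch

# Constructed stand-ins for three sites, so the check runs offline.
ISSUED = "google0123456789abcdef.html"  # constructed sample token

def clean_site(path):  # serves only the one file really on disk
    return (200, PREFIX + ISSUED) if path == "/" + ISSUED else (404, "")

def soft_404_site(path):  # answers 200 with a generic page for everything
    return 200, "<html><body>Page not found</body></html>"

def tampered_site(path):  # behaves like the site in the write-up
    m = re.fullmatch(r"/(google[0-9a-f]+\.html)", path)
    return (200, PREFIX + m.group(1)) if m else (404, "")

if __name__ == "__main__":
    for site in (clean_site, soft_404_site, tampered_site):
        print(site.__name__, answers_unissued_tokens(site))
```

Against a real site, pass `http_fetch("https://your-site.example")` as the `fetch` argument; a `True` result means something other than a file on disk is generating the responses.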

Bread Online is a Bread Maker for the Internet of Things

An engineering student at the University of Western Macedonia has just added another appliance to the ever-growing list of Internet enabled things. [Panagiotis] decided to modify an off-the-shelf bread maker to enable remote control via the Internet.

[Panagiotis] had to remove pretty much all of the original control circuitry for this device. The original controller was replaced with an Arduino Uno R3 and an Ethernet shield. The temperature sensor also needed to be replaced, since [Panagiotis] could not find any official documentation describing the specifications of the original. Luckily, the heating element and mixer motor were able to be re-used.

A few holes were drilled into the case to make room for the Ethernet connector as well as a USB connector. Two relays were used to allow the Arduino to switch the heating element and mixer motor on and off. The front panel of the bread maker came with a simple LCD screen and a few control buttons. Rather than let those go to waste, they were also wired into the Arduino.

The Arduino bread maker can be controlled via a web site that runs on a separate server. The website is coded with PHP and runs on Apache. It has a simple interface that allows the user to specify several settings including how much bread is being cooked as well as the desired darkness of the bread. The user can then schedule the bread maker to start. Bread Online also comes with an “offline” mode so that it can be used locally without the need for a computer or web browser. Be sure to check out the video demonstration below.

Automated Aquarium is Kitchen-Sinky

People have been converting their old Power Macs and Mac G5s into fish tanks for a few years now, but [Hayden’s] Internet-enabled tank is probably the most awesome ever crammed into an aquarium along with the water and the fish—and we’ve seen some fascinating builds this summer. After gutting the G5 and covering the basic acrylic work, [Hayden] started piling on the electronics: a webcam, timed LED lighting, an LCD for status readouts, filter and bubble control via a servo, an ultrasonic sensor to measure water levels, thermometer, scrolling matrix display, an automatic feeding mechanism, and more. He even snuck in the G5’s old mainboard solely for a cool backdrop.

The build uses both a Raspberry Pi and an Arduino Mega, which sit underneath the tank at the base. The Pi provides a web interface written in PHP and jQuery, which presents you with the tank’s status and allows changes to some settings. Nearly every component received some form of modification. [Hayden] stripped the webcam of its case and replaced the enclosure with a piece of acrylic and a mountain of silicone, making it both waterproof and slim enough to fit in the appropriate spot. Though he decided to stick with an Amazon-bought Eheim fish feeder, he disabled the unit’s autofeed timer and tapped in to the manual “feed” button to integrate it into his own system.

It’d take half of the front page to explain the rest of this thing. We’ve decided to let the aquarium tell you the rest of its features in the video below. Yeah…it can talk.

This piggy bank is our stock broker

[Johna and Justin] are working to take the emotion out of playing the market. They built this piggy bank which automatically purchases stock when your coinage totals the cost of a single share. That’s right, just turn the selector to one of your three chosen stocks (Google, Facebook, and Apple are used in this example) and plug in some coins. The bank counts your money, compares it to the current online stock price, and pulls the trigger if you have enough dough. You can check out a demo clip after the jump.

The hardware is rather simple thanks to Adafruit’s programmable multi-coin acceptor. It handles the cash and it’s pretty easy to interface with the Arduino which handles the rest of the work. It connects to a computer via USB, depending on a PHP script to poll the current price. We dug through the code repository just a bit but didn’t find the snippet that does the actual stock purchase. Whether or not they actually implemented that, it’s certainly an interesting concept.

Easy web interface with GPIO access runs on Raspberry Pi

Here’s a Raspberry Pi hack that adds web control using PHP and MySQL. As you can see in the image, it serves up a webpage (using the Apache2 server) which allows you to change the state of the GPIO pins. It’s not super-complicated, but it is nice to see a step-by-step guide for installing and configuring the package.

Web interface GPIO control is one of the features we loved about the Adafruit Web IDE. But this offering is loaded completely from the RPi (the Adafruit package uses cloud based code) and utilizes the tools most Linux network admins will be used to. A MySQL database manages the connection between GUI commands and GPIO modification. The webpage is served up by a PHP script which takes care of polling and changing database values. Configuration requires a new database, plus the username and password which has access to it.

Electric Imp makes a cat door Tweet its activities

This Tweeting cat door uses the Electric Imp to read a sensor and report back to the server. The hardware is pretty neat. The board hosts an ARM Cortex-M3 processor and gets on your home network via WiFi. The mini-USB cable simply provides the power. Programming is done over the network. Our own [Brian Benchoff] had a chance to try the Imp out earlier in the Fall.

Monitoring a cat door is as good a reason as any to undertake a project. The hardware added to the board includes a reed switch mounted on the jamb along with a magnet on the door itself. There is also a blue LED that gives a bit of user feedback. The software isn’t quite as easy but it still wasn’t that bad. As with most web-connected projects getting all the parts to talk to each other was a bit of a chore. The Imp reports back to a server on the local network which then activates a PHP script that uses Sen.se to push out a Tweet.

[Thanks Pat]

What you can do when a Raspberry Pi teams up with an Arduino

We thought that connecting an Arduino to a Raspberry Pi was overkill, but one thing caught our attention. [Jan Stevens] mentions that the RPi is less expensive than the Ethernet Shield. Interesting. As we looked into his writeup a bit more we began to think he’s onto something. [Jan] uses the PHP serial class to communicate between the RPi and Arduino. This ends up being a very inexpensive way to bring some of the more powerful web programming options to your hardware devices.

Sure, he’s just driving three RGB LEDs. But the demo video after the break gives us a glimpse at some of the interface options that become available when an embedded Linux machine is in play. He’s using jQuery, AJAX, PHP, and JSON to name a few. If you want to give this a try yourself you can grab the code from his Github repo. Of course we’re going to want to hear about any projects you develop from this starting point!
