Engineering at Prezi

Heartbleed Defeated

Huge issues are rarely the result of one tiny mistake. But when that little error happens to occur within the context of a widely used crypto library, the impact can be catastrophic. I’m writing, of course, about Heartbleed, which by the estimates circulating at the time put as much as two-thirds of the web’s servers at risk.

For those of you without an engineering background: Heartbleed (CVE-2014-0160) was a missing bounds check in the TLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f. A client could send a tiny heartbeat request while claiming it carried a much larger payload, and the server would echo back up to 64 KB of whatever happened to sit next to that request in its memory, with no error logged on either side. Such information might be nothing more than meaningless junk with no context, or, in the worst cases, it could contain session cookies, passwords, or the server’s private key. Fortunately, the evidence indicates that we caught this problem before our users were negatively impacted.
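To make the bug concrete, here is a toy heartbeat responder written as an added illustration for this post; it is not OpenSSL’s code and not anything Prezi ran. It keeps only the RFC 6520 wire layout (type, two-byte payload length, payload, padding) and models “the rest of the server’s memory” as a constructed buffer that happens to hold a made-up session secret right after the received record. The vulnerable responder trusts the claimed length; the fixed one applies the kind of check the patched release shipped.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a TLS heartbeat responder (RFC 6520), added as an
 * illustration; this is not OpenSSL's code. Wire format of a record:
 *   type(1) | payload_length(2, big-endian) | payload(payload_length) | padding(>=16)
 * The peer echoes the payload. The bug is trusting payload_length from the
 * sender instead of checking it against the number of bytes actually received. */

#define HB_HEADER  3
#define HB_PADDING 16

/* Vulnerable responder: copies payload_length bytes from the payload start
 * without ever consulting rec_len, so it reads past the received record into
 * whatever follows it in memory. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* never checked: the bug */
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, payload_len);
    return payload_len;
}

/* Fixed responder, in the spirit of the 1.0.1g patch: silently drop a record
 * whose claimed payload plus header and minimum padding exceeds what arrived. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;  /* too short to be valid */
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER + payload_len + HB_PADDING > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER, payload_len);
    return payload_len;
}

/* Constructed secret (not a real credential) that will live just past the
 * received record, standing in for whatever the server has in memory. */
static const char SECRET[] = "session=0xDEADBEEF";

/* Constructed "process memory": a record carrying a 2-byte payload ("HI")
 * that claims `claimed_len` bytes, then the secret. Returns bytes received. */
static size_t build_arena(uint8_t *arena, size_t cap, uint16_t claimed_len)
{
    size_t n = 0;
    memset(arena, 0, cap);
    arena[n++] = 0x01;                               /* heartbeat_request */
    arena[n++] = (uint8_t)(claimed_len >> 8);
    arena[n++] = (uint8_t)(claimed_len & 0xFF);
    arena[n++] = 'H';
    arena[n++] = 'I';                                /* the real payload */
    memset(arena + n, 0xAA, HB_PADDING);
    n += HB_PADDING;                                 /* 21 bytes on the wire */
    memcpy(arena + n, SECRET, sizeof SECRET);        /* not part of the record */
    return n;
}

/* 1 if the echoed bytes contain SECRET, else 0. */
static int echo_contains_secret(const uint8_t *out, size_t n)
{
    for (size_t i = 0; i + sizeof SECRET <= n; i++)
        if (memcmp(out + i, SECRET, sizeof SECRET) == 0) return 1;
    return 0;
}

struct probe_result { size_t echo_len; int leaked; };

/* Runs one responder against a record claiming `claimed_len` payload bytes. */
struct probe_result probe(size_t (*responder)(const uint8_t *, size_t,
                                               uint8_t *, size_t),
                          uint16_t claimed_len)
{
    uint8_t arena[128], out[128];
    struct probe_result r;
    size_t rec_len = build_arena(arena, sizeof arena, claimed_len);
    r.echo_len = responder(arena, rec_len, out, sizeof out);
    r.leaked = echo_contains_secret(out, r.echo_len);
    return r;
}

int main(void)
{
    struct probe_result r;
    r = probe(heartbeat_vulnerable, 64);
    printf("vulnerable, claims 64:  echoed %zu bytes, leaked=%d\n", r.echo_len, r.leaked);
    r = probe(heartbeat_fixed, 64);
    printf("fixed, claims 64:       echoed %zu bytes, leaked=%d\n", r.echo_len, r.leaked);
    r = probe(heartbeat_fixed, 2);
    printf("fixed, honest length 2: echoed %zu bytes, leaked=%d\n", r.echo_len, r.leaked);
    return 0;
}
```

The point to take away is the shape of the check: the length you validate against must be the number of bytes you actually received, never a length the peer wrote into the message. The fixed version also rejects records too short to hold the mandatory padding, which the original code did not do either.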

Let me jump ahead to the end of the story. We were able to quickly and proactively respond to the threat of Heartbleed and eliminate any risk of unauthorized access to our users’ accounts. But what makes the story interesting is HOW we were able to get it done so fast.

Honest Deadlines

When I was eight years old, I would arrive home from school before my family. I hurried back so I could minimize the time spent on homework and maximize my hours spent watching TV and playing with our Commodore 64. One day, on the journey from the TV to the computer, I accidentally broke one of my mother’s vases. After my initial panic, I resolved to fix the vase with superglue. At the moment I thought of this resolution, in my mind, I was something of a genius, and I was sure my mother would never notice. However, being only eight years old, I had more success gluing my fingers together than the pieces of china.

Prezi Got Pwned: A Tale of Responsible Disclosure

Disclaimer: For purposes of reference, Prezi runs a Bug Bounty Program that invites attacks like the one detailed below.

The emails that arrive in a security engineer’s inbox can be put into three broad categories.

1) Readable
Details of a new Budapest craft beer bar
Links to articles about actual real-life hoverboards

2) Archivable
Announcement on changes to company travel policy
Links to articles about how that whole hoverboard thing was a scam

3) Mutable
Replies to the announcement on changes to the company travel policy
People teasing me about taking the hoverboard thing seriously.

Every now and then there are those emails which fit into the “Shiiiiiit” category.

Prezi – the Land of the Polyglots

“I speak Spanish to God, French to women, English to men, and Japanese to my horse.” —Buckaroo Banzai

Ask any engineer “which programming language is the best?”, and you’ll get crushed by a deluge of answers ranging from stuff they started with in uni to something they read about on a tech blog ten minutes ago. Some will answer with whatever they’re using right now in their job, and a few more will tell you about something they think is going to be big, if only Google/Microsoft/Apple/King would see it for what it is!

We’re living in a multi-platform age. Gone are the days of writing for one operating system, in one or two languages, for only one (primary) client. Take Prezi. We never hire anyone as an “expert” Flash (or even JS) coder, but our product runs primarily on Flash, so a lot of people become one. Nobody really gets to specialize – one week you’re working in C++ (and we’re looking for you if you can too), and next week maybe the team needs you to dig down into JavaScript to get the job done.

Being an engineer/dev in today’s world means being a polyglot. At Prezi, we’ve got at least 14 main languages under our collective belts that people actively work in, day in and day out.

Bug Bounty Controversy Post Mortem - the Egg on Our Face

Sometimes, you get a bit of egg on your face and realize that you’ve got to fix some things. We got egg all over our face; maybe on our shirt too. (http://blog.shubh.am/prezi-bug-bounty/)

(TL;DR: Using simple Google searches, Shubham Shah (a white-hat security researcher) found the credentials to our sandbox artifact repository. It contained only client-side artifacts of the SWF editor UI (which can be reverse-engineered from the editor files) with no server-side code at all. The affected domain was outside the scope of our Bug Bounty Program at the time, so we had a big moral dilemma on our hands, as well as a small security one. We learned from our mistakes, both about the Bug Bounty Program and about publicly accessible internal secrets.)

A Bug in the Bugbounty (Updated)

One of Prezi’s key values has always been that we learn from our mistakes.

The Mistake

A few months ago, we launched a Bug Bounty Program. And because of this program, everyone who uses Prezi is now enjoying a more secure experience. It’s not just us who have benefited: bug hunters around the world have enjoyed a financial reward for every bug that was within the scope of the program, and we’ve paid out more than $13,000 so far.

We recently had a bug pointed out to us by a security researcher (Shubham Shah) that was outside the scope of the program. He found a problem, something that prompted us to change our code base, and we are grateful. We should have shown our appreciation, even though it was outside the program scope. We have already reached out to Shubham to offer both a deserved financial reward and an apology.

The Learning

The program will continue with a limited scope for now, because the subdomains in scope are the high-priority areas we identified, where fixes make Prezi more secure for everyone who uses it. The scope also gives legal protection to any hacker who tests the security of Prezi without hurting the integrity of our users’ information. We absolutely don’t want to encourage people to stray outside of the scope.

However, to improve the program, we will now reward bug hunters who find bugs outside of the scope provided that they do not violate our users’ information and that their report triggers us to improve our code base. We will also retroactively check to see if any other report found issues that fall into this category, and we will pay the people who submitted those reports.

We’ll add more to the scope as the program continues, but we did not want to wait to get started with the bounty hunt until all areas were covered. We thought it more important to deliver value to the people using Prezi as quickly as possible. We achieved that goal as most issues reported were fixed within 24 hours.

We have let down someone from the very community that we reached out to with this program. We’re sorry for that, and will endeavour to do better in the future.

Cash for Hacks

Prezi is a service used to convey information. As a result, we store a lot of information in the cloud. Some of that information is confidential, some of it is sensitive, some of it could change the world (we like to think). That means keeping that information secure is critical for everyone who uses Prezi. If people can’t trust us, we might as well give up now, and as appealing as it sounds to spend long days in our pajamas munching fruit loops, it just won’t pay the rent. To help keep the landlords off our backs, we have a security team that does everything it can to keep our development methodology and services secure. They aren’t a bunch of super hackers who know Kung Fu, but they’re pretty cool. Part of what makes them cool is the fact that they believe in the power of responsible disclosure. Being smart is also cool, and our guys are smart enough to know that mum wasn’t lying when she said two heads are better than one. As if to prove this to everyone, our cool, smart security team are inviting people to hack Prezi. Yeah that’s right, anyone. Hack us, go ahead, try it.

Announcing the Prezi Player API

Every embeddable player needs an API. It’s the bridge between your content and the web page you’re embedding it in, allowing them to function as a single, integrated unit. The end goal is a much richer and unified experience for your users, customers, readers, or fellow travelers on the Information Superhighway. Without an API, it’s like you’re trying to mix oil and water. Why would you do that? It doesn’t even really taste good.

Having said that, we’ve yet to release an API for the Prezi player. That is, until today.

The Prezi Player API allows you to quickly and easily embed a Prezi player into a web page, and then programmatically control it using JavaScript. With this API, you can listen for user interactions and update the state of your embedded Prezi in response. You can even go a step further and write some server-side code to introduce new input methods that can drive user interactions with your Prezi.

Embedding V8 and Enabling Typed Arrays

V8 is one of the fastest JavaScript engines out there. Despite the lack of documentation, V8’s API makes it really easy to embed an ECMAScript interpreter into any C++ application. But a bare interpreter is all you get. If you’re a web developer, you might be surprised by what’s missing when you launch V8 outside of a browser. There’s no window object, there’s no console.log() API, and typed arrays are there but inaccessible. With a little bit of code, you can set up your V8 environment with all the features you expected. Here’s how.