Breaking Code

January 27, 2012

Posting anonymously to Pastebin.com

Filed under: Privacy, Tools, Web applications — Tags: , , , , , , , , , — Mario Vilas @ 6:58 pm

Updated 3-Jun-2013: the API this script was using has been deprecated, and the new one requires credentials to be used. :(

I’m keeping the blog post online for a while as a curiosity, but the technique described here no longer works.


While going through some old code of mine to document it using Epydoc at a friend’s request, I found something funny. Some time ago I made a quick and dirty script to access the Pastebin.com API from Python. Well, it turns out the API has changed quite a bit since then – most importantly, now it requires a mandatory API key that’s linked to a user account (which in turn, if you used OAuth, is linked to your Gmail address or Twitter feed). That means it’s no longer possible to post anonymously using the official API.

Funny thing is, my old script was still working! :) Apparently the folks at Pastebin have left the legacy API still running. The old documentation is gone though, and now even to read the updated documentation you need to log in… :(

Now, this takes care of the API key problem, but there’s still the issue of Pastebin seeing your IP address. An HTTP proxy can fix that… provided you trust that proxy not to store your IP somewhere in the logs. The procedure is simple, just set the HTTP_PROXY environment variable to wherever your proxy is, and voilà! The standard Python module urllib will automatically connect through the proxy.

If you don’t have a trusty HTTP proxy, the best way to go is through the Tor network. You’ll need to install the Tor service itself and the Privoxy HTTP proxy in your machine, then set the HTTP_PROXY variable to 127.0.0.1:8123. This document from the Tor Project explains it in detail.

Once you’ve set up your proxy, download pastebin.py and send a file to Pastebin like this:

    $ python pastebin.py manifesto.txt
    manifesto.txt --> http://pastebin.com/ixSetT5f

The script accepts multiple filenames as well. You can also set the syntax highlighting format (useful for source code, config files or logs) as follows:

    python pastebin.py --format=apache /var/log/apache2/access.log /var/log/apache2/error.log

And set an expiration time, after which it gets automatically deleted. In the following example a SQL dump is uploaded and automatically deleted the next day:

    python pastebin.py dump.sql --format=sql --expire=1D

So, that’s pretty much it. There’s a limit of 512Kb per file uploaded, in order to bypass this you’ll have to split the file into multiple pieces (something similar to this but using pastes instead of URLs). I may do it another day, but for now it’s left as an exercise to the reader. ;)

There’s one thing I don’t quite understand: why did the Pastebin folks think it was necessary to have a mandatory API key? Even if the legacy API had been shut down, it would still be possible to figure out how the web page was doing it and replicate it in Python. The API key being linked to the user account seems a bit strange too… Their intention might be to catch script kiddies uploading illegal stuff, but it may also be an attempt to do data mining on people’s posts. Who knows…

Download


pastebin.py

No longer works!

The Silver is the New Black Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 2,480 other followers