Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-16 Thread Alfred Beese
Some of the replies in this thread are very unfair to the original poster. I have read the news story and have thoroughly read the proof of concepts which in my opinion indicate that this is surely a security vulnerability. I have worked for Lumension as a security consultant for more than

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-16 Thread M Kirschbaum
Gynvael Coldwind, What Alfred has reiterated is that this is a security vulnerability irrespective of whether it qualifies for credit. It is an unusual one, but still a security vulnerability. Anyone who says otherwise is blind, has little or no experience in hands-on security, or either 

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-16 Thread T Imbrahim
Hello... I am an IT security expert for the Emirates National Oil Company. Google is my favourite search engine by far. Now I just read the report about the unrestricted upload issue and I think that the author is right that it is a security problem. This is a vulnerability because file name

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread Michael Smith
I'm just a lurker on the list, which I have always found valuable. But for what it's worth, this thread is an awful bore. Who cares about people's credentials? I'm not asking for administrative intervention, which I hate, but rather that the various entrants in the pissing contest empty

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread M Kirschbaum
I have been watching this thread for a while and I think some people are being hostile here. There is nothing to gain being on either side but for the sake of security. As a penetration tester, writer, and malware analyst with a long and rewarding career... it would be absurd to admit that

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread Mario Vilas
I believe Zalewski has explained very well why it isn't a vulnerability, and you couldn't possibly be calling him hostile. :) On Sat, Mar 15, 2014 at 11:20 AM, M Kirschbaum pr...@yahoo.co.uk wrote: I have been watching this thread for a while and I think some people are being hostile here.

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread antisnatchor
On top of that, Google spent millions of dollars to buy Chrome exploits, sandbox bypasses and webapp bugs. So, if this was a REAL bug with some REAL security impact, I don't think Google wouldn't have paid. They have a REAL budget for that, they are not like Yahoo that sends you a t-shirt. The

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread M Kirschbaum
Dear Mario, There is nothing to gain being on either side. I have already read the thread replies by M. Zalewski. I believe Google is false and does not honor the security community. Rgds, M. Kirschbaum On Saturday, 15 March 2014, 11:11, Mario Vilas mvi...@gmail.com wrote: I

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread Gynvael Coldwind
Hey, I think the discussion digressed a little from the topic. Let's try to steer it back on it. What would make this a security vulnerability is one of the three standard outcomes: - information leak - i.e. leaking sensitive information that you normally do not have access to - remote code

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread Mario Vilas
Thank you. :) On Sat, Mar 15, 2014 at 1:45 PM, Gynvael Coldwind gynv...@coldwind.pl wrote: Hey, I think the discussion digressed a little from the topic. Let's try to steer it back on it. What would make this a security vulnerability is one of the three standard outcomes: - information

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread Mario Vilas
Sockpuppet much? On Sat, Mar 15, 2014 at 2:35 PM, M Kirschbaum pr...@yahoo.co.uk wrote: Gynvael Coldwind, What Alfred has reiterated is that this is a security vulnerability irrespective of whether it qualifies for credit. It is an unusual one, but still a security vulnerability. Anyone

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread Georgi Guninski
Is it possible with the help of Godwin's law this discussion moves offlist? -- guninski On Thu, Mar 13, 2014 at 10:43:50AM +, Nicholas Lemonias. wrote: Google vulnerabilities uncovered...

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-15 Thread Gichuki John Chuksjonia
How the hell did you ever think Google will honor this? By now they could be fixing this issue, they hell don't care about you. On 3/15/14, Georgi Guninski gunin...@guninski.com wrote: Is it possible with the help of Godwin's law this discussion moves offlist? -- guninski On Thu, Mar 13,

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Jerome Athias
Hi I concur that we are mainly discussing a terminology problem. In the context of a Penetration Test or WAPT, this is a Finding. Reporting this finding makes sense in this context. As a professional, you would have to explain if/how this finding is a Weakness*, a Violation (/Regulations,

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Michal Zalewski
Zalewski, Thank you for your e-mail. I welcome all opinions that are backed up by evidence. I am not just a security researcher, I am also an academic in the field and a lecturer. All right :-) Thank you for the overview of the CIA triad. I don't think there's a good probability that our

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Mario Vilas
On Thu, Mar 13, 2014 at 10:30 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: We confirm this to be a valid vulnerability for the following reasons. The access control subsystem is defeated, resulting in arbitrary write access of any file of choice. 1. YouTube defines which file

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Julius Kivimäki
will never know until you try. And we have tried it, and seem to know better. I suggest you read the report again. Thank you. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Thu, Mar 13, 2014 at 7:47 PM Subject: Re: [Full-disclosure

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
, 2014 at 7:47 PM Subject: Re: [Full-disclosure] Google vulnerabilities with PoC To: Julius Kivimäki julius.kivim...@gmail.com Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything you may, or may not be qualified to question amazes. But everyone's opinion is of course respected

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Lemonias. lem.niko...@googlemail.com Date: Thu, Mar 13, 2014 at 7:47 PM Subject: Re: [Full-disclosure] Google vulnerabilities with PoC To: Julius Kivimäki julius.kivim...@gmail.com Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything you may, or may not be qualified

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Zalewski, Thank you for your e-mail. I welcome all opinions that are backed up by evidence. I am not just a security researcher, I am also an academic in the field and a lecturer. However, from an academic perspective, when it comes to certain security designs the mere existence of unvalidated

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Hi Jerome, Thank you for agreeing on access control and separation of duties. However, successful exploitation permits arbitrary write() of any file of choice. I could release exploit code in C Sharp or Python that permits multiple file uploads of any file/types, if the Google security team

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Thanks Michal, We are just trying to improve Google's security and contribute to the research community after all. If you are still on EFNet give me a shout some time. We have done so and consulted to hundreds of clients including Microsoft, Nokia, Adobe and some of the world's biggest

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
: Nicholas Lemonias. lem.niko...@googlemail.com Date: Thu, Mar 13, 2014 at 7:47 PM Subject: Re: [Full-disclosure] Google vulnerabilities with PoC To: Julius Kivimäki julius.kivim...@gmail.com Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything you may, or may not be qualified

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Mario Vilas
Subject: Re: [Full-disclosure] Google vulnerabilities with PoC To: Julius Kivimäki julius.kivim...@gmail.com Julius Kivimaki, your disbelief in OWASP, CEH, Journalists and anything you may, or may not be qualified to question amazes. But everyone's opinion is of course respected. I normally don't

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Pedro Ribeiro
On 13 Mar 2014 14:30, Nicholas Lemonias. lem.niko...@googlemail.com wrote: I suggest you read up on Content Delivery Network Architectures. YouTube.com populates and distributes stored files to multiple servers through a CDN (Content Delivery Architecture), where each video uses more than

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Mario Vilas
But do you have all the required EH certifications? Try this one from the Institute for Certified Application Security Specialists: http://www.asscert.com/ On Fri, Mar 14, 2014 at 7:41 AM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Thanks Michal, We are just trying to improve

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
We are on a different level perhaps. We do certainly disagree on those points. I wouldn't hire you as a consultant if you can't tell whether that is a valid vulnerability. Best Regards, Nicholas Lemonias. On Fri, Mar 14, 2014 at 10:10 AM, Mario Vilas mvi...@gmail.com wrote: But do you have all

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread antisnatchor
Nicholas Lemonias. wrote: Hi Jerome, Thank you for agreeing on access control and separation of duties. However, successful exploitation permits arbitrary write() of any file of choice. I could release exploit code in C Sharp or Python that permits multiple file uploads of any

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Jerome of McAfee has made a very valid point on revisiting separation of duties in this security instance. Happy to see more professionals with some skills. Some others have also mentioned the feasibility of Denial of Service attacks. Remote code execution by Social Engineering is also a

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Nicholas Lemonias.
Live Proof Of Concept == http://upload.youtube.com/?authuser=0upload_id= AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1-- uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin= CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Sergio 'shadown' Alvarez
Dear Nicholas Lemonias, I don't usually get into these scrappy discussions, but yeah, you are on a completely different level if you compare yourself with Mario. You are definitely a web app/metasploit-user guy and pick up a discussion with a binary and memory corruption ninja exploit writer like

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Mario Vilas
On Fri, Mar 14, 2014 at 12:38 PM, Nicholas Lemonias. lem.niko...@googlemail.com wrote: Jerome of McAfee has made a very valid point on revisiting separation of duties in this security instance. Happy to see more professionals with some skills. Some others have also mentioned the

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Mario Vilas
LOL, thanks for the undeserved praise! xD On Fri, Mar 14, 2014 at 2:50 PM, Sergio 'shadown' Alvarez shad...@gmail.com wrote: Dear Nicholas Lemonias, I don't usually get into these scrappy discussions, but yeah, you are on a completely different level if you compare yourself with Mario. You

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Mario Vilas
that the advisory is about writing arbitrary files. If I was your boss I would fire you. -- Forwarded message -- From: Nicholas Lemonias. lem.niko...@googlemail.com Date: Fri, Mar 14, 2014 at 5:43 PM Subject: Re: [Full-disclosure] Google vulnerabilities with PoC To: Mario Vilas

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Alfredo Ortega
Mario has years of experience (more than 10 in fact) in exploit writing and vulnerability assessment. I would consider his position on the subject. If you don't believe me, Argentina extended me certifications that prove that I can tell who has vulnerability assessment skills and who does not.

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Alfredo Ortega
Oh, and this guy Shadown seems pretty knowledgeable too. BTW, now I have to read what this is about, let's see... Alright, from TFA: That means that a door was open for anyone to upload any file of choice. Whether this is a security vulnerability or not, I will leave that to your discretion. Not

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-14 Thread Alfredo Ortega
If he can change the mime type, then he indeed may have an attack vector, e.g. he could upload a complete youtube-lookalike site and snatch credentials. If you can access the fake site via HTTPS with a youtube cert, it's an obvious vulnerability. On 03/14/2014 07:05 AM, Mario Vilas wrote:

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread antisnatchor
I think Adam was right replying that way, so that it's not a security bug. You haven't found anything exploitable. The only reasonable way to 'exploit' the bug is using youtube as a personal storage uploading non-video files to your own profile: so what? It's like saying that you have a normal

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Michal Zalewski
The only reasonable way to 'exploit' the bug is using youtube as a personal storage uploading non-video files to your own profile: so what? That would require a way to retrieve the stored data, which - as I understand - isn't possible here (although the report seems a bit hard-to-parse). From

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Brandon Perry
If you were evil, you could upload huge blobs and just take up space on the Google servers. Who knows what will happen if you upload a couple hundred gigs of files. They don't disappear, they are just unretrievable AFAICT. It is a security risk in the sense that untrusted data is being persisted

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Michal Zalewski
If you were evil, you could upload huge blobs and just take up space on the Google servers. Keep in mind that the upload functionality is there legitimately: you can upload gigabytes of data to YouTube, Drive, Gmail, etc. /mz

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Źmicier Januszkiewicz
: you could upload huge blobs and just take up space on the Google servers. How many people upload gigabytes of crappy videos to Google servers hourly? So far, the DDoS didn't happen for some reason, even considering the number of users. There is a small potential to exploit this via a botnet,

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Brandon Perry
Yes, these are legitimate points. Sent from a computer On Mar 13, 2014, at 12:43 PM, Źmicier Januszkiewicz ga...@tut.by wrote: : you could upload huge blobs and just take up space on the Google servers. How many people upload gigabytes of crappy videos to Google servers hourly? So far,

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread andfarm
On Mar 13, 2014, at 10:33, Brandon Perry bperry.volat...@gmail.com wrote: If you were evil, you could upload huge blobs and just take up space on the Google servers. Who knows what will happen if you upload a couple hundred gigs of files. They don't disappear, they are just unretrievable

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Julius Kivimäki
When did the ability to upload files of arbitrary types become a security issue? If the file doesn't get executed, it's really not a problem. (Aside from potentially breaking the site layout.) 2014-03-13 12:43 GMT+02:00 Nicholas Lemonias. lem.niko...@googlemail.com: Google

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Pedro Ribeiro
Keep in mind that YouTube allows files to be uploaded by definition. What you have achieved is uploading a file with an extension type that is not allowed. It is definitely a vulnerability, but a low-risk one, since you haven't demonstrated whether it has any ill effects. Can you somehow find the URL to

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Nicholas Lemonias.
Here is your answer. https://www.owasp.org/index.php/Unrestricted_File_Upload On Thu, Mar 13, 2014 at 1:39 PM, Julius Kivimäki julius.kivim...@gmail.com wrote: When did the ability to upload files of arbitrary types become a security issue? If the file doesn't get executed, it's really not a

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Nicholas Lemonias.
https://www.google.com/settings/takeout However, the only problem would be to get past Content ID filtering. I suppose encrypting an uploaded file and obfuscating file headers may get past YouTube's Content ID filtering. YouTube is not a File Transfer

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Nicholas Lemonias.
I suggest you read up on Content Delivery Network Architectures. YouTube.com populates and distributes stored files to multiple servers through a CDN (Content Delivery Architecture), where each video uses more than one machine (hosted by a cluster). Less popular video files are normally

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Julius Kivimäki
Did you even read that article? (Not that OWASP has any sort of credibility anyways). From what I saw in your previous post you are both unable to execute the files or even access them and thus unable to manipulate the content-type the files are returned with, therefore there is no vulnerability

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Nicholas Lemonias.
You are wrong about accessing the files. What has not been confirmed is remote code execution. We are working on it. And please, OWASP is recognised worldwide... Files can be accessed through Google Takeout with a little bit of skill. https://www.google.com/settings/takeout

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Julius Kivimäki
OWASP is recognized worldwide, so is CEH and a bunch of other morons. That doesn't mean their publications are worth anything. Now tell me, why would arbitrary file upload on a CDN lead to code execution (Besides for HTML, which you have been unable to confirm)? 2014-03-13 18:16 GMT+02:00

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Nicholas Lemonias.
Hello Julius, I appreciate your interest in learning more. OWASP is quite credible, and has gained some international recognition. It is a benchmark for many vendors. I suggest you read up on the OSI 7-Layer Model. A website may disallow uploads of certain file types for security reasons, and let's

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread J. Tozo
hahahaha you could also send emails to yourself until you fill up Google's storage. Of course it's not a security issue. On Thu, Mar 13, 2014 at 2:33 PM, Brandon Perry bperry.volat...@gmail.com wrote: If you were evil, you could upload huge blobs and just take up space on the Google servers.

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Julius Kivimäki
I don't see what the OSI model has to do with anything here. Why is arbitrary file upload to the YouTube CDN any worse than to the Google Drive CDN? And how will your self-executing encrypted virus like Cryptolocker end up getting executed anyway? And Cryptolocker was definitely not self-executing, but

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Nicholas Lemonias.
So, in terms of permissions, what's the difference between admin.youtube.com and a normal YouTube user? I assume that the admin has a full permission set. If that's the case, that means it is a valid vulnerability for the reason that the integrity of the service is impacted. The YouTube user

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Nicholas Lemonias.
Hello Zalewski, The YouTube service is there to serve harmless media files. The upload functionality is there to upload files legitimately. But what type of files, and who can write those files? What's the difference between a YouTube admin and a YouTube user in terms of permission sets? Why

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Nicholas Lemonias.
The YouTube service is there to serve harmless media files. The upload functionality is there to upload files legitimately. But what type of files, and who can write those files? What's the difference between a YouTube admin (admin.youtube.com) and a YouTube user in terms of permission sets?

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Nicholas Lemonias.
We confirm this to be a valid vulnerability for the following reasons. The access control subsystem is defeated, resulting in arbitrary write access of any file of choice. 1. YouTube defines which file types are permitted to be uploaded. 2. Exploitation is achieved by circumvention of

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Hugh Davenport
On 2014-03-14 10:56, andfarm wrote: On Mar 13, 2014, at 10:33, Brandon Perry bperry.volat...@gmail.com wrote: If you were evil, you could upload huge blobs and just take up space on the Google servers. Who knows what will happen if you upload a couple hundred gigs of files. They don't

Re: [Full-disclosure] Google vulnerabilities with PoC

2014-03-13 Thread Michal Zalewski
Nicholas, I remember my early years in the infosec community - and sadly, so do some of the more seasoned readers of this list :-) Back then, I thought that the only thing that mattered is the ability to find bugs. But after some 18 years in the industry, I now know that there's an even more