Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
It's amazing how much dumber I feel for having read your drivel.
Please for the love of $diety stop posting to this list.
--
W. Scott Lockwood III
AMST Tech (SPI)
GWB2009033817
http://www.shadowplayinternational.org/
There are four boxes to be used in defense of liberty: soap, ballot,
jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
On Fri, Mar 14, 2014 at 9:48 PM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
Go to sleep. You have absolutely no understanding of the vulnerability, nor
you have the facts.
If you want a full report ask Softpedia, because we aint releasing them.
On Fri, Mar 14, 2014 at 8:39 PM, R D rd.secli...@gmail.com wrote:
You are trying to execute an sh script through a video player. That's an
exec() command.
No, it's not. That's an HTTP GET. Do you have such a poor understanding of
how web applications work? Or did you just not read what I said?
So its the wrong way about accessing the file.
This way, which is the standard way to access files on youtube, tells me
the file doesn't exist. You have yet to prove the file you uploaded can be
accessed or executed by anyone. For that matter, you have still to prove it
can be discovered by anyone. That URL is hard to guess.
And you have still to answer all my other questions, and most of the
questions asked to you on this list.
The burden of proof is on you, and you are making a fool of yourself by
answering all the questions here with the same statements, and links to your
PoC that doesn't proves anything, while everybody asks you for more
evidence.
Keep on the (good?) work,
--Rob'
On Fri, Mar 14, 2014 at 9:22 PM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
You are trying to execute an sh script through a video player. That's an
exec() command. So its the wrong way about accessing the file.
On Fri, Mar 14, 2014 at 8:20 PM, R D rd.secli...@gmail.com wrote:
No it's not. As Chris and I are saying, you don't have proof your file
is accessible to others, only that is was uploaded. Now, you see, when you
upload a video to youtube, you get the adress where it will be viewable in
the response. In your case :
{sessionStatus:{state:FINALIZED,externalFieldTransfers:[{name:file,status:COMPLETED,bytesTransferred:113,bytesTotal:113,formPostInfo:{url:http://www.youtube.com/upload/rupio?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026file_id=000,cross_domain_url:http://upload.youtube.com/?authuser=0\u0026upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw\u0026origin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw},content_type:text/x-sh}],additionalInfo:{uploader_service.GoogleRupioAdditionalInfo:{completionInfo:{status:SUCCESS,customerSpecificInfo:{status:
ok, video_id:
KzKDtijwHFI,upload_id:AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aw}}
And what do we get when we browse to
https://youtube.com/watch?v=KzKDtijwHFI ?
Nothing.
Can you send me a link where I can access the file content of the
arbitrary file you uploaded?
Are you sure this json response, or this file, will be there in a month?
Or in a year? Is the fact that this json response exists a threat to
youtube? Can you quantify how of a threat? How much, in dollars, does it
hurt their business?
--Rob
On Fri, Mar 14, 2014 at 9:08 PM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
My claim is now verified
Cheers!
On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
http://upload.youtube.com/?authuser=0upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
That information can be queried from the db, where the metadata are
saved. The files are being saved persistently , as per the above example.
On Fri, Mar 14, 2014 at 8:04 PM, Nicholas Lemonias.
lem.niko...@googlemail.com wrote:
http://upload.youtube.com/?authuser=0upload_id=AEnB2UqVZlaog3GremriQEGDoUK3cdGGPu9MVIfyObgYajjo6i1--uQicn6jhbwsdNrqSF4ApbUbhCcwzdwe4xf_XTbL_t5-aworigin=CiNodHRwOi8vd3d3LnlvdXR1YmUuY29tL3VwbG9hZC9ydXBpbxINdmlkZW8tdXBsb2Fkcw
That information can be queried from the db, where the metadata are
saved. The files are being saved persistently , as per the above
example.
On Fri, Mar 14, 2014 at 8:00 PM, Chris Thompson
christhom7...@gmail.com wrote:
Hi Nikolas,
Please do read (and understand) my entire email before responding -
I understand your frustration trying to get your message across but
maybe
this will help.
Please put aside professional pride for the time being - I know how
it feels to be passionate about something yet have others simply not
understand.
Let me try and bring some sanity to the discussion
Re: [Full-disclosure] [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application
Hilarious. If I were just plain ignoring the PCI DSS, I'd want to hide evidence of it, too. If you really want to ruin their day, report this to VISA. -- W. Scott Lockwood III GWB20090338817 AMST Tech On Dec 17, 2013 3:12 AM, Fyodor fyo...@nmap.org wrote: On Fri, Dec 6, 2013 at 8:07 PM, Daniel Wood daniel.w...@owasp.org wrote: Title: [CVE-2013-6986] Insecure Data Storage in Subway Ordering for California (ZippyYum) 3.4 iOS mobile application Reported to Vendor: May 2013 CVE Reference: CVE-2013-6986 Apparently you touched a nerve! If the legal threats we received for archiving this security advisory on SecLists.org are any indication, ZippyYum really doesn't want anyone to know they were storing users' credit card info (including security code) and passwords in cleartext on their phones. Please remove this information from your website immediately in order at avoid further legal action. --Mikken Tutton, CEO of ZippyYum client IntersecWorldWide Of course we have ignored the threats and kept the advisory proudly posted at: http://seclists.org/fulldisclosure/2013/Dec/39 Here are the legal threats we received today and last Wednesday: -- Forwarded message -- From: Mikken Tutton mikken.tut...@intersecworldwide.com Date: Mon, Dec 16, 2013 at 1:33 PM Subject: Fwd: To: jo...@grok.org.uk, fyo...@nmap.org, hostmas...@insecure.org Dear Webmaster, We contacted you last week regarding some private information about our client that you have posted on your website, in violation of Non-Disclosure agreements we have in place with our customer Zippy Yum. We are requesting that this information be removed immediately. The information to which I am referring is located on this page of your website: http://seclists.org/fulldisclosure/2013/Dec/39 We would appreciate the courtesy of a response to our email within 48 hours so we can resolve this issue. If we do not receive a response, we will turn this matter over to our attorney for legal action. Thank you for your prompt attention to this matter. Sincerely, Mikken Tutton CEO -- Forwarded message -- From: Mikken Tutton mikken.tut...@intersecworldwide.com Date: Wed, Dec 11, 2013 at 11:03 AM Subject: Re: To: fyo...@nmap.org Cc: jo...@grok.org.uk Dear Mr. Lyon, It has come to my attention that the attached information is posted on your website about one of our clients. However, this information was released to you with out authorization and is protected by the Non-Disclosure Agreements we have in place, both with our client and also with the contractor who submitted the information to your website in violation of said NDA. Please remove this information from your website immediately in order at avoid further legal action. Attached is a screen shot of the client information I am referring to. Please advise if you have any questions. We appreciate your prompt attention to this matter. Thank you. Sincerely, Mikken Tutton CEO ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] how do I know the fbi is followin
Beware hippies. Especially red headed ones. Why, just the other day, my phone picked up the FBI surveilance van. I'm sure it was looking for anyone from New Jersey, since I was next to a Jersey Mike's sub shop in Lisle, Il. Starbuck's is a known CIA front. The ashen taste of their coffee is the uncoverable flavor of nanobots designed to track you. Flouride has no scientificly proven benefit to dental health, but it does make you trackable by government satilite. Beware anyone not of the Church of the Subgenius. Hail Bob! On Mar 3, 2013 7:59 AM, Kenneth Stox k...@stox.org wrote: This is an Urban Myth. Now then, if the SSID says something like linksys or 2WIRE###, then I would get worried. On Sat, 2013-03-02 at 18:29 -0800, Reed Loden wrote: Check your nearby WiFi SSIDs for FBI Surveillance Van. That's always a dead giveaway that you're being monitored. ;) ~reed ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
