Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
In any case i wonder how much google is going to respect corporate, industry secret or all that stuff you don't want them to know with google wave. Best thing to do is not to use that. I really doubt that it is an improvement and i think i will hardly ever need it. Is just more fanboi food. (knowing gmail how i know it and left for public stuff only how i left it) On Thu, Jan 21, 2010 at 5:28 AM, dramacrat yirim...@gmail.com wrote: inb4 front page news 2010/1/21 bugt...@cgisecurity.net Well, that's exactly what I'm saying. Pretending that this is some kind new exploit class simply because Google Wave is used is stupid. This is the logical extension of e-mail and instant message and social network attacks to the next potential platform. Following in the history of the security community, we should coin a buzzword on this old issue with a new spin. WaveJacking sounds like a perfect fit. /sarcasm On Tue, Jan 19, 2010 at 8:10 PM, valdis.kletni...@vt.edu wrote: On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said: Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether its via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine. Let's see.. *HOW* many years ago did we first see e-mail based viruses that depended on people opening them because they came from people they already knew? 'CHRISTMA EXEC' in 1984 comes to mind. The problem here is that Google Wave is for *collaboration* - which means that you're communicating with people you already know, and presumably trust to some degree or other. Hey Joe, look at this PDF and tell me what you think is something reasonable when the request comes from somebody who Joe knows and who has sent Joe PDF's in the past. I guarantee that if every time you receive a document that appears to be from your boss, you call back and ask if they really intended to send a document or if it's a virus, your boss will get very cranky with you very fast. Let's look at that original advisory again: An attacker could upload his malware to a wave and share it to his Google Wave contacts. Now change that to An attacker could trick/pwn some poor victim into uploading the malware to a wave Hilarity ensues. --000e0cd2e002580025047da0b22e Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Well, that#39;s exactly what I#39;m saying.=A0 Pretending that this is so= me kind new exploit class simply because Google Wave is used is stupid.=A0 = This is the logical extension of e-mail and instant message and social netw= ork attacks to the next potential platform.br br-- Rohit Patnaikbrbrdiv class=3Dgmail_quoteOn Tue, Jan 19, 2010= at 8:10 PM, span dir=3Dltrlt;a href=3Dmailto: valdis.kletni...@vt.e= duvaldis.kletni...@vt.edu/agt;/span wrote:brblockquote class=3Dg= mail_quote style=3Dborder-left: 1px solid rgb(204, 204, 204); margin: 0pt= 0pt 0pt 0.8ex; padding-left: 1ex; div class=3DimOn Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:br gt; Yeah, no kidding. =A0Surprise! Untrusted files can be malicious. =A0If= youbr gt; accept files from those whom you do not trust, whether its via e-mail,= br gt; instant message, Google Wave, or physical media, you well and truly de= servebr gt; the virus that#39;ll eventually infect your machine.br br /divLet#39;s see.. *HOW* many years ago did we first see e-mail based vi= ruses thatbr depended on people opening them because they came from people they already= br knew? =A0#39;CHRISTMA EXEC#39; in 1984 comes to mind.br br The problem here is that Google Wave is for *collaboration* - which meansb= r that you#39;re communicating with people you already know, and presumably= br trust to some degree or other. quot;Hey Joe, look at this PDF and tell me= br what you thinkquot; is something reasonable when the request comes from so= mebodybr who Joe knows and who has sent Joe PDF#39;s in the past.br br I guarantee that if every time you receive a document that appears to be fr= ombr your boss, you call back and ask if they really intended to send a document= orbr if it#39;s a virus, your boss will get very cranky with you very fast.br br Let#39;s look at that original advisory again:br div class=3Dimbr gt;gt; An attacker could upload his malware to a wave and share it to his= br gt;gt; Google Wave contacts.br br /divNow change that to quot;An attacker could trick/pwn some poor victim= into uploadingbr the malware to a wavequot; =A0Hilarity ensues.br br br br /blockquote/divbr --000e0cd2e002580025047da0b22e-- --===1022691582== Content-Type: text/plain;
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
is this really supposed to work? http://i45.tinypic.com/nds8lx.png I don't see much wrong here, isn't it doing exactly what it's supposed to do? Display the data given in the xml? -- Founder/Activist http://fusecurity.com/ | Free Security Technology ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
Well, that's exactly what I'm saying. Pretending that this is some kind new exploit class simply because Google Wave is used is stupid. This is the logical extension of e-mail and instant message and social network attacks to the next potential platform. Following in the history of the security community, we should coin a buzzword on this old issue with a new spin. WaveJacking sounds like a perfect fit. /sarcasm On Tue, Jan 19, 2010 at 8:10 PM, valdis.kletni...@vt.edu wrote: On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said: Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether its via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine. Let's see.. *HOW* many years ago did we first see e-mail based viruses that depended on people opening them because they came from people they already knew? 'CHRISTMA EXEC' in 1984 comes to mind. The problem here is that Google Wave is for *collaboration* - which means that you're communicating with people you already know, and presumably trust to some degree or other. Hey Joe, look at this PDF and tell me what you think is something reasonable when the request comes from somebody who Joe knows and who has sent Joe PDF's in the past. I guarantee that if every time you receive a document that appears to be from your boss, you call back and ask if they really intended to send a document or if it's a virus, your boss will get very cranky with you very fast. Let's look at that original advisory again: An attacker could upload his malware to a wave and share it to his Google Wave contacts. Now change that to An attacker could trick/pwn some poor victim into uploading the malware to a wave Hilarity ensues. --000e0cd2e002580025047da0b22e Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Well, that#39;s exactly what I#39;m saying.=A0 Pretending that this is so= me kind new exploit class simply because Google Wave is used is stupid.=A0 = This is the logical extension of e-mail and instant message and social netw= ork attacks to the next potential platform.br br-- Rohit Patnaikbrbrdiv class=3Dgmail_quoteOn Tue, Jan 19, 2010= at 8:10 PM, span dir=3Dltrlt;a href=3Dmailto:valdis.kletni...@vt.e= duvaldis.kletni...@vt.edu/agt;/span wrote:brblockquote class=3Dg= mail_quote style=3Dborder-left: 1px solid rgb(204, 204, 204); margin: 0pt= 0pt 0pt 0.8ex; padding-left: 1ex; div class=3DimOn Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:br gt; Yeah, no kidding. =A0Surprise! Untrusted files can be malicious. =A0If= youbr gt; accept files from those whom you do not trust, whether its via e-mail,= br gt; instant message, Google Wave, or physical media, you well and truly de= servebr gt; the virus that#39;ll eventually infect your machine.br br /divLet#39;s see.. *HOW* many years ago did we first see e-mail based vi= ruses thatbr depended on people opening them because they came from people they already= br knew? =A0#39;CHRISTMA EXEC#39; in 1984 comes to mind.br br The problem here is that Google Wave is for *collaboration* - which meansb= r that you#39;re communicating with people you already know, and presumably= br trust to some degree or other. quot;Hey Joe, look at this PDF and tell me= br what you thinkquot; is something reasonable when the request comes from so= mebodybr who Joe knows and who has sent Joe PDF#39;s in the past.br br I guarantee that if every time you receive a document that appears to be fr= ombr your boss, you call back and ask if they really intended to send a document= orbr if it#39;s a virus, your boss will get very cranky with you very fast.br br Let#39;s look at that original advisory again:br div class=3Dimbr gt;gt; An attacker could upload his malware to a wave and share it to his= br gt;gt; Google Wave contacts.br br /divNow change that to quot;An attacker could trick/pwn some poor victim= into uploadingbr the malware to a wavequot; =A0Hilarity ensues.br br br br /blockquote/divbr --000e0cd2e002580025047da0b22e-- --===1022691582== Content-Type: text/plain; charset=us-ascii MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ --===1022691582==-- http://www.cgisecurity.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
inb4 front page news 2010/1/21 bugt...@cgisecurity.net Well, that's exactly what I'm saying. Pretending that this is some kind new exploit class simply because Google Wave is used is stupid. This is the logical extension of e-mail and instant message and social network attacks to the next potential platform. Following in the history of the security community, we should coin a buzzword on this old issue with a new spin. WaveJacking sounds like a perfect fit. /sarcasm On Tue, Jan 19, 2010 at 8:10 PM, valdis.kletni...@vt.edu wrote: On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said: Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether its via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine. Let's see.. *HOW* many years ago did we first see e-mail based viruses that depended on people opening them because they came from people they already knew? 'CHRISTMA EXEC' in 1984 comes to mind. The problem here is that Google Wave is for *collaboration* - which means that you're communicating with people you already know, and presumably trust to some degree or other. Hey Joe, look at this PDF and tell me what you think is something reasonable when the request comes from somebody who Joe knows and who has sent Joe PDF's in the past. I guarantee that if every time you receive a document that appears to be from your boss, you call back and ask if they really intended to send a document or if it's a virus, your boss will get very cranky with you very fast. Let's look at that original advisory again: An attacker could upload his malware to a wave and share it to his Google Wave contacts. Now change that to An attacker could trick/pwn some poor victim into uploading the malware to a wave Hilarity ensues. --000e0cd2e002580025047da0b22e Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Well, that#39;s exactly what I#39;m saying.=A0 Pretending that this is so= me kind new exploit class simply because Google Wave is used is stupid.=A0 = This is the logical extension of e-mail and instant message and social netw= ork attacks to the next potential platform.br br-- Rohit Patnaikbrbrdiv class=3Dgmail_quoteOn Tue, Jan 19, 2010= at 8:10 PM, span dir=3Dltrlt;a href=3Dmailto: valdis.kletni...@vt.e= duvaldis.kletni...@vt.edu/agt;/span wrote:brblockquote class=3Dg= mail_quote style=3Dborder-left: 1px solid rgb(204, 204, 204); margin: 0pt= 0pt 0pt 0.8ex; padding-left: 1ex; div class=3DimOn Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:br gt; Yeah, no kidding. =A0Surprise! Untrusted files can be malicious. =A0If= youbr gt; accept files from those whom you do not trust, whether its via e-mail,= br gt; instant message, Google Wave, or physical media, you well and truly de= servebr gt; the virus that#39;ll eventually infect your machine.br br /divLet#39;s see.. *HOW* many years ago did we first see e-mail based vi= ruses thatbr depended on people opening them because they came from people they already= br knew? =A0#39;CHRISTMA EXEC#39; in 1984 comes to mind.br br The problem here is that Google Wave is for *collaboration* - which meansb= r that you#39;re communicating with people you already know, and presumably= br trust to some degree or other. quot;Hey Joe, look at this PDF and tell me= br what you thinkquot; is something reasonable when the request comes from so= mebodybr who Joe knows and who has sent Joe PDF#39;s in the past.br br I guarantee that if every time you receive a document that appears to be fr= ombr your boss, you call back and ask if they really intended to send a document= orbr if it#39;s a virus, your boss will get very cranky with you very fast.br br Let#39;s look at that original advisory again:br div class=3Dimbr gt;gt; An attacker could upload his malware to a wave and share it to his= br gt;gt; Google Wave contacts.br br /divNow change that to quot;An attacker could trick/pwn some poor victim= into uploadingbr the malware to a wavequot; =A0Hilarity ensues.br br br br /blockquote/divbr --000e0cd2e002580025047da0b22e-- --===1022691582== Content-Type: text/plain; charset=us-ascii MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ --===1022691582==-- http://www.cgisecurity.com/ ___ Full-Disclosure - We
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
Lol. Everyone keeps forgetting the social engineering aspects of utilizing exploits. Especially if someone is using AntiVirus 2011 and has a google wave account. On Tue, Jan 19, 2010 at 8:10 PM, valdis.kletni...@vt.edu wrote: On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said: Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether its via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine. Let's see.. *HOW* many years ago did we first see e-mail based viruses that depended on people opening them because they came from people they already knew? 'CHRISTMA EXEC' in 1984 comes to mind. The problem here is that Google Wave is for *collaboration* - which means that you're communicating with people you already know, and presumably trust to some degree or other. Hey Joe, look at this PDF and tell me what you think is something reasonable when the request comes from somebody who Joe knows and who has sent Joe PDF's in the past. I guarantee that if every time you receive a document that appears to be from your boss, you call back and ask if they really intended to send a document or if it's a virus, your boss will get very cranky with you very fast. Let's look at that original advisory again: An attacker could upload his malware to a wave and share it to his Google Wave contacts. Now change that to An attacker could trick/pwn some poor victim into uploading the malware to a wave Hilarity ensues. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
That's what I said about human error, scanning is no solution unless a clear UI is used which makes social engineering practically impossible. On Wed, Jan 20, 2010 at 5:29 PM, omg wtf hexma...@gmail.com wrote: Lol. Everyone keeps forgetting the social engineering aspects of utilizing exploits. Especially if someone is using AntiVirus 2011 and has a google wave account. On Tue, Jan 19, 2010 at 8:10 PM, valdis.kletni...@vt.edu wrote: On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said: Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether its via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine. Let's see.. *HOW* many years ago did we first see e-mail based viruses that depended on people opening them because they came from people they already knew? 'CHRISTMA EXEC' in 1984 comes to mind. The problem here is that Google Wave is for *collaboration* - which means that you're communicating with people you already know, and presumably trust to some degree or other. Hey Joe, look at this PDF and tell me what you think is something reasonable when the request comes from somebody who Joe knows and who has sent Joe PDF's in the past. I guarantee that if every time you receive a document that appears to be from your boss, you call back and ask if they really intended to send a document or if it's a virus, your boss will get very cranky with you very fast. Let's look at that original advisory again: An attacker could upload his malware to a wave and share it to his Google Wave contacts. Now change that to An attacker could trick/pwn some poor victim into uploading the malware to a wave Hilarity ensues. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
Well, that's exactly what I'm saying. Pretending that this is some kind new exploit class simply because Google Wave is used is stupid. This is the logical extension of e-mail and instant message and social network attacks to the next potential platform. -- Rohit Patnaik On Tue, Jan 19, 2010 at 8:10 PM, valdis.kletni...@vt.edu wrote: On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said: Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether its via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine. Let's see.. *HOW* many years ago did we first see e-mail based viruses that depended on people opening them because they came from people they already knew? 'CHRISTMA EXEC' in 1984 comes to mind. The problem here is that Google Wave is for *collaboration* - which means that you're communicating with people you already know, and presumably trust to some degree or other. Hey Joe, look at this PDF and tell me what you think is something reasonable when the request comes from somebody who Joe knows and who has sent Joe PDF's in the past. I guarantee that if every time you receive a document that appears to be from your boss, you call back and ask if they really intended to send a document or if it's a virus, your boss will get very cranky with you very fast. Let's look at that original advisory again: An attacker could upload his malware to a wave and share it to his Google Wave contacts. Now change that to An attacker could trick/pwn some poor victim into uploading the malware to a wave Hilarity ensues. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
_ Security Advisory NSOADV-2010-002 _ _ Title: Google Wave Design Bugs Severity: Low Advisory ID:NSOADV-2010-002 Found Date: 16.11.2009 Date Reported: 18.11.2009 Release Date: 19.01.2010 Author: Nikolas Sotiriu (lofi) Mail: nso-research at sotiriu.de URL:http://sotiriu.de/adv/NSOADV-2010-002.txt Vendor: Google (http://www.google.com/) Affected Products: Google Wave Preview (Date: = 14.01.2010) Not Affected Component: Google Wave Preview (Date: = 14.01.2010) Remote Exploitable: Yes Local Exploitable: No Patch Status: partially patched Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: === Google Wave is an online tool for real-time communication and collaboration. A wave can be both a conversation and a document where people can discuss and work together using richly formatted text, photos, videos, maps, and more. (Product description from Google Website) Description: All this possible attacks are the result of playing 4 hours with Google Wave. I didn't check all the funny stuff, which is possible with the Wave. 1. Gadget phishing attack: -- The Google Wave Gadget API can be used for phishing attacks. An attacker can build his own phishing Gadget, share it with his Google Wave contacts an hopefully get the login credentials from a user. This behavior is normal. The Problem is, that this bug makes it easier to steal logins. 2. Virus spreading attack: -- Uploads Files are not scanned for malicious code. An attacker could upload his malware to a wave and share it to his Google Wave contacts. Proof of Concept : == A proof of concept gadget can be found here: http://sotiriu.de/demos/phgadget.xml Solution: = 1. No changes made here. Workaround: Don't trust Waves. 2. Google builds in AV scanning. Disclosure Timeline (/MM/DD): = 2009.11.16: Vulnerability found 2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.12.03) to Vendor 2009.11.23: Vendor response 2009.12.01: Ask for a status update, because the planned release date is 2009.12.03. 2009.12.03: Google Security Team asks for 2 more week to patch. 2009.12.03: Changed release date to 2009.12.17. 2009.12.15: Ask for a status update, because the planned release date is 2009.12.17. = No Response 2009.12.21: Ask for a status update. 2009.12.29: Google Security Team informs me, that there are no changes made before 2010.01.03. 2010.01.14: Google Security Team informs me, that uploaded files will be now scanned for malware. Google Gadgets will be not updated. 2010.01.19: Release of this Advisory ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
This is the stupidest advisory I have read on this list in at least two months. 2010/1/19 NSO Research nso-resea...@sotiriu.de _ Security Advisory NSOADV-2010-002 _ _ Title: Google Wave Design Bugs Severity: Low Advisory ID:NSOADV-2010-002 Found Date: 16.11.2009 Date Reported: 18.11.2009 Release Date: 19.01.2010 Author: Nikolas Sotiriu (lofi) Mail: nso-research at sotiriu.de URL:http://sotiriu.de/adv/NSOADV-2010-002.txt Vendor: Google (http://www.google.com/) Affected Products: Google Wave Preview (Date: = 14.01.2010) Not Affected Component: Google Wave Preview (Date: = 14.01.2010) Remote Exploitable: Yes Local Exploitable: No Patch Status: partially patched Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: === Google Wave is an online tool for real-time communication and collaboration. A wave can be both a conversation and a document where people can discuss and work together using richly formatted text, photos, videos, maps, and more. (Product description from Google Website) Description: All this possible attacks are the result of playing 4 hours with Google Wave. I didn't check all the funny stuff, which is possible with the Wave. 1. Gadget phishing attack: -- The Google Wave Gadget API can be used for phishing attacks. An attacker can build his own phishing Gadget, share it with his Google Wave contacts an hopefully get the login credentials from a user. This behavior is normal. The Problem is, that this bug makes it easier to steal logins. 2. Virus spreading attack: -- Uploads Files are not scanned for malicious code. An attacker could upload his malware to a wave and share it to his Google Wave contacts. Proof of Concept : == A proof of concept gadget can be found here: http://sotiriu.de/demos/phgadget.xml Solution: = 1. No changes made here. Workaround: Don't trust Waves. 2. Google builds in AV scanning. Disclosure Timeline (/MM/DD): = 2009.11.16: Vulnerability found 2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.12.03) to Vendor 2009.11.23: Vendor response 2009.12.01: Ask for a status update, because the planned release date is 2009.12.03. 2009.12.03: Google Security Team asks for 2 more week to patch. 2009.12.03: Changed release date to 2009.12.17. 2009.12.15: Ask for a status update, because the planned release date is 2009.12.17. = No Response 2009.12.21: Ask for a status update. 2009.12.29: Google Security Team informs me, that there are no changes made before 2010.01.03. 2010.01.14: Google Security Team informs me, that uploaded files will be now scanned for malware. Google Gadgets will be not updated. 2010.01.19: Release of this Advisory ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
Apparently not. Read Google's Response: 2010.01.14: Google Security Team informs me, that uploaded files will be now scanned for malware. Google Gadgets will be not updated. On Tue, Jan 19, 2010 at 7:11 AM, dramacrat yirim...@gmail.com wrote: This is the stupidest advisory I have read on this list in at least two months. 2010/1/19 NSO Research nso-resea...@sotiriu.de _ Security Advisory NSOADV-2010-002 _ _ Title: Google Wave Design Bugs Severity: Low Advisory ID:NSOADV-2010-002 Found Date: 16.11.2009 Date Reported: 18.11.2009 Release Date: 19.01.2010 Author: Nikolas Sotiriu (lofi) Mail: nso-research at sotiriu.de URL:http://sotiriu.de/adv/NSOADV-2010-002.txt Vendor: Google (http://www.google.com/) Affected Products: Google Wave Preview (Date: = 14.01.2010) Not Affected Component: Google Wave Preview (Date: = 14.01.2010) Remote Exploitable: Yes Local Exploitable: No Patch Status: partially patched Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: === Google Wave is an online tool for real-time communication and collaboration. A wave can be both a conversation and a document where people can discuss and work together using richly formatted text, photos, videos, maps, and more. (Product description from Google Website) Description: All this possible attacks are the result of playing 4 hours with Google Wave. I didn't check all the funny stuff, which is possible with the Wave. 1. Gadget phishing attack: -- The Google Wave Gadget API can be used for phishing attacks. An attacker can build his own phishing Gadget, share it with his Google Wave contacts an hopefully get the login credentials from a user. This behavior is normal. The Problem is, that this bug makes it easier to steal logins. 2. Virus spreading attack: -- Uploads Files are not scanned for malicious code. An attacker could upload his malware to a wave and share it to his Google Wave contacts. Proof of Concept : == A proof of concept gadget can be found here: http://sotiriu.de/demos/phgadget.xml Solution: = 1. No changes made here. Workaround: Don't trust Waves. 2. Google builds in AV scanning. Disclosure Timeline (/MM/DD): = 2009.11.16: Vulnerability found 2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.12.03) to Vendor 2009.11.23: Vendor response 2009.12.01: Ask for a status update, because the planned release date is 2009.12.03. 2009.12.03: Google Security Team asks for 2 more week to patch. 2009.12.03: Changed release date to 2009.12.17. 2009.12.15: Ask for a status update, because the planned release date is 2009.12.17. = No Response 2009.12.21: Ask for a status update. 2009.12.29: Google Security Team informs me, that there are no changes made before 2010.01.03. 2010.01.14: Google Security Team informs me, that uploaded files will be now scanned for malware. Google Gadgets will be not updated. 2010.01.19: Release of this Advisory ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether its via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine. -- Rohit Patnaik On Tue, Jan 19, 2010 at 7:11 AM, dramacrat yirim...@gmail.com wrote: This is the stupidest advisory I have read on this list in at least two months. 2010/1/19 NSO Research nso-resea...@sotiriu.de _ Security Advisory NSOADV-2010-002 _ _ Title: Google Wave Design Bugs Severity: Low Advisory ID:NSOADV-2010-002 Found Date: 16.11.2009 Date Reported: 18.11.2009 Release Date: 19.01.2010 Author: Nikolas Sotiriu (lofi) Mail: nso-research at sotiriu.de URL:http://sotiriu.de/adv/NSOADV-2010-002.txt Vendor: Google (http://www.google.com/) Affected Products: Google Wave Preview (Date: = 14.01.2010) Not Affected Component: Google Wave Preview (Date: = 14.01.2010) Remote Exploitable: Yes Local Exploitable: No Patch Status: partially patched Discovered by: Nikolas Sotiriu Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: For the permission to use his Policy Background: === Google Wave is an online tool for real-time communication and collaboration. A wave can be both a conversation and a document where people can discuss and work together using richly formatted text, photos, videos, maps, and more. (Product description from Google Website) Description: All this possible attacks are the result of playing 4 hours with Google Wave. I didn't check all the funny stuff, which is possible with the Wave. 1. Gadget phishing attack: -- The Google Wave Gadget API can be used for phishing attacks. An attacker can build his own phishing Gadget, share it with his Google Wave contacts an hopefully get the login credentials from a user. This behavior is normal. The Problem is, that this bug makes it easier to steal logins. 2. Virus spreading attack: -- Uploads Files are not scanned for malicious code. An attacker could upload his malware to a wave and share it to his Google Wave contacts. Proof of Concept : == A proof of concept gadget can be found here: http://sotiriu.de/demos/phgadget.xml Solution: = 1. No changes made here. Workaround: Don't trust Waves. 2. Google builds in AV scanning. Disclosure Timeline (/MM/DD): = 2009.11.16: Vulnerability found 2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.12.03) to Vendor 2009.11.23: Vendor response 2009.12.01: Ask for a status update, because the planned release date is 2009.12.03. 2009.12.03: Google Security Team asks for 2 more week to patch. 2009.12.03: Changed release date to 2009.12.17. 2009.12.15: Ask for a status update, because the planned release date is 2009.12.17. = No Response 2009.12.21: Ask for a status update. 2009.12.29: Google Security Team informs me, that there are no changes made before 2010.01.03. 2010.01.14: Google Security Team informs me, that uploaded files will be now scanned for malware. Google Gadgets will be not updated. 2010.01.19: Release of this Advisory ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs
On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said: Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether its via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine. Let's see.. *HOW* many years ago did we first see e-mail based viruses that depended on people opening them because they came from people they already knew? 'CHRISTMA EXEC' in 1984 comes to mind. The problem here is that Google Wave is for *collaboration* - which means that you're communicating with people you already know, and presumably trust to some degree or other. Hey Joe, look at this PDF and tell me what you think is something reasonable when the request comes from somebody who Joe knows and who has sent Joe PDF's in the past. I guarantee that if every time you receive a document that appears to be from your boss, you call back and ask if they really intended to send a document or if it's a virus, your boss will get very cranky with you very fast. Let's look at that original advisory again: An attacker could upload his malware to a wave and share it to his Google Wave contacts. Now change that to An attacker could trick/pwn some poor victim into uploading the malware to a wave Hilarity ensues. pgp17lPMlmDaK.pgp Description: PGP signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/