lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Jan 2010 17:40:12 +0200
From: Ronen Z <ronen@...ji.com>
To: bugtraq@...urityfocus.com
Subject: Cross Site Identification (CSID) attack. Description and 
	demonstration.

Hi,

A new type of vulnerability is described in which publicly available
information from social network sites obtained out of context, can be
used to identify a user in cases where anonymity is taken for granted.

This attack (dubbed Cross Site Identification, or CSID) assumes the
following scenario: A user that is currently logged on to her social
network account visits a 3rd party site, supposedly anonymously, in
another browser tab. The 3rd party site causes her browser to contact
the social network site and exploit the vulnerability resulting in her
identity being disclosed to the attacker. The 3rd party target site is
not necessarily controlled by the attacker. It could also be, for
example, any site allowing user provided content that includes an
image link (basically any forum or blog site). Other possibilities
exist.

While the information that is received by the attacker is technically
publicly available, obtaining it in this manner effectively lifts the
veil of anonymity from the user when interacting with the 3rd party
site.

Three social networks were tested and all were found to contain the
vulnerability. These are Facebook, Orkut and Bebo. Some of the
vulnerabilities were design flaws. The vulnerabilities are described
and demonstrated. The sites were contacted in advance yet some of the
vulnerabilities are still open.

CSID is not bound only to social network sites but might be found on
any site that authenticates its users. Various flavors of the attack
are discussed.


The post below contains a detailed description of the attack and its
implications. It also includes details about the live vulnerabilities
found.

Post/White Paper:
http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html




Ronen Zilberman
http://quaji.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ