Date: Thu, 21 Jan 2010 21:28:24 +1100
From: dramacrat <yirimyah@...il.com>
To: bugtraq@...security.net
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: NSOADV-2010-002: Google Wave Design Bugs

inb4 front page news

2010/1/21 <bugtraq@...security.net>

> > Well, that's exactly what I'm saying.  Pretending that this is some kind of new
> > exploit class simply because Google Wave is used is stupid.  This is the
> > logical extension of e-mail and instant message and social network attacks
> > to the next potential platform.
>
> Following in the history of the security community, we should coin a
> buzzword on this old issue with a new spin.
> WaveJacking sounds like a perfect fit.
> </sarcasm>
>
>
> > On Tue, Jan 19, 2010 at 8:10 PM, <Valdis.Kletnieks@...edu> wrote:
> >
> > > On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
> > > > Yeah, no kidding.  Surprise! Untrusted files can be malicious.  If you
> > > > accept files from those whom you do not trust, whether it's via e-mail,
> > > > instant message, Google Wave, or physical media, you well and truly deserve
> > > > the virus that'll eventually infect your machine.
> > >
> > > Let's see.. *HOW* many years ago did we first see e-mail based viruses that
> > > depended on people opening them because they came from people they already
> > > knew?  'CHRISTMA EXEC' in 1984 comes to mind.
> > >
> > > The problem here is that Google Wave is for *collaboration* - which means
> > > that you're communicating with people you already know, and presumably
> > > trust to some degree or other. "Hey Joe, look at this PDF and tell me
> > > what you think" is something reasonable when the request comes from somebody
> > > who Joe knows and who has sent Joe PDF's in the past.
> > >
> > > I guarantee that if every time you receive a document that appears to be from
> > > your boss, you call back and ask if they really intended to send a document or
> > > if it's a virus, your boss will get very cranky with you very fast.
> > >
> > > Let's look at that original advisory again:
> > >
> > > >> An attacker could upload his malware to a wave and share it to his
> > > >> Google Wave contacts.
> > >
> > > Now change that to "An attacker could trick/pwn some poor victim into uploading
> > > the malware to a wave...."  Hilarity ensues.
> >
> http://www.cgisecurity.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
