| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Nov 2014 13:36:51 -0600 From: Nick Semenkovich <nick@...enkovich.com> To: Jing Wang <justqdjing@...il.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net One of the cuter things I saw today was an "I'm Feeling Lucky" + unique search term trick. e.g. https://www.google.com/#&q=SomeUniqueLongStringHere&btnI=denoqa (Specifically the string "uhcjljmguohkmywgylmin" I imagine this'll be adapted for some slightly more believable phishing URLs.) On Thu, Nov 13, 2014 at 12:58 AM, Jing Wang <justqdjing@...il.com> wrote: > Bypass Google Open Redirect Filter Based on Googleads.g.doubleclick.net > <http://googleads.g.doubleclick.net/> > -- Google Covert Redirect Vulnerability Based on Googleads.g.doubleclick.net > <http://googleads.g.doubleclick.net/> > > > > The vulnerability exists at "Logout?" page with "&continue" parameter, i.e. > https://www.google.com/accounts/Logout?service=writely&continue=https://googleads.g.doubleclick.net > > > > The vulnerability can be attacked without user login. Tests were performed > on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7. > > > > (1) When a user is redirected from Google to another site, Google will > check whether the redirected URL belongs to domains in Google's whitelist > (The whitelist usually contains websites belong to Google), e.g. > docs.google.com > googleads.g.doubleclick.net > > > > If this is true, the redirection will be allowed. > > However, if the URLs in a redirected domain have open URL redirection > vulnerabilities themselves, a user could be redirected from Google to a > vulnerable URL in that domain first and later be redirected from this > vulnerable site to a malicious site. This is as if being redirected from > Google directly. > > One of the vulnerable domain is, > googleads.g.doubleclick.net (Google's Ad System) > > > > > (2) Use one webpage for the following tests. The webpage address is " > http://www.inzeed.com/kaleidoscope". We can suppose that this webpage is > malicious. > > > > Vulnerable URL: > https://www.google.com/accounts/Logout?service=writely&continue=https://google.com/ > > > > POC: > https://www.google.com/accounts/Logout?service=wise&continue=http%3A%2F%2Fgoogleads.g.doubleclick.net%2Faclk%3Fsa%3DL%26ai%3DCtHoIVxn3UvjLOYGKiAeelIHIBfLQnccEAAAQASAAUNTx5Pf4_____wFgvwWCARdjYS1wdWItMDQ2NjU4MjEwOTU2NjUzMsgBBOACAKgDAaoE5AFP0NHr5cHwFmWgKNs6HNTPVk7TWSV-CDHX83dKdGSWJ2ADoZNIxUHZwjAODRyDY_7nVtpuqSLOTef4xzVxDQ2U22MNbGak33Ur7i2jDB8LdYt9TbC3ifsXmklY5jl3Zpq4_lP7wagVfjt0--tNPPGTR96NGbxgPvfHMq9ZsTXpjhc_lPlnyGjlWzF8yn437iaxhGRwYLt_CymifLO2YaJPkCm9nLpONtUM-mstUSpKQrP2VjjaZkbDtuK0naLLBV37aYEY4TzWQi8fQGN47z4XgpinBCna91zQayZjn2wxccDCl0zgBAGgBhU%26num%3D0%26sig%3DAOD64_3Qi4qG3CRVHRI5AHSkSGuL7HJqSA%26client%3Dca-pub-0466582109566532%26adurl%3Dhttp%3A%2F%2Fwww.inzeed.com%2Fkaleidoscope > > > > POC Video: > https://www.youtube.com/watch?v=btuSq89khcQ&feature=youtu.be > > > > Reporter: > Wang Jing, Mathematics, Nanyang Technological University > http://www.tetraph.com/wangjing > > > > > > More Details: > http://computerobsess.blogspot.com/2014/11/google-covert-redirect-vulnerability.html > > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ -- Nick Semenkovich Laboratory of Dr. Jeffrey I. Gordon Medical Scientist Training Program School of Medicine Washington University in St. Louis https://nick.semenkovich.com/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists