lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAJPzsLN-=yVHY=td1q85ae1y-1ibQckAbMHCd8zzbUbUwQFY3A@mail.gmail.com>
Date: Tue, 6 Aug 2013 16:07:58 -0400
From: Craig Young <vuln-report@...ur3.us>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com, security@...gle.com
Subject: Attacking Google Accounts with 'weblogin:' Tokens

For those who missed it, I would like to spread awareness about how
conveniences built into the Google eco-system can allow an
application, a physical user, or a forensics expert to access almost
everything in your Google account.

[LINKS]
A nice summary from Lucian Constantine:
http://www.pcworld.com/article/2045903/android-oneclick-google-authentication-method-puts-users-businesses-at-risk.html

Intro Blog: http://www.tripwire.com/state-of-security/off-topic/defcon-sneak-peek-how-risky-is-google-apps-for-your-business/
DEF CON 21 slides are here: http://secur3.us/DC21Slides.pdf
Brief Demo Recording: http://secur3.us/DC21-ShortDemo.mp4
Android PoC here: http://secur3.us/DC21-PoC.apk
PoC Source here: http://secur3.us/DC21-PoC.java

Please note that the app will send your token to my server. I am not
doing anything with them but it will log your account names on my
server.  I would like to encourage all Android AV vendors to strive to
block not just this app but any app which is sending tokens off the
device.  I am also recommending that any Google Apps administrator
accounts should not be used with Android devices -- you wouldn't
browse web sites and run untrusted code as root, would you?  (i.e.
follow the principle of least permission)

My proof of concept used Android with AccountManager API calls but
this threat extends beyond Android and likely onto anything which will
run Chrome.  For example, iPhone/iPad support the same feature I am
abusing according to Google:
http://www.google.com/intl/en/chrome/browser/mobile/ios.html and
Mac/PC Chrome also definitely supports this as outlined by Duo
Security's recent blog post:
https://blog.duosecurity.com/2013/08/beyond-google-application-specific-password-exploiting-google-chromes-stored-oauth2-tokens/

Thanks,
Craig Young
Senior Security Researcher, Tripwire VERT
Follow: @CraigTweets

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ