Open Source and information security mailing list archives
Message-ID: <3a166c090604181221m49111a9ewfbf46d84e1daf68a@mail.gmail.com>
Date: Tue Apr 18 20:21:55 2006
From: n3td3v at gmail.com (n3td3v)
Subject: Google Groups e-mail disclosure in plain text

Vendor:
Google Inc (GOOG).

Service:
Groups.

Description:
Google has an archive of Usenet since 1981 on its network. However,
Google decided to build a new Groups interface known as Google Groups
2 or GG2 for short.

Issue:
Bot network harvesting of e-mail addresses in plain text via web
interface headers.

Steps Google already take to prevent plain text e-mail disclosure:
Google obscure an e-mail address in message headers via web interface.

Google allow you to view an e-mail address in plain text via word
verification system only, via the web interface.

Problem:
Google forgot to add obscurity measures for forwarded messages, and so
an e-mail address is readable via web interface headers, in plain
text.

See here for further info:
http://groups.google.com/group/Groups-Suggestions/browse_thread/thread/d46a06d9d9fac8ef/9425615a2859ec6f#9425615a2859ec6f

How long n3td3v has known about this issue:
Since 2004, when GG2 was launched in beta format.

Why wait:
Because I was hoping this easy-to-fix issue would be sorted by now,
but it's not been, so I issued an advisory last night via the official
GG2 group, to make the GG2 team 100% fully aware of the problem.

History:
#1 n3td3v released cross-site scripting vulnerability for Google
Groups browse thread in December 2004 (This attack targeted the
general public.)
#2 n3td3v released cross-site scripting vulnerability for Google
Groups pending message December 2005 (This attack targeted owner and
moderators only.)
#3 n3td3v released sender e-mail in plain text vulnerability for
Google Groups forwarded message April 2006
(This attack targeted the general public)

Credit:
n3td3v

Personal:
I'll see you next time Google!
