Message-ID: <21bcc0400712111501u6cbe7d83g7e201471beee8450@mail.gmail.com>
Date: Tue, 11 Dec 2007 18:01:55 -0500
From: "Aaron Katz" <atkatz@...il.com>
To: "Joseph Hick" <leet16y@...oo.com>
Cc: Kristian Erik Hermansen <kristian.hermansen@...il.com>,
	full-disclosure@...ts.grok.org.uk
Subject: Re: Google / GMail bug, all accounts vulnerable

Joseph,

I don't expect it's actually the image loading that does anything.  I
took a quick scan of the source when the problem was visible, and it
was evident that two things were happening:

1) Stuff was being loaded from a personal location on
somewhere.google.com, where "somewhere" appeared to be a personal
system/domain, named after the original poster.

2) JavaScript code was being loaded.

My strong suspicion is that the original poster simply created a
JavaScript script in somewhere.google.com, and this JavaScript deleted
the cookie.  This would work if the session cookie is restricted to
google.com, which would let any web server in, or content served from
the google.com domain (or any subdomain).

My note about using NoScript to restrict JavaScript execution to
mail.google.com reinforces this suspicion.

If my suspicion is correct, then google did two things.  First, google
appears to allow individuals to create personal domain names in
google.com, and to place arbitrary content in those domains.  This
first thing probably allowed the original poster to place the
JavaScript in a location where it could access the google.com cookie.
Second, google apparently did not restrict the gmail cookie to
mail.google.com.  This second thing allowed the JavaScript from the
personal system at somewhere.google.com to access the cookie.


Of course, I only did a cursory glance at the source of the webpage,
so I may be wrong :)  But, we can be reasonably sure it's not
exploiting a problem in the browser, since the issue appears to be
cross browser.

--
Aaron

On 12/8/07, Joseph Hick <leet16y@...oo.com> wrote:
> could someone please explain how this PoC works? I wonder why simply loading
> an image logs me out
>
> Kristian Erik Hermansen <kristian.hermansen@...il.com> wrote:
> On Dec 7, 2007 7:40 AM, Aaron Katz wrote:
> > Could you please explain the vulnerability? When I test, and I submit
> > a correct response to the CAPTCHA, I'm presented with knowledge based
> > authentication.
>
> The bug, unless Google fixed it already, will have an effect on your
> GMail account, but has nothing to do with CAPTCHAs. Here is an
> illustration....
>
> * You are happily browsing some emails in GMail.
> * You then visit any website which utilizes my PoC. (one @
> http://www.kristian-hermansen.com)
> * You try to use your GMail account, but something went wrong.
> * You ask yourself what happened...
> --
> Kristian Erik Hermansen
> "I have no special talent. I am only passionately curious."
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
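The cookie-scoping point Aaron makes above, as an added example that is not part of the thread: a small RFC 6265 domain-match check showing which hosts can read (and therefore overwrite or expire) a session cookie scoped to google.com, versus one kept host-only for mail.google.com. The cookie name and the hosts other than those named in the thread are constructed placeholders.

```javascript
// Added example, not code from the thread. Models RFC 6265 cookie domain
// matching to show why a cookie scoped to the parent domain google.com is
// reachable from every subdomain, while a host-only cookie is not.

// RFC 6265 section 5.1.3: a request host domain-matches a cookie domain when
// they are identical, or when the host ends with "." + cookieDomain and the
// host is not an IPv4 literal. A leading dot on the Domain attribute is ignored.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === cookieDomain) return true;
  const isIPv4 = /^\d+(\.\d+){3}$/.test(host);
  return !isIPv4 && host.endsWith("." + cookieDomain);
}

// Which of the given hosts can see a cookie? A cookie with a Domain attribute
// is visible to every domain-matching host; a host-only cookie (no Domain
// attribute) is visible only to the exact host that set it.
function hostsWithAccess(cookie, hosts) {
  return hosts.filter(h =>
    cookie.domain ? domainMatches(h, cookie.domain) : h === cookie.setBy);
}

// Constructed sample hosts. "somewhere.google.com" stands for the personal
// subdomain the thread describes; the last two are look-alikes that must NOT match.
const HOSTS = [
  "mail.google.com",
  "somewhere.google.com",
  "www.google.com",
  "notgoogle.com",
  "google.com.evil.example",
];

// The weak setting the thread describes: session cookie scoped to google.com.
const WEAK = { name: "SESSION", setBy: "mail.google.com", domain: "google.com" };

// The hardened setting Aaron implies: host-only cookie for mail.google.com.
const HARDENED = { name: "SESSION", setBy: "mail.google.com" };

// Any host that can read a cookie can also set an expired cookie of the same
// name and scope, which is how a page on a sibling subdomain logs the user out.
function canClear(host, cookie) {
  return hostsWithAccess(cookie, [host]).length === 1;
}
```

Running `hostsWithAccess(WEAK, HOSTS)` lists all three google.com hosts, while `hostsWithAccess(HARDENED, HOSTS)` lists only mail.google.com.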
