lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-id: <480B26BB.23181.6B272037@nick.virus-l.demon.co.uk>
Date: Sun, 20 Apr 2008 11:19:23 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: Google Security <security@...gle.com>,
	Alexander Konovalenko <alexkon@...il.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Injecting spam into Google Web History via
 I'm Feeling Lucky queries

Alexander Konovalenko wrote:

> Google Web History is vulnerable to a CSRF-like attack that allows an
> attacker to inject some entries into the user's search history.  ...

Ummmm -- that's not an "attack"; it's a feature!

> ...  If you
> are logged in to your Google account and have Web History enabled,
> clicking on a malicious link will result in a Google search being
> logged to your search history without your consent.

As will clicking on a "non-malicious" link inducing a Google search 
(one may argue that any link that induces a Google search is a 
malicious link, but that would make google.com inherently evil and we 
surely aren't ready to conced that, yet, are we??).

What you've described is simply Google Web History doing what it is 
designed to do.  If you don't want GWH to record all your Google 
searches, don't login to your Google account while browsing the web in 
general, _or_ don't enable GWH.

If you don't like that Google can be induced to auto-search-and-
redirect via a URL embedded in a page (or HTML Email, etc) then use a 
browser, MUA, etc that doesn't handle iframe tags (or at least gives 
you a degree of control over them).

If you don't like Google's "I'm feeling lucky" feature, then complain 
to Google that they shouldn't write crap-lets like "I'm feeling lucky" 
which don't, at a minimum, check that the  referer is a legitimate 
Google domain.

The latter won't actually help -- the bad guys have been abusing "I'm 
feeling lucky" for quite a while now and Google clearly has decided to 
stay on the side of spammer-friendly technology enablers and has done 
nothing suitable about the situation (the necessary server-side referer 
checking code to break all simple malicious use of this "feature" of 
Google search should not be that far beyond the ken of their reputedly 
massive number of Ph.D-wielding employees, so their lack of action 
toward such a move must mean that Google prefers to remain the spam-
friendly redirector farm of choice).

> The malicious link can look something like this: <a
> href="http://www.google.com/search?q=ENLARGE+YOUR+WHATEVER+NOW+uniquePageId+site:example.com&amp;btnI=I'm+Feeling+Lucky">
> compelling vista exploits, free beer and cat pictures</a>

Such URLs have been used in spam for quite some time, but their general 
purpose is not to get some triflingly short-lived spam URL into folks' 
Google Web Histories (should they even have this feature enabled), but 
simply was a convenient anti-spam-filtering workaround until the anti-
spammers devised Google "I'm feeling lucky" URL parsers (i.e., when 
first used by spammers, the anti-spammers couldn't simply write filters 
to outright block arbitrary www.google.com, and its many "localized" 
variants, URLs).

> It will perform an I'm Feeling Lucky search on your behalf that will
> immediately redirect you to a specific example.com page prepared by
> the attacker in advance. For the attack to work, the page should be
> indexed by Google and should match the query keywords ("enlarge",
> "your" and so on). To ensure that the link always leads to a specific
> page, the attacker can include the same unique word ("uniquePageId")
> in the text of the destination page and in the search query. Besides
> these requirements, the destination page can have any content.

As I said...

See the following page (search for "Are you feeling lucky, Sergey?"):

   http://www.jgc.org/tsc.html

> To spam you with numerous Web History entries the attacker needs to
> vary the search queries embedded into his links.

Ahh yes -- that's wondrously trivial, but I'll not help the bad guys by 
describing here the several ways I've already thought of to morph these 
kinds of URLs and which the bad guys have either not already devised 
(or, at least, not already used).


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ