Date: Tue, 30 Sep 2008 23:23:18 +0100
From: n3td3v <xploitable@...il.com>
To: full-disclosure@...ts.grok.org.uk, n3td3v <n3td3v@...glegroups.com>
Cc: security@...gle.com
Subject: Google Adsense bot exploitable? (Was: Supporters
	urge halt to, hacker's, extradition to US)

On Tue, Sep 30, 2008 at 10:55 PM, Eliah Kagan
<degeneracypressure@...il.com> wrote:
> I wrote:
>>> When a http indexing bot (like those used by Google, for instance)
>>> comes upon a hyperlink into a page that is http authenticated, does it
>>> follow the link and try a blank password, or does it not follow the
>>> link? Is there some accepted standard for that?
>>>
>>> If it is considered acceptable to assume that access is permitted to
>>> any system that doesn't have passwords set but present http
>>> authentication, it would be hard to argue that other forms of
>>> authentication are different. Of course, having gained access, making
>>> deliberate modifications, however slight, would be illegal.
>
> n3td3v wrote:
>> All you do is give Googlebot the password and hey presto! Read below:
>>
>> https://www.google.com/adsense/support/bin/answer.py?answer=37081
>
> Yes, but what I'm asking about is what happens if the Google bot (or
> other bots) are indexing and come upon a hyperlink, which otherwise
> would be followed, of the form:
>
> http://someone@[subdomains.]somewhere.tld
>
> Does it then try the null ("") password to authenticate, or does it
> stop there? Would it be considered computer fraud to try the null
> password in this situation?
>
> This is not necessarily a page of a Google AdSense customer. It could be anything.
>
> Isn't this what happened to make a whole bunch of Papa Johns'
> corporate emails public via the Google cache? (And nobody pressed
> criminal charges against Google developers...)
>
> -Eliah
>

Could the bad guys exploit this Adsense bot to do a bit of
reconnaissance work if they had obtained passwords and given them to
the bot? What kind of info does Adsense bot give back to the bad guys
about password-protected pages it has been told to access? I'm not
talking about the McKinnon case right now, I just think I might have
just opened a can of worms on a separate issue. This bot could go in
to places and break the law, while the bad guys break no law? This
needs to be researched.

All the best,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
