lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <OFEC66DEC2.BB0B1ADA-ONC2257519.006AB11A-C2257519.006ADE46@il.ibm.com>
Date: Mon, 8 Dec 2008 21:27:17 +0200
From: Yair Amit <AMITYAIR@...ibm.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Breaking Google Gears' Cross-Origin Communication
	Model


Hello,

I recently discovered a flaw in the cross-origin communication security
model of Google Gears that could allow attackers to break-out of the
same-origin policy and mount large scale user-impersonation attacks under
certain conditions.

After coordinating a fix with Google, I can now reveal the full details.
You are invited to read them at
http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html.

To make sure you are secure, it is advisable to verify that you have the
latest version of Google-Gears (currently 0.5.4.2) installed on your
system. If that is not the case, it can be obtained from the Google Gears
website (http://gears.google.com).

I would like to thank the Google Gears security team for their quick
responses and the efficient way in which they handled this security issue.

Best Regards,
      Yair Amit
      Senior Security Researcher
      IBM Rational Application Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ