Message-ID: <3af3d47c1001130845l27dc333ftf899c8ea93ba290a@mail.gmail.com>
Date: Wed, 13 Jan 2010 17:45:56 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Ronen Z <ronen@...ji.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cross Site Identification (CSID) attack. Description and demonstration.
I'm confused, isn't this just like XSRF (cross-site request forgery)?
Regards,
Chris.
On Wed, Jan 13, 2010 at 4:33 PM, Ronen Z <ronen@...ji.com> wrote:
> Hi,
>
> A new type of vulnerability is described in which publicly available
> information from social network sites obtained out of context, can be used
> to identify a user in cases where anonymity is taken for granted.
>
> This attack (dubbed Cross Site Identification, or CSID) assumes the
> following scenario: A user that is currently logged on to her social network
> account visits a 3rd party site, supposedly anonymously, in another browser
> tab. The 3rd party site causes her browser to contact the social network
> site and exploit the vulnerability resulting in her identity being disclosed
> to the attacker. The 3rd party target site is not necessarily controlled by
> the attacker. It could also be, for example, any site allowing user provided
> content that includes an image link (basically any forum or blog site).
> Other possibilities exist.
>
> While the information that is received by the attacker is technically
> publicly available, obtaining it in this manner effectively lifts the veil
> of anonymity from the user when interacting with the 3rd party site.
>
> Three social networks were tested and all were found to contain the
> vulnerability. These are Facebook, Orkut and Bebo. Some of the
> vulnerabilities were design flaws. The vulnerabilities are described and
> demonstrated. The sites were contacted in advance yet some of the
> vulnerabilities are still open.
>
> CSID is not bound only to social network sites but might be found on any
> site that authenticates its users. Various flavors of the attack are
> discussed.
>
>
> The post below contains a detailed description of the attack and its
> implications. It also includes details about the live vulnerabilities found.
>
> Post/White Paper:
> http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html
>
>
>
>
> Ronen Zilberman
> http://quaji.com
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
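One server-side mitigation for the mechanism Ronen describes (a logged-in browser fetching an identity-bound resource on behalf of a third-party page that embeds it), as an added example that is not code from the original post or from any of the sites named. The hostnames, session store, avatar endpoint and request headers are constructed; the check prefers the Sec-Fetch-Site header, falls back to Origin/Referer, and fails closed when neither is present.

```python
from urllib.parse import urlsplit

OUR_HOST = "social.example"          # constructed: the site that authenticates users
SESSIONS = {"sid-4f2a": "alice"}     # constructed session store


def issue_session_cookie(session_id):
    """Set-Cookie value for the session. SameSite=Lax stops the browser from
    attaching the cookie to cross-site subresource requests (a third-party
    <img>), so the request below arrives anonymous in the first place."""
    return f"sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def user_from_cookie(headers):
    """Resolve the session cookie to a user name, or None if absent/unknown."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None


def is_cross_site(headers):
    """True when another site initiated the request.
    Sec-Fetch-Site is authoritative when the browser sends it; otherwise
    compare the Origin/Referer host with ours; with no initiator at all,
    treat the request as cross-site (fail closed)."""
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        return site not in ("same-origin", "same-site", "none")
    initiator = headers.get("Origin") or headers.get("Referer")
    if not initiator:
        return True
    return urlsplit(initiator).hostname != OUR_HOST


def serve_me_avatar_vulnerable(headers):
    """Before: any request carrying a valid session cookie gets a user-bound
    answer, so a page that embeds this URL learns who the visitor is."""
    user = user_from_cookie(headers)
    if user is None:
        return (302, "/login")
    return (302, f"/static/avatars/{user}.png")  # identity leaks cross-site


def serve_me_avatar_hardened(headers):
    """After: user-bound content only for same-site requests; a cross-site
    embed gets exactly the response an anonymous visitor would get, so the
    embedding page cannot distinguish logged-in from logged-out."""
    user = user_from_cookie(headers)
    if user is None or is_cross_site(headers):
        return (302, "/static/avatars/anonymous.png")
    return (302, f"/static/avatars/{user}.png")


# Constructed: a logged-in user's browser fetching an <img> placed on forum.example
CROSS_SITE_EMBED = {
    "Cookie": "sid=sid-4f2a",
    "Referer": "https://forum.example/thread/42",
    "Sec-Fetch-Site": "cross-site",
    "Sec-Fetch-Dest": "image",
}
# Constructed: the same user loading the avatar on social.example itself
SAME_SITE_PAGE = {
    "Cookie": "sid=sid-4f2a",
    "Referer": "https://social.example/home",
    "Sec-Fetch-Site": "same-origin",
}

if __name__ == "__main__":
    print("vulnerable, cross-site:", serve_me_avatar_vulnerable(CROSS_SITE_EMBED))
    print("hardened,   cross-site:", serve_me_avatar_hardened(CROSS_SITE_EMBED))
    print("hardened,   same-site: ", serve_me_avatar_hardened(SAME_SITE_PAGE))
    print("cookie:", issue_session_cookie("sid-4f2a"))
```

The two defences are complementary: the SameSite attribute keeps the cookie out of cross-site embeds, and the server-side initiator check covers browsers and cookies that lack it; both browser features were added years after this 2010 post, so in the scenario described the Referer fallback is the only signal available, which is why the code fails closed when it is missing.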