| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Jan 2010 17:49:53 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Benji <me@...ji.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cross Site Identification (CSID) attack.
Description and demonstration.
{hahahaha}
In fact, I didn't see Gmail mentioned anywhere. Perhaps it just
affects JSON/AJAX-intensive-without-XSRF-tokens sites?
On Wed, Jan 13, 2010 at 5:47 PM, Benji <me@...ji.com> wrote:
> yes, but scarier BECAUSE IT INVOLVES FACEBOOK ARGH!
>
> On Wed, Jan 13, 2010 at 4:45 PM, Christian Sciberras <uuf6429@...il.com>
> wrote:
>>
>> I'm confused, isn't this just like XSRF (cross-site request forgery)?
>>
>> Regards,
>> Chris.
>>
>>
>> On Wed, Jan 13, 2010 at 4:33 PM, Ronen Z <ronen@...ji.com> wrote:
>> > Hi,
>> >
>> > A new type of vulnerability is described in which publicly available
>> > information from social network sites obtained out of context, can be
>> > used
>> > to identify a user in cases where anonymity is taken for granted.
>> >
>> > This attack (dubbed Cross Site Identification, or CSID) assumes the
>> > following scenario: A user that is currently logged on to her social
>> > network
>> > account visits a 3rd party site, supposedly anonymously, in another
>> > browser
>> > tab. The 3rd party site causes her browser to contact the social network
>> > site and exploit the vulnerability resulting in her identity being
>> > disclosed
>> > to the attacker. The 3rd party target site is not necessarily controlled
>> > by
>> > the attacker. It could also be, for example, any site allowing user
>> > provided
>> > content that includes an image link (basically any forum or blog site).
>> > Other possibilities exist.
>> >
>> > While the information that is received by the attacker is technically
>> > publicly available, obtaining it in this manner effectively lifts the
>> > veil
>> > of anonymity from the user when interacting with the 3rd party site.
>> >
>> > Three social networks were tested and all were found to contain the
>> > vulnerability. These are Facebook, Orkut and Bebo. Some of the
>> > vulnerabilities were design flaws. The vulnerabilities are described and
>> > demonstrated. The sites were contacted in advance yet some of the
>> > vulnerabilities are still open.
>> >
>> > CSID is not bound only to social network sites but might be found on any
>> > site that authenticates its users. Various flavors of the attack are
>> > discussed.
>> >
>> >
>> > The post below contains a detailed description of the attack and its
>> > implications. It also includes details about the live vulnerabilities
>> > found.
>> >
>> > Post/White Paper:
>> > http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html
>> >
>> >
>> >
>> >
>> > Ronen Zilberman
>> > http://quaji.com
>> >
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists