lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f5dc671001130847k29033e3di618430fec6be66ae@mail.gmail.com>
Date: Wed, 13 Jan 2010 16:47:54 +0000
From: Benji <me@...ji.com>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Cross Site Identification (CSID) attack.
	Description and demonstration.

yes, but scarier BECAUSE IT INVOLVES FACEBOOK ARGH!

On Wed, Jan 13, 2010 at 4:45 PM, Christian Sciberras <uuf6429@...il.com>wrote:

> I'm confused, isn't this just like XSRF (cross-site request forgery)?
>
> Regards,
> Chris.
>
>
> On Wed, Jan 13, 2010 at 4:33 PM, Ronen Z <ronen@...ji.com> wrote:
> > Hi,
> >
> > A new type of vulnerability is described in which publicly available
> > information from social network sites obtained out of context, can be
> used
> > to identify a user in cases where anonymity is taken for granted.
> >
> > This attack (dubbed Cross Site Identification, or CSID) assumes the
> > following scenario: A user that is currently logged on to her social
> network
> > account visits a 3rd party site, supposedly anonymously, in another
> browser
> > tab. The 3rd party site causes her browser to contact the social network
> > site and exploit the vulnerability resulting in her identity being
> disclosed
> > to the attacker. The 3rd party target site is not necessarily controlled
> by
> > the attacker. It could also be, for example, any site allowing user
> provided
> > content that includes an image link (basically any forum or blog site).
> > Other possibilities exist.
> >
> > While the information that is received by the attacker is technically
> > publicly available, obtaining it in this manner effectively lifts the
> veil
> > of anonymity from the user when interacting with the 3rd party site.
> >
> > Three social networks were tested and all were found to contain the
> > vulnerability. These are Facebook, Orkut and Bebo. Some of the
> > vulnerabilities were design flaws. The vulnerabilities are described and
> > demonstrated. The sites were contacted in advance yet some of the
> > vulnerabilities are still open.
> >
> > CSID is not bound only to social network sites but might be found on any
> > site that authenticates its users. Various flavors of the attack are
> > discussed.
> >
> >
> > The post below contains a detailed description of the attack and its
> > implications. It also includes details about the live vulnerabilities
> found.
> >
> > Post/White Paper:
> > http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html
> >
> >
> >
> >
> > Ronen Zilberman
> > http://quaji.com
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ