| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4B559324.5010703@sotiriu.de>
Date: Tue, 19 Jan 2010 12:10:28 +0100
From: NSO Research <nso-research@...iriu.de>
To: full-disclosure@...ts.grok.org.uk
Subject: NSOADV-2010-002: Google Wave Design Bugs
_________________________________________
Security Advisory NSOADV-2010-002
_________________________________________
_________________________________________
Title: Google Wave Design Bugs
Severity: Low
Advisory ID: NSOADV-2010-002
Found Date: 16.11.2009
Date Reported: 18.11.2009
Release Date: 19.01.2010
Author: Nikolas Sotiriu (lofi)
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2010-002.txt
Vendor: Google (http://www.google.com/)
Affected Products: Google Wave Preview (Date: =< 14.01.2010)
Not Affected Component: Google Wave Preview (Date: >= 14.01.2010)
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: partially patched
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his
Policy
Background:
===========
Google Wave is an online tool for real-time communication and
collaboration. A wave can be both a conversation and a document where
people can discuss and work together using richly formatted text,
photos, videos, maps, and more.
(Product description from Google Website)
Description:
============
All this possible attacks are the result of playing 4 hours with Google
Wave. I didn't check all the funny stuff, which is possible with the Wave.
1. Gadget phishing attack:
--------------------------
The Google Wave Gadget API can be used for phishing attacks.
An attacker can build his own phishing Gadget, share it with his Google
Wave contacts an hopefully get the login credentials from a user.
This behavior is normal. The Problem is, that this "bug" makes it easier
to steal logins.
2. Virus spreading attack:
--------------------------
Uploads Files are not scanned for malicious code.
An attacker could upload his malware to a wave and share it to his
Google Wave contacts.
Proof of Concept :
==================
A proof of concept gadget can be found here:
http://sotiriu.de/demos/phgadget.xml
Solution:
=========
1. No changes made here.
Workaround: Don't trust Waves.
2. Google builds in AV scanning.
Disclosure Timeline (YYYY/MM/DD):
=================================
2009.11.16: Vulnerability found
2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure
date (2009.12.03) to Vendor
2009.11.23: Vendor response
2009.12.01: Ask for a status update, because the planned release date is
2009.12.03.
2009.12.03: Google Security Team asks for 2 more week to patch.
2009.12.03: Changed release date to 2009.12.17.
2009.12.15: Ask for a status update, because the planned release date is
2009.12.17. => No Response
2009.12.21: Ask for a status update.
2009.12.29: Google Security Team informs me, that there are no changes
made before 2010.01.03.
2010.01.14: Google Security Team informs me, that uploaded files will be
now scanned for malware. Google Gadgets will be not updated.
2010.01.19: Release of this Advisory
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists