Message-ID: <6a5e46471001191701t1d9df59cx5a79afdc3a76c34d@mail.gmail.com>
Date: Tue, 19 Jan 2010 19:01:36 -0600
From: Rohit Patnaik <quanticle@...il.com>
To: dramacrat <yirimyah@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: NSOADV-2010-002: Google Wave Design Bugs
Yeah, no kidding. Surprise! Untrusted files can be malicious. If you
accept files from those whom you do not trust, whether it's via e-mail,
instant message, Google Wave, or physical media, you well and truly deserve
the virus that'll eventually infect your machine.
-- Rohit Patnaik
On Tue, Jan 19, 2010 at 7:11 AM, dramacrat <yirimyah@...il.com> wrote:
> This is the stupidest advisory I have read on this list in at least two
> months.
>
> 2010/1/19 NSO Research <nso-research@...iriu.de>
>
> _________________________________________
>> Security Advisory NSOADV-2010-002
>> _________________________________________
>> _________________________________________
>>
>>
>> Title: Google Wave Design Bugs
>> Severity: Low
>> Advisory ID: NSOADV-2010-002
>> Found Date: 16.11.2009
>> Date Reported: 18.11.2009
>> Release Date: 19.01.2010
>> Author: Nikolas Sotiriu (lofi)
>> Mail: nso-research at sotiriu.de
>> URL: http://sotiriu.de/adv/NSOADV-2010-002.txt
>> Vendor: Google (http://www.google.com/)
>> Affected Products: Google Wave Preview (Date: =< 14.01.2010)
>> Not Affected Component: Google Wave Preview (Date: >= 14.01.2010)
>> Remote Exploitable: Yes
>> Local Exploitable: No
>> Patch Status: partially patched
>> Discovered by: Nikolas Sotiriu
>> Disclosure Policy: http://sotiriu.de/policy.html
>> Thanks to: Thierry Zoller: For the permission to use his Policy
>>
>>
>>
>> Background:
>> ===========
>>
>> Google Wave is an online tool for real-time communication and
>> collaboration. A wave can be both a conversation and a document where
>> people can discuss and work together using richly formatted text,
>> photos, videos, maps, and more.
>>
>> (Product description from Google Website)
>>
>>
>>
>> Description:
>> ============
>>
>> All these possible attacks are the result of playing 4 hours with Google
>> Wave. I didn't check all the funny stuff which is possible with the Wave.
>>
>>
>>
>> 1. Gadget phishing attack:
>> --------------------------
>>
>> The Google Wave Gadget API can be used for phishing attacks.
>>
>> An attacker can build his own phishing Gadget, share it with his Google
>> Wave contacts and hopefully get the login credentials from a user.
>>
>> This behavior is normal. The problem is that this "bug" makes it easier
>> to steal logins.
>>
>>
>> 2. Virus spreading attack:
>> --------------------------
>>
>> Uploaded files are not scanned for malicious code.
>>
>> An attacker could upload his malware to a wave and share it with his
>> Google Wave contacts.
>>
>>
>>
>> Proof of Concept :
>> ==================
>>
>> A proof of concept gadget can be found here:
>> http://sotiriu.de/demos/phgadget.xml
>>
>>
>>
>> Solution:
>> =========
>>
>> 1. No changes made here.
>> Workaround: Don't trust Waves.
>>
>> 2. Google builds in AV scanning.
>>
>>
>>
>> Disclosure Timeline (YYYY/MM/DD):
>> =================================
>>
>> 2009.11.16: Vulnerability found
>> 2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure
>> date (2009.12.03) to Vendor
>> 2009.11.23: Vendor response
>> 2009.12.01: Ask for a status update, because the planned release date is
>> 2009.12.03.
>> 2009.12.03: Google Security Team asks for 2 more weeks to patch.
>> 2009.12.03: Changed release date to 2009.12.17.
>> 2009.12.15: Ask for a status update, because the planned release date is
>> 2009.12.17. => No Response
>> 2009.12.21: Ask for a status update.
>> 2009.12.29: Google Security Team informs me that no changes are made
>> before 2010.01.03.
>> 2010.01.14: Google Security Team informs me that uploaded files will
>> now be scanned for malware. Google Gadgets will not be updated.
>> 2010.01.19: Release of this Advisory
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
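Item 2 of the quoted advisory (uploaded files shared through a wave were not scanned) and its fix (Google adding malware scanning of uploads) describe a server-side upload gate without showing one. The following is an added example, written for this page and not code from Google, NSO Research or anyone in the thread. It shows the minimal checks such a gate performs before a file is made available to other users: a size limit, a lookup of the file's SHA-256 in a denylist, a refusal of executable formats by their leading bytes regardless of the file name, and a check that the content actually matches the declared extension. The magic-byte tables and the denylist are constructed for the example (the denylist holds only the digest of the standard EICAR test string); a real deployment would feed the digest lookup and content inspection from an AV engine.

```python
import hashlib
import os
from dataclasses import dataclass

# Constructed allow-list: extension -> acceptable leading bytes. An assumption
# for this example, not Google's policy.
MAGIC_BY_EXTENSION = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
}

# Leading bytes of formats that are never accepted as attachments, whatever
# the file name claims (renaming tool.exe to photo.png does not help).
BLOCKED_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}

# Constructed denylist of SHA-256 digests. A real gate would take this from an
# AV vendor feed; here it contains only the digest of the EICAR test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
KNOWN_BAD_SHA256 = {hashlib.sha256(EICAR).hexdigest()}

MAX_UPLOAD_BYTES = 25 * 1024 * 1024  # assumed limit for the example


@dataclass
class ScanVerdict:
    allowed: bool
    reason: str
    sha256: str


def scan_upload(filename: str, data: bytes) -> ScanVerdict:
    """Decide whether an uploaded file may be shared with other wave members.

    Checks run from cheapest/most decisive to least: size, known-bad digest,
    forbidden executable formats, then extension/content agreement.
    """
    sha256 = hashlib.sha256(data).hexdigest()
    if len(data) > MAX_UPLOAD_BYTES:
        return ScanVerdict(False, "file exceeds size limit", sha256)
    if sha256 in KNOWN_BAD_SHA256:
        return ScanVerdict(False, "known-malicious content (digest match)", sha256)
    for magic, label in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return ScanVerdict(False, f"executable content ({label}) not allowed", sha256)
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC_BY_EXTENSION:
        return ScanVerdict(False, f"extension {ext or '(none)'} not in allow-list", sha256)
    if not any(data.startswith(m) for m in MAGIC_BY_EXTENSION[ext]):
        return ScanVerdict(False, f"content does not match declared type {ext}", sha256)
    return ScanVerdict(True, "clean", sha256)


def scan_samples() -> dict:
    """Run the gate over a few constructed uploads and return name -> verdict."""
    samples = {
        "holiday.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,           # genuine PNG header
        "holiday2.png": b"MZ\x90\x00" + b"\x00" * 32,                 # PE renamed to .png
        "report.pdf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,           # PNG claiming to be PDF
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 32,                     # executable, extension not allowed either
        "eicar.txt": EICAR,                                           # denylisted digest
    }
    return {name: scan_upload(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        status = "ALLOW" if verdict.allowed else "REJECT"
        print(f"{status:6} {name:14} {verdict.reason} [{verdict.sha256[:12]}]")
```

The gate returns a verdict rather than raising, so the caller can quarantine the blob and log the digest and reason for later correlation; the digest check comes before the type checks so that a known sample is rejected for the right reason even when its file name would have failed anyway.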