lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7575a821001200829k5d3ffe45lf05417b0a4606af2@mail.gmail.com>
Date: Wed, 20 Jan 2010 10:29:21 -0600
From: omg wtf <hexmasta@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: NSOADV-2010-002: Google Wave Design Bugs

Lol.

Everyone keeps forgetting the social engineering aspects of utilizing
exploits. Especially if someone is using AntiVirus 2011 and has a google
wave account.

On Tue, Jan 19, 2010 at 8:10 PM, <Valdis.Kletnieks@...edu> wrote:

> On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
> > Yeah, no kidding.  Surprise! Untrusted files can be malicious.  If you
> > accept files from those whom you do not trust, whether its via e-mail,
> > instant message, Google Wave, or physical media, you well and truly
> deserve
> > the virus that'll eventually infect your machine.
>
> Let's see.. *HOW* many years ago did we first see e-mail based viruses that
> depended on people opening them because they came from people they already
> knew?  'CHRISTMA EXEC' in 1984 comes to mind.
>
> The problem here is that Google Wave is for *collaboration* - which means
> that you're communicating with people you already know, and presumably
> trust to some degree or other. "Hey Joe, look at this PDF and tell me
> what you think" is something reasonable when the request comes from
> somebody
> who Joe knows and who has sent Joe PDF's in the past.
>
> I guarantee that if every time you receive a document that appears to be
> from
> your boss, you call back and ask if they really intended to send a document
> or
> if it's a virus, your boss will get very cranky with you very fast.
>
> Let's look at that original advisory again:
>
> >> An attacker could upload his malware to a wave and share it to his
> >> Google Wave contacts.
>
> Now change that to "An attacker could trick/pwn some poor victim into
> uploading
> the malware to a wave...."  Hilarity ensues.
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ