[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3af3d47c1001200834xa8149d4oaffcd3195d4bae30@mail.gmail.com>
Date: Wed, 20 Jan 2010 17:34:11 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: omg wtf <hexmasta@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: NSOADV-2010-002: Google Wave Design Bugs
That's what I said about human error, scanning is no solution unless a clear
UI is used which makes social engineering practically impossible.
On Wed, Jan 20, 2010 at 5:29 PM, omg wtf <hexmasta@...il.com> wrote:
> Lol.
>
> Everyone keeps forgetting the social engineering aspects of utilizing
> exploits. Especially if someone is using AntiVirus 2011 and has a google
> wave account.
>
> On Tue, Jan 19, 2010 at 8:10 PM, <Valdis.Kletnieks@...edu> wrote:
>
>> On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
>> > Yeah, no kidding. Surprise! Untrusted files can be malicious. If you
>> > accept files from those whom you do not trust, whether its via e-mail,
>> > instant message, Google Wave, or physical media, you well and truly
>> deserve
>> > the virus that'll eventually infect your machine.
>>
>> Let's see.. *HOW* many years ago did we first see e-mail based viruses
>> that
>> depended on people opening them because they came from people they already
>> knew? 'CHRISTMA EXEC' in 1984 comes to mind.
>>
>> The problem here is that Google Wave is for *collaboration* - which means
>> that you're communicating with people you already know, and presumably
>> trust to some degree or other. "Hey Joe, look at this PDF and tell me
>> what you think" is something reasonable when the request comes from
>> somebody
>> who Joe knows and who has sent Joe PDF's in the past.
>>
>> I guarantee that if every time you receive a document that appears to be
>> from
>> your boss, you call back and ask if they really intended to send a
>> document or
>> if it's a virus, your boss will get very cranky with you very fast.
>>
>> Let's look at that original advisory again:
>>
>> >> An attacker could upload his malware to a wave and share it to his
>> >> Google Wave contacts.
>>
>> Now change that to "An attacker could trick/pwn some poor victim into
>> uploading
>> the malware to a wave...." Hilarity ensues.
>>
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists