Message-ID: <20100121001556.75012.qmail@cgisecurity.net>
Date: Wed, 20 Jan 2010 19:15:56 -0500 (EST)
From: bugtraq@...security.net
To: quanticle@...il.com (Rohit Patnaik)
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: NSOADV-2010-002: Google Wave Design Bugs
> Well, that's exactly what I'm saying. Pretending that this is some kind of new
> exploit class simply because Google Wave is used is stupid. This is the
> logical extension of e-mail and instant message and social network attacks
> to the next potential platform.
Following in the history of the security community, we should coin a buzzword on this old issue with a new spin.
WaveJacking sounds like a perfect fit.
</sarcasm>
> On Tue, Jan 19, 2010 at 8:10 PM, <Valdis.Kletnieks@...edu> wrote:
>
> > On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
> > > Yeah, no kidding. Surprise! Untrusted files can be malicious. If you
> > > accept files from those whom you do not trust, whether it's via e-mail,
> > > instant message, Google Wave, or physical media, you well and truly
> > > deserve the virus that'll eventually infect your machine.
> >
> > Let's see.. *HOW* many years ago did we first see e-mail based viruses that
> > depended on people opening them because they came from people they already
> > knew? 'CHRISTMA EXEC' in 1984 comes to mind.
> >
> > The problem here is that Google Wave is for *collaboration* - which means
> > that you're communicating with people you already know, and presumably
> > trust to some degree or other. "Hey Joe, look at this PDF and tell me
> > what you think" is something reasonable when the request comes from
> > somebody who Joe knows and who has sent Joe PDFs in the past.
> >
> > I guarantee that if every time you receive a document that appears to be
> > from your boss, you call back and ask if they really intended to send a
> > document or if it's a virus, your boss will get very cranky with you very
> > fast.
> >
> > Let's look at that original advisory again:
> >
> > >> An attacker could upload his malware to a wave and share it to his
> > >> Google Wave contacts.
> >
> > Now change that to "An attacker could trick/pwn some poor victim into
> > uploading the malware to a wave...." Hilarity ensues.
> >
http://www.cgisecurity.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/