Date: Wed, 20 Jan 2010 19:15:56 -0500 (EST)
From: bugtraq@...security.net
To: quanticle@...il.com (Rohit Patnaik)
Cc: full-disclosure@...ts.grok.org.uk, Valdis.Kletnieks@...edu
Subject: Re: NSOADV-2010-002: Google Wave Design Bugs

> Well, that's exactly what I'm saying.  Pretending that this is some kind of new
> exploit class simply because Google Wave is used is stupid.  This is the
> logical extension of e-mail and instant message and social network attacks
> to the next potential platform.

Following in the history of the security community, we should coin a buzzword on this old issue with a new spin. 
WaveJacking sounds like a perfect fit.
</sarcasm>


> On Tue, Jan 19, 2010 at 8:10 PM, <Valdis.Kletnieks@...edu> wrote:
> 
> > On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
> > > Yeah, no kidding.  Surprise! Untrusted files can be malicious.  If you
> > > accept files from those whom you do not trust, whether it's via e-mail,
> > > instant message, Google Wave, or physical media, you well and truly deserve
> > > the virus that'll eventually infect your machine.
> >
> > Let's see.. *HOW* many years ago did we first see e-mail based viruses that
> > depended on people opening them because they came from people they already
> > knew?  'CHRISTMA EXEC' in 1984 comes to mind.
> >
> > The problem here is that Google Wave is for *collaboration* - which means
> > that you're communicating with people you already know, and presumably
> > trust to some degree or other. "Hey Joe, look at this PDF and tell me
> > what you think" is something reasonable when the request comes from
> > somebody who Joe knows and who has sent Joe PDF's in the past.
> >
> > I guarantee that if every time you receive a document that appears to be
> > from your boss, you call back and ask if they really intended to send a
> > document or if it's a virus, your boss will get very cranky with you very
> > fast.
> >
> > Let's look at that original advisory again:
> >
> > >> An attacker could upload his malware to a wave and share it to his
> > >> Google Wave contacts.
> >
> > Now change that to "An attacker could trick/pwn some poor victim into
> > uploading the malware to a wave...."  Hilarity ensues.
> >
http://www.cgisecurity.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
