Re: [Full-disclosure] Gmail 0day
- From: "Adrian P" <unknown.pentester@xxxxxxxxx>
- Date: Sat, 10 Nov 2007 00:30:34 +0000
Hello Juergen,
With all my respect, is it that hard to see that gaining access to a
Gmail session can lead to your identity being stolen?
Nowadays your webmail account means your online life/presence. Let's
walk through an attack, shall we?
1. Your Gmail session is hijacked (i.e.: via the XSS PoC posted on FD)
2. Attacker searches for "password" in 'Inbox'/'Sent Mail'.
- How many times have you clicked on "Forgot password" on MULTIPLE
online accounts and the password (whether a new pass or the original
one) emailed to you has not been changed from the time you got the
"forgotten password" email?
- How many users have emailed passwords to themselves so that they
don't forget?
- How many users use the same password on MULTIPLE online accounts
(including merchant/e-commerce accounts)?
- How many users have clicked on "remember credit card details" so
that they don't have to re-enter their CC data every time they perform
an online transaction?
- Did you forget to disable your Gtalk chat history? (Gtalk is still
within the google.com domain.)
- Have you saved anything personal on other services such as Google
docs/calendar/notebook? (or any other google.com service that doesn't
require you to re-login once authenticated)
3. For most victims, this leads to a compromise of their online identity.
If you fail to see the problem, then please think before you complain
about "damn, right now 0day are fucking XSS ...".
Posting an XSS PoC that opens an alert box doesn't have much merit
perhaps. However, this is the equivalent of saying: "hey, I can cause
a BO condition. If you send X parameter with 500 bytes/chars or more,
then EIP is overwritten and the attacked service crashes". Now compare
that to actually compromising the server via the buffer overflow
vulnerability. That's a DIFFERENT STORY.
Same thing goes for any XSS. Now say, screw a cookie theft exploit for
the Gmail XSS! (pardon my French). Make something more clever!
Perhaps, you want a payload that scrapes all the victim's emails which
contain keywords such as 'password', 'private', 'admin', and so on.
Then, all the captured data is submitted to the attacker's site in the
background (nothing suspicious is visually happening from the victim's
point of view).
Sure Gmail has CSRF protection, but that can be bypassed via XSS.
After all, anti-CSRF tokens can be grabbed if URLs can be accessed
within the security context of the target domain (which is possible
via XSS).
If you consider all the aforementioned thoughts plus the fact that
Gmail is one of the most popular webmail services, then you should be
able to understand the power of an XSS vuln on google.com!
Regards,
AP.
On Nov 8, 2007 8:55 PM, Juergen Marester <marester.juergen@xxxxxxxxx> wrote:
wow ! 0day !
damn, right now 0day are fucking XSS ...
On 11/8/07, silky <michaelslists@xxxxxxxxx> wrote:
Worked for me minutes after it was posted. Seems fixed now.
On 11/9/07, crazy frog crazy frog <i.m.crazy.frog@xxxxxxxxx> wrote:
I tested it on the latest Gmail version, it's not working for me?
On Nov 8, 2007 7:04 AM, Scripter Hack <xss2root@xxxxxxxxx> wrote:
There is an HTML injection vulnerability in https://www.google.com.
It is very critical, you can get the cookie to log in to Gmail or
https://www.google.com/accounts/ServiceLogin?service=mail&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=default&ltmplcache=2&passive=truel#"></script><script>alert('xss')</script>&1-=1service.
POC:
More:http://xss2root.blogspot.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com
--
mike
http://lets.coozi.com.au/
--
pagvac
gnucitizen.org, ikwt.com