Re: [Full-disclosure] Hacking WolframAlpha



This is rather low-hanging fruit. But I suppose someone has to disclose
the low hanging fruit.

Aside from abusing WolframAlpha's API, I'm not sure I see that this is that
huge an accomplishment. I do find it somewhat silly that unobfuscated
appid's are passed to the API over an unsecured connection, but meh. My
access to the API getting cut would be an annoyance, and I would certainly
be non-plussed about that if I were one of the poor souls who paid for a
bigger better faster stronger query plan, but still, meh. Maybe I'm
missing out on the gravity of this by not using the WolframAlpha API.

Of course, I'm assuming the real point here *is* that the appid is passed
unobfuscated and unsecured, and *not* that I can go trawling for appid's on
Google. The former is somewhat interesting to the niche of WolframAlpha
API users. The latter is rather old news under the heading "I can find a
disturbing amount of private information using a properly formatted Google
query". Patching that vulnerability will only be accomplished
through reeducation and strategic employment modifications.

On Tue, Apr 24, 2012 at 2:50 PM, Adam Behnke <adam@xxxxxxxxxxxxxxxxxxxx>wrote:

Sharing source code with peers is one thing; sharing secrets over a public
medium is another. The all-seeing eye of Google has no mercy, and once the
secret has been seen, indexed, and copied to clone sites, it is no longer a
secret. Now combine the search power of Google with the computational power
of WolframAlpha and the results are limitless! It's raining data from these
saturated clouds, and you just need to hold out your hands for a taste:
http://resources.infosecinstitute.com/hacking-wolframalpha/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
    ... Now if Google doesn't want to fix patch that, ... Youtube DATA API is unique.. ... you hypothesize that you are getting a response from the ... Can you upload a ZIP file for example and then get that same ZIP file ...
    (Full-Disclosure)
  • Re: interessantes Konzept - nicht neu, aber gut:
    ... Die letzten Meldungen die Google ausspuckt stammen irgendwo aus 2010. ... Das Projekt hat sein wesentliches Ergebnis, ein API und zwei ... Modellimplementationen, abgeliefert. ... Kameras in dieser Weise für computational photography zu öffnen. ...
    (de.rec.fotografie)
  • Re: [Full-disclosure] Fwd: Google vulnerabilities with PoC
    ... Now if Google doesn't want to fix patch that, ... Youtube DATA API is unique.. ... you hypothesize that you are getting a response from the ... Youtube whereby it appears than you can upload an arbitrary file. ...
    (Full-Disclosure)
  • Commercial use of Google API
    ... I am slowly learning about this Google API thing; ... "Unauthorized" SEO software that violates Google's Terms & ... SEO software the *does* use the Google API - but as an SEO selling ...
    (alt.internet.search-engines)
  • Re: Spidering Hacks
    ... The same place you'd look to use their API from Ruby, Python, etc. ... My point was that the question in *this* thread has nothing to do with Perl. ... Ruby, Python, C, Java, or any other programmers all obtain their Google keys ...
    (comp.lang.perl.misc)