Disclosure of Gmail security problems

http://www.codeodyssey.se/upload/resource/blog/gmail-disclosure.png

In February this year an XSS problem on Google's login page was found by the security expert beNi. See a screendump of how this "secure" SSL page could be corrupted, before the development team closed it down.

Google did respond to beNi and thanked him for the discovery, but he was a bit disappointed that they did not show more gratitude than they did. I understand him. A company the size of Google should be able to show greater gratitude towards nice hackers who help them protect their applications.

Since beNi wasn't so happy he's now saying that in the future he will not warn them before he reveals similar exploits.

So the other day he showed us a proof of concept of how a criminal can get access to all contacts in Gmail and also the Google Authentication Token. These can be found on a page that generates an XML document. Really scary actually. If you are logged in to your Gmail account you can see it for yourself by visiting the following address.

http://groups.google.com/groups/profile/contacts?max=500

beNi continues to show how this information can be used in an attack. For this he needed an XSS flaw on Google, and he found one rather quickly. Read his blog post for more information and images. I have also saved a screendump of the last step in the exploit, which you can see above.

So from now on we know that Gmail information isn't really safely kept. The only thing a criminal needs is an XSS flaw on Google, and there seem to be quite a few. I recommend being careful when you see links going to Google if you're a Gmail user. If there is any doubt about the source of the link you shouldn't click it.

Personally I don't use Gmail and only have one contact there. But the fact that the Google Authentication Token can be accessed so easily makes me really nervous. I don't want anybody to take over my Google login and start playing around with my AdSense accounts and the other services I use.

Also read ha.ckers.org, which comments on the disclosure.

By Jesper Lind

List of web sites vulnerable to XSS

Some time ago there was proof that Google had indexed an XSS link pointing to the FBI's web site (screendump).

Just as expected, the threat of cross-site scripting is now growing, and ha.ckers.org writes about a German site which provides a top list of web sites vulnerable to XSS attacks.

As I understand it the list is quite useful for "black-hat" optimizers, who can use the vulnerabilities to inject their own code into the URLs and in this way include their own links and keywords, in other words to spam the SERPs. Next to each site in the list there are PR values so that they can easily choose which target might be rewarding.

The list mostly features German addresses, but a Danish web shop is also included. No Swedish addresses so far. That the well-known security company VeriSign is at the top of the list is rather alarming. I have not been able to try out the XSS vector for this site since you have to contact the owners of the site for access.

But many of the security holes do work, and the developers of the site provide examples with messages about their services: they offer advice on how to solve the issues.

Since XSS code is normal JavaScript it is very hard to distinguish malicious code from the ordinary. Every piece of script can be written in a great number of variations, for example using hexadecimal characters.

As long as the search engines continue to index these hijacked URLs the problems will continue. Not many site owners are aware of this new type of attack. The risk of being shut out of the search engine results is big if you have a vulnerability of this sort. A bad guy can start using it to distribute their own content that seems to come from your domain.
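The point above about hexadecimal variants is easy to see in code. This is an added example, not from the original post or from any of the sites mentioned: it compares a naive blacklist on a URL parameter with the same check after canonicalisation, and shows the output encoding that makes the "is it evil?" question moot. All function names and the sample strings are constructed for the example.

```javascript
// Added example, not part of the original post. Shows why a filter that looks
// for a literal "<script" in a URL parameter cannot keep up with encoded
// variants, and what a defender does instead: canonicalise before inspecting,
// and always encode on output.

// Turn a numeric code point into a character, leaving invalid ones untouched.
function codePointToChar(match, cp) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
}

// Reduce a URL parameter to what a browser would render: undo percent-encoding
// and HTML numeric character references (hex and decimal). Loops until the
// string is stable so that double-encoded input is also reduced.
function canonicalize(s) {
  let prev;
  do {
    prev = s;
    try { s = decodeURIComponent(s); } catch (_) { /* malformed %-sequence: keep as is */ }
    s = s.replace(/&#x([0-9a-f]+);?/gi, (m, h) => codePointToChar(m, parseInt(h, 16)))
         .replace(/&#(\d+);?/g, (m, d) => codePointToChar(m, parseInt(d, 10)));
  } while (s !== prev);
  return s;
}

// The naive blacklist check that the text says is hard to get right.
function naiveLooksLikeScript(s) {
  return s.toLowerCase().includes('<script');
}

// The same check after canonicalisation, so it sees what the browser sees.
function looksLikeScript(s) {
  return naiveLooksLikeScript(canonicalize(s));
}

// Output encoding for an HTML text context. With this applied, whether the
// input "looks evil" no longer matters: no variant can turn into markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed samples: the same tag written three ways, as a filter would see
// them arriving in a query string.
const samples = ['<script>', '%3Cscript%3E', '&#x3c;script&#x3e;'];
for (const s of samples) {
  console.log(JSON.stringify(s), 'naive:', naiveLooksLikeScript(s),
              'canonical:', looksLikeScript(s), 'escaped:', escapeHtml(canonicalize(s)));
}
```

Only the first sample trips the naive check; all three trip the canonicalised one, and all three escape to the same inert text.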

By Jesper Lind