Swede publishes email logins of 100 embassies

The Swedish security expert Dan Egerstad has found and published usernames and passwords for the email accounts of 100 embassies across the world.

Computer Sweden has interviewed him, and he explains how he found the information while doing a security lab recently.

Since then he has pondered what to do with it. Contacting all the embassies would have been a time-consuming task and perhaps met with the wrong attitude. If he had given it to SÄPO (the National Security Service of Sweden) it would have been considered an act of espionage. So he made the brave decision to publish the information on his blog, Deranged Security.

There is still no information about which systems the hacked email accounts were running on, but it would be interesting to find out. I guess it's only a matter of time before we learn more about this.

Hopefully this will shed some light on the insufficient security of email accounts and push development towards safer systems.

By Jesper Lind

Friendly XSS-worm fixes your Wordpress installation

I got a message from the security expert beNi saying that he has found 7 security issues in the blog platform WordPress (latest version 2.2.1).

He has now created a friendly XSS worm which uses these vulnerabilities to patch your system. There are more instructions on how to do this in his blog post.

Now that the flaws are known to the public there is a big risk of XSS attacks happening. So you now have two options: wait for the official WordPress fix, or apply beNi's fix for immediate protection.

If you apply the patch on this recommendation, I am not responsible for any side effects it might have. But I trust beNi, so I think you can go ahead with the patching. Just make sure you make a proper backup before you start.

More info

http://www.gnucitizen.org/blog/friendly-ajax-xss-worm-for-wordpress

Update: WordPress has now released a security fix. Benjamin Flesch (beNi) is impressed that it only took 6 days, but not so happy that they didn't mention him at first. They have now, however, put a thank-you message in their blog post. Mission complete.

By Jesper Lind

Disclosure of Gmail security problems

http://www.codeodyssey.se/upload/resource/blog/gmail-disclosure.png

In February this year an XSS problem on Google's login page was found by the security expert beNi. See the screendump above of how this "secure" SSL page could be corrupted before the development team closed it down.

Google did respond to beNi and thanked him for the discovery, but he was a bit disappointed that they did not show more gratitude than they did. I understand him. A company the size of Google should be able to show greater gratitude towards nice hackers who help them protect their applications.

Since beNi wasn't happy, he is now saying that in the future he will not warn them before revealing similar exploits.

So the other day he showed us a proof of concept of how a criminal can get access to all the contacts in Gmail and also the Google Authentication Token. These can be found on a page that generates an XML document. Really scary, actually. If you are logged in to your Gmail account you can see it for yourself by visiting the following address.

http://groups.google.com/groups/profile/contacts?max=500

beNi goes on to show how this information can be used in an attack. For this he needed an XSS flaw on Google, and he found one rather quickly. Read his blog post for more information and images. I have also saved a screendump of the last step in the exploit, which you can see above.

So from now on we know that Gmail information isn't really kept safe. The only thing a criminal needs is an XSS flaw on Google, and there seem to be quite a few. I recommend being careful when you see links going to Google, especially if you're a Gmail user. If there is any doubt about the source of a link, you shouldn't click it.

Personally I don't use Gmail and only have one contact there. But the fact that the Google Authentication Token can be accessed so easily makes me really nervous. I don't want anybody to take over my Google login and start playing around with my AdSense accounts and the other services I use.

Also read ha.ckers.org, which comments on the disclosure.

By Jesper Lind

Security issues with Swedish news sites

http://www.codeodyssey.se/upload/resource/blog/DN-achtung.png

Some time ago I wrote about a German site that provides a list of web sites vulnerable to XSS attacks. The owner of the site found the link and asked me to translate my post into English so he could understand it.

During our discussion I told him that it would be interesting to see how secure Swedish web sites are. The security expert who calls himself "beNi" asked me to make a list of some well-known sites. I chose some that came to mind and have been in focus lately.

News sites:

Aftonbladet.se
DN.se
SvD.se

Blog portals:

Bloggportalen.se
Twingly.se
Knuff.se

A great disappointment

I got a reply from beNi, and he tells me he has done some research. He only investigated DN, SvD and Twingly. The other three sites on the list loaded too slowly for him to work with (even though he has a 6 Mbit connection).

He found a whole bunch of insecure pages within a few minutes. Both DN and SvD contain some holes, as you can read on his blog. There are also five example URLs showing how these issues can be abused.

Examples of XSS-vulnerabilities

These are the examples. I have also uploaded some screenshots of how the pages look when you visit them at the moment. These links are not dangerous to visit, but if you see something similar anywhere else I would strongly suggest not trying them.

Security problem 1 - DN.se (issue secured) (screendump)

Security problem 2 - DN.se (issue secured) (screendump)

Security problem 3 - Koll.se (issue secured) (screendump)

Security problem 4 - SvD.se (issue secured) (screendump)

Security problem 5 - SvD.se (issue secured) (screendump)

Twingly was free of security issues. The site uses ASP.NET, which has a lot of built-in protection. Microsoft has realised the importance of protecting against XSS and has also released special APIs for protection. I will write about these at a later time.

DN, which uses Java, and SvD, which runs on classic ASP, were not so successful in the test.

Developers must wake up

It is quite embarrassing to see that news sites of this size don't have complete control of their web app security. Webmasters must wake up and realise: you are not only risking the security of your own sites. The main thing about cross-site scripting is that it can be used to target other sites than the domain the flaw is found on.

Update: There have been some responses to the Swedish version of this post, where I have documented the developments in more depth. In short, the following has happened.

Two of the links above were indexed by Twingly, which is a ping service connected to the news sites. That meant that this post was linked to from both news sites next to some articles, and received quite a lot of visitors.

I would like to thank Martin, who works on Twingly, for pointing out that the URLs were normalized before they entered their system. Whether these links should have been indexed at all by the blog portal is still questionable.

I also temporarily removed the links, since I felt a bit guilty about publishing them without giving the site owners a warning first. I did email both news sites rather quickly after I wrote the blog post. SvD replied and thanked me for letting them know. They have now fixed the issues, and I congratulate them on their swift action.

The issues on DN.se still remain unfixed, and I have not heard anything from them. I will give them some time to fix the problems before I publish the links on my site again.

I want to keep these XSS links on my site as a reference for other developers. They might be useful for webmasters to realise what kind of threat they are up against. The other reason I would like to keep the links on my site is that I would like to study how the search engines respond to them. Will they, for example, be indexed by Google? Will they still work in the cached versions? It will be interesting to find out.

Update 2: We are happy to note that DN has also fixed their security problems. Both sites managed to shut down their XSS flaws in only 1-2 days, which is really good.

By Jesper Lind

List of web sites vulnerable to XSS

Some time ago there was proof that Google had indexed an XSS link pointing to the web site of the FBI (screendump).

Just as expected, the threat of cross-site scripting is now growing, and ha.ckers.org writes about a German site which provides a top list of web sites vulnerable to XSS attacks.

As I understand it, the list is quite useful for "black-hat" optimizers, who can use the vulnerabilities to inject their own code into the URLs and in this way include their own links and keywords. To spam the SERPs, in other words. Next to each site in the list there are PR (PageRank) values so that they can easily choose which target might be rewarding.

The list mostly features German addresses, but there is also a Danish web shop included. No Swedish addresses so far. That the well-known security company VeriSign is at the top of the list is rather alarming. I have not been able to try out the XSS vector for this site, since you have to contact the owners of the site for access.

But many of the security holes do work, and the developers of the site provide examples with messages about their services: they offer advice on how to solve the issues.

Since XSS code is normal JavaScript, it is very hard to distinguish malicious code from ordinary code. Every piece of script can be written in a great number of variations, for example using hexadecimal character encodings.

As long as the search engines continue to index these hijacked URLs the problems will continue. Not many site owners are aware of this new type of attack. The risk of being shut out of the search engine results is big if you have a vulnerability of this sort: a bad guy can start using it to distribute their own content that appears to come from your domain.

By Jesper Lind

A class that generates passwords

This is an example of a class that generates passwords. I have used it for so long that I have forgotten where I found it originally. If you recognize the code, please let me know the origin and I will add a reference.
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Text;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;

/// <summary>
/// Summary description for PasswordGenerator
/// </summary>
public class PasswordGenerator : Page
{
    // The alphabet the password is drawn from: a-z, A-Z and 0-9.
    private char[] characterArray;
    private Int32 passwordLength = 10;
    // Note: System.Random is a general-purpose pseudo-random generator,
    // not a cryptographic one.
    Random randNum = new Random();

    public PasswordGenerator()
    {
        characterArray = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".ToCharArray();
    }

    // Picks one character from the alphabet: NextDouble() is in [0, 1), so
    // scaling it by the array length gives an index in [0, Length).
    private char GetRandomCharacter()
    {
        return this.characterArray[(int)((this.characterArray.GetUpperBound(0) + 1) * randNum.NextDouble())];
    }

    // Builds a password of passwordLength characters.
    public string Generate()
    {
        StringBuilder sb = new StringBuilder();
        sb.Capacity = passwordLength;
        for (int count = 0; count < passwordLength; count++)
        {
            sb.Append(GetRandomCharacter());
        }
        return sb.ToString();
    }
}
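As an added example (my own code, not the class from the post or its unknown origin): the same generator rebuilt on RandomNumberGenerator from System.Security.Cryptography, because System.Random is a deterministic generator that is not designed for producing secrets. The index is drawn with rejection sampling so every character is equally likely; the class name SecurePasswordGenerator is mine, and it assumes .NET Framework 2.0 or later (or any .NET Core version).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the original post's class: a password generator backed by
// the framework's cryptographic RNG instead of System.Random.
public class SecurePasswordGenerator
{
    private readonly char[] alphabet =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".ToCharArray();
    private readonly int passwordLength;
    private readonly RandomNumberGenerator rng = RandomNumberGenerator.Create();

    public SecurePasswordGenerator(int length)
    {
        if (length < 1) throw new ArgumentOutOfRangeException("length");
        passwordLength = length;
    }

    // Draws one index in [0, alphabet.Length) without modulo bias: a random
    // byte is accepted only if it is below the largest multiple of the
    // alphabet size that fits in a byte (for 62 symbols: 256 - 256 % 62 = 248),
    // so after rejection every symbol has the same probability, 1/62.
    private int NextIndex()
    {
        byte[] one = new byte[1];
        int limit = 256 - (256 % alphabet.Length);
        do
        {
            rng.GetBytes(one);
        } while (one[0] >= limit);
        return one[0] % alphabet.Length;
    }

    public string Generate()
    {
        StringBuilder sb = new StringBuilder(passwordLength);
        for (int i = 0; i < passwordLength; i++)
        {
            sb.Append(alphabet[NextIndex()]);
        }
        return sb.ToString();
    }

    // Usage: prints one 16-character password.
    public static void Main()
    {
        Console.WriteLine(new SecurePasswordGenerator(16).Generate());
    }
}
```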
By Jesper Lind