full-disclosure-uk January 2010 archive

Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

From: Rohit Patnaik <quanticle_at_nospam>
Date: Wed Jan 20 2010 - 01:01:36 GMT
To: dramacrat <yirimyah@gmail.com>


Yeah, no kidding. Surprise! Untrusted files can be malicious. If you accept files from those whom you do not trust, whether it's via e-mail, instant message, Google Wave, or physical media, you well and truly deserve the virus that'll eventually infect your machine.

-- Rohit Patnaik

On Tue, Jan 19, 2010 at 7:11 AM, dramacrat <yirimyah@gmail.com> wrote:

> This is the stupidest advisory I have read on this list in at least two
> months.
>
> 2010/1/19 NSO Research <nso-research@sotiriu.de>
>
>> _________________________________________
>> Security Advisory NSOADV-2010-002
>> _________________________________________
>> _________________________________________
>>
>>
>> Title: Google Wave Design Bugs
>> Severity: Low
>> Advisory ID: NSOADV-2010-002
>> Found Date: 16.11.2009
>> Date Reported: 18.11.2009
>> Release Date: 19.01.2010
>> Author: Nikolas Sotiriu (lofi)
>> Mail: nso-research at sotiriu.de
>> URL: http://sotiriu.de/adv/NSOADV-2010-002.txt
>> Vendor: Google (http://www.google.com/)
>> Affected Products: Google Wave Preview (Date: =< 14.01.2010)
>> Not Affected Component: Google Wave Preview (Date: >= 14.01.2010)
>> Remote Exploitable: Yes
>> Local Exploitable: No
>> Patch Status: partially patched
>> Discovered by: Nikolas Sotiriu
>> Disclosure Policy: http://sotiriu.de/policy.html
>> Thanks to: Thierry Zoller: For the permission to use his
>> Policy
>>
>>
>>
>> Background:
>> ===========
>>
>> Google Wave is an online tool for real-time communication and
>> collaboration. A wave can be both a conversation and a document where
>> people can discuss and work together using richly formatted text,
>> photos, videos, maps, and more.
>>
>> (Product description from Google Website)
>>
>>
>>
>> Description:
>> ============
>>
>> All these possible attacks are the result of playing 4 hours with Google
>> Wave. I didn't check all the funny stuff which is possible with the Wave.
>>
>>
>>
>> 1. Gadget phishing attack:
>> --------------------------
>>
>> The Google Wave Gadget API can be used for phishing attacks.
>>
>> An attacker can build his own phishing Gadget, share it with his Google
>> Wave contacts and hopefully get the login credentials from a user.
>>
>> This behavior is normal. The problem is that this "bug" makes it easier
>> to steal logins.
>>
>>
>> 2. Virus spreading attack:
>> --------------------------
>>
>> Uploaded files are not scanned for malicious code.
>>
>> An attacker could upload his malware to a wave and share it with his
>> Google Wave contacts.
>>
>>
>>
>> Proof of Concept :
>> ==================
>>
>> A proof of concept gadget can be found here:
>> http://sotiriu.de/demos/phgadget.xml
>>
>>
>>
>> Solution:
>> =========
>>
>> 1. No changes made here.
>> Workaround: Don't trust Waves.
>>
>> 2. Google builds in AV scanning.
>>
>>
>>
>> Disclosure Timeline (YYYY/MM/DD):
>> =================================
>>
>> 2009.11.16: Vulnerability found
>> 2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure
>> date (2009.12.03) to Vendor
>> 2009.11.23: Vendor response
>> 2009.12.01: Ask for a status update, because the planned release date is
>> 2009.12.03.
>> 2009.12.03: Google Security Team asks for 2 more weeks to patch.
>> 2009.12.03: Changed release date to 2009.12.17.
>> 2009.12.15: Ask for a status update, because the planned release date is
>> 2009.12.17. => No Response
>> 2009.12.21: Ask for a status update.
>> 2009.12.29: Google Security Team informs me that there are no changes
>> made before 2010.01.03.
>> 2010.01.14: Google Security Team informs me that uploaded files will
>> now be scanned for malware. Google Gadgets will not be updated.
>> 2010.01.19: Release of this Advisory
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>



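The second issue in the quoted advisory (uploaded files shared to a wave's contacts without any malware scan) and its stated fix (scanning uploads before they are distributed) can be illustrated with a minimal upload gate. The following is an added example written for this archive page; it is not code from the advisory author, from Google Wave, or from any real scanner. It assumes hypothetical function names (`scan_upload`, `gate_share`), a constructed SHA-256 denylist, and uses the standard EICAR anti-virus test string as its only content signature, so that it runs entirely offline.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# The industry-standard EICAR test string: every anti-virus product treats a
# file containing it as malware, so it is a safe stand-in for a real signature.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed denylist of SHA-256 digests of previously classified files.
# Seeded with the hash of one constructed sample so the example is self-contained.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-malware-sample").hexdigest(),
}


@dataclass
class ScanResult:
    verdict: str  # "clean" or "blocked"
    reason: str
    sha256: str


def scan_upload(data: bytes) -> ScanResult:
    """Scan one uploaded blob before it is stored or shared.

    Two checks run in order: an exact-hash lookup against the denylist, then a
    content-signature search. Hash lookups only catch byte-identical copies,
    which is why the signature pass (and, in a real deployment, a full AV
    engine) is still needed.
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return ScanResult("blocked", "hash matches known malware", digest)
    # Substring search so padding or wrapping the payload does not evade it.
    if EICAR in data:
        return ScanResult("blocked", "EICAR test signature found", digest)
    return ScanResult("clean", "no signature matched", digest)


def gate_share(filename: str, data: bytes,
               contacts: Iterable[str]) -> Tuple[List[str], ScanResult]:
    """Fan an attachment out to contacts only when the scan comes back clean.

    Returns the list of recipients actually delivered to and the scan result,
    so callers can log the quarantine decision with the file's digest.
    """
    result = scan_upload(data)
    if result.verdict != "clean":
        # Nothing is delivered; the digest in `result` is what a SOC would log.
        return [], result
    return list(contacts), result


if __name__ == "__main__":
    # Constructed sample uploads: a benign note, an EICAR file padded with
    # filler, and a byte-identical copy of the denylisted sample.
    samples = {
        "notes.txt": b"meeting notes for the wave",
        "invoice.com": b"\x00" * 32 + EICAR + b"\x00" * 32,
        "tool.exe": b"constructed-malware-sample",
    }
    for name, blob in samples.items():
        delivered, res = gate_share(name, blob, ["alice", "bob"])
        print(f"{name}: {res.verdict} ({res.reason}) -> {delivered}")
```

Running the block delivers only `notes.txt`; the padded EICAR file and the denylisted sample are quarantined with a reason and digest suitable for an audit log. Note the caveat built into `scan_upload`: a one-byte change to the sample defeats the hash check, so a denylist alone is not the "AV scanning" the advisory asks for; it is the cheap first pass in front of a real engine.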