full-disclosure-uk January 2010 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] NSOADV-2010-002: Googl

Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

From: Rohit Patnaik <quanticle_at_nospam>
Date: Wed Jan 20 2010 - 23:10:47 GMT
To: Valdis.Kletnieks@vt.edu

Well, that's exactly what I'm saying. Pretending that this is some kind new exploit class simply because Google Wave is used is stupid. This is the logical extension of e-mail and instant message and social network attacks to the next potential platform.

  • Rohit Patnaik

On Tue, Jan 19, 2010 at 8:10 PM, <Valdis.Kletnieks@vt.edu> wrote:

> On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
> > Yeah, no kidding. Surprise! Untrusted files can be malicious. If you
> > accept files from those whom you do not trust, whether its via e-mail,
> > instant message, Google Wave, or physical media, you well and truly
> deserve
> > the virus that'll eventually infect your machine.
> Let's see.. *HOW* many years ago did we first see e-mail based viruses that
> depended on people opening them because they came from people they already
> knew? 'CHRISTMA EXEC' in 1984 comes to mind.
> The problem here is that Google Wave is for *collaboration* - which means
> that you're communicating with people you already know, and presumably
> trust to some degree or other. "Hey Joe, look at this PDF and tell me
> what you think" is something reasonable when the request comes from
> somebody
> who Joe knows and who has sent Joe PDF's in the past.
> I guarantee that if every time you receive a document that appears to be
> from
> your boss, you call back and ask if they really intended to send a document
> or
> if it's a virus, your boss will get very cranky with you very fast.
> Let's look at that original advisory again:
> >> An attacker could upload his malware to a wave and share it to his
> >> Google Wave contacts.
> Now change that to "An attacker could trick/pwn some poor victim into
> uploading
> the malware to a wave...." Hilarity ensues.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/