full-disclosure-uk January 2010 archive

Re: [Full-disclosure] NSOADV-2010-002: Google Wave Design Bugs

From: <bugtraq_at_nospam>
Date: Thu Jan 21 2010 - 00:15:56 GMT
To: quanticle@gmail.com (Rohit Patnaik)


> Well, that's exactly what I'm saying. Pretending that this is some kind of new
> exploit class simply because Google Wave is used is stupid. This is the
> logical extension of e-mail and instant message and social network attacks
> to the next potential platform.

Following in the history of the security community, we should coin a buzzword on this old issue with a new spin. WaveJacking sounds like a perfect fit.
</sarcasm>

> On Tue, Jan 19, 2010 at 8:10 PM, <Valdis.Kletnieks@vt.edu> wrote:
>
> > On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
> > > Yeah, no kidding. Surprise! Untrusted files can be malicious. If you
> > > accept files from those whom you do not trust, whether it's via e-mail,
> > > instant message, Google Wave, or physical media, you well and truly deserve
> > > the virus that'll eventually infect your machine.
> >
> > Let's see.. *HOW* many years ago did we first see e-mail based viruses that
> > depended on people opening them because they came from people they already
> > knew? 'CHRISTMA EXEC' in 1984 comes to mind.
> >
> > The problem here is that Google Wave is for *collaboration* - which means
> > that you're communicating with people you already know, and presumably
> > trust to some degree or other. "Hey Joe, look at this PDF and tell me
> > what you think" is something reasonable when the request comes from somebody
> > who Joe knows and who has sent Joe PDF's in the past.
> >
> > I guarantee that if every time you receive a document that appears to be from
> > your boss, you call back and ask if they really intended to send a document or
> > if it's a virus, your boss will get very cranky with you very fast.
> >
> > Let's look at that original advisory again:
> >
> > >> An attacker could upload his malware to a wave and share it to his
> > >> Google Wave contacts.
> >
> > Now change that to "An attacker could trick/pwn some poor victim into uploading
> > the malware to a wave...." Hilarity ensues.

http://www.cgisecurity.com/



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/