Bugtraq mailing list archives
Re: New Bug KESM in GoogleTalk
From: Cory Altheide <cory () google com>
Date: Fri, 11 Nov 2005 11:35:26 -0800
From: natalylopez380 () hotmail com To: bugtraq () securityfocus com Subject: New Bug KESM in GoogleTalk Hi!! My name is Nataly Lopez, I'm a 17 years old girl living in Venezuela; I have always loved computer security because that's also my father's work. Well, the reason for me to post this is for telling you about a bug in Google Talk I discovered with my friend chris77 (#velug @ irc.freenode.net) this afternoon. Google Talk's excellent features allow the user to know when contacts send mails without configuring any passports, etc., well, you know that. What's really funny is: one can generate remote errors in the users' systems connected to Google Talk, and thus creating a kind of DoS. So Google Talk stops working if it has email notification enabled: it suffices to type this command in a Linux shell (nail must be installed of course): echo kill | nail -s Kill -r "" victim () gmail com This instruction is quite simple, and will send an email to the user being connected to Google Talk from a certain "unknown sender", and as you can see, GoogleTalk Windows client cannot notify <> is sending an email. Therefore, an error windows appears on screen: [ Google Talk encountered an internal error, and must now close. Ok to report this error to Google? ] [Yes] [No] We called this bug KESM, which stands for "Killer Empty Sender Message" :) and one can easily implement it into a loop, keeping the victim busy clicking on the YES button and resetting his connection to Google Talk. That's all for now folks :-)
Google has investigated this report and verified the validity of this bug. It is fixed in the current version of Google Talk (1.0.0.76), which is available at http://www.google.com/talk/. Existing users are being updated automatically. We take the security of our services and users very seriously, and work to rapidly resolve any reported vulnerabilities. In the interest of minimizing the impact that security vulnerabilities have on our end users, we highly encourage anyone who discovers a vulnerability in a Google product or service to follow responsible disclosure policies by contacting us first at security () google com. -- -- Cory Altheide -- Incident Response Lead -- Google Security Team -- security () google com
Current thread:
- New Bug KESM in GoogleTalk natalylopez380 (Nov 09)
- <Possible follow-ups>
- Re: New Bug KESM in GoogleTalk crowdat (Nov 10)
- Re: New Bug KESM in GoogleTalk Cory Altheide (Nov 14)
- Re: New Bug KESM in GoogleTalk kahrny (Nov 18)