Full Disclosure mailing list archives
CAU-2005-0001: Chat Service Users - "Oops! Wrong Window" Information Disclosure
From: "I)ruid" <druid () caughq org>
Date: Fri, 01 Apr 2005 10:45:12 -0600
                      ____      ____     __    __
                     /    \    /    \   |  |  |  |
        ----====####/  /\__\##/  /\  \##|  |##|  |####====----
                   |  |      |  |__|  | |  |  |  |
                   |  |  ___ |   __   | |  |  |  |
  ------======######\  \/  /#|  |##|  |#|  |##|  |######======------
                     \____/  |__|  |__|  \______/

                    Computer Academic Underground
                        http://www.caughq.org
                          Security Advisory

===============/========================================================
Advisory ID:    CAU-2005-0001
Release Date:   04/01/2005
Title:          Chat Service Users - "Oops! Wrong Window" Information
                Disclosure
Application/OS: Users of All Chat Services
Topic:          Risk of sensitive information disclosure
Vendor Status:  Multiple Vendor - N/A
Attributes:     Information Disclosure, Remote
Advisory URL:   http://www.caughq.org/advisories/CAU-2005-0001.txt
Author/Email:   I)ruid (druid () caughq org)
===============/========================================================

Overview
========

A potential information disclosure vulnerability exists with all users
of chat services. When users do not adequately pay attention to which
window or application has focus on their workstation, they may
inadvertently type sensitive information like passwords or personal
information into the chat service.

Impact
======

Sensitive information may be disclosed by a careless user. Severity
varies depending on the user, the type of information and the number of
other users in the chat service that the user is logged into.
Frequently, this information can contain passwords, sensitive personal
information, or potential blackmail material that was meant for a
private chat channel or "room".

In the case of passwords or other types of authentication information,
the usefulness of such information generally diminishes fairly quickly
as the user immediately realizes that the information is compromised and
may move to change their authentication information. In such cases, a
race-condition is introduced between the user changing the
authentication information and the attacker attempting to identify where
the information may be used to authenticate and using that information
to gain access.

Affected Systems
================

All users currently logged into any chat system.

Technical Explanation
=====================

The currently selected (or active) window or application in a windowed
desktop environment is said to have "focus". When a careless user
becomes distracted or disoriented, often due to blatant and gratuitous
intoxication, they may inadvertently leave focus on their chat
application while attempting to address an event caused by another
application, such as a password prompt, web form asking for personal
information, or even a conversation within another channel or "room" in
the chat service.

When these types of conditions occur, the requested information that the
user thought was being handled by the application which generated the
event is instead transmitted via the still-focused chat application onto
the chat network where it is received by other, potentially malicious,
users. The sensitive information is then generally followed by an "Oops!
wrong window." message of some form as the user tries to play off their
obvious incompetence as just a harmless accident.

Solution & Recommendations
==========================

Pay attention to what you are doing when logged into chat services.

Exploitation
============

Log into any affected chat service. Join a channel, or "room", with a
large number of participants. Wait for someone to send a message like
"Oops! wrong window." or a similar variant, then note the preceding few
messages from that user which may contain sensitive information.

Credits & Gr33ts
================

The rest of the CAU crew, EFNet #C, NMRC, dc214, Octavius, Professor
Julius Sumner Miller, NWH, the April Fool, and everyone who's ever typed
"Oops! wrong window."
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/