Full Disclosure mailing list archives
Re: Cross Site Identification (CSID) attack. Description and demonstration.
From: Benji <me () b3nji com>
Date: Wed, 13 Jan 2010 16:47:54 +0000
yes, but scarier BECAUSE IT INVOLVES FACEBOOK ARGH!

On Wed, Jan 13, 2010 at 4:45 PM, Christian Sciberras <uuf6429 () gmail com> wrote:

> I'm confused, isn't this just like XSRF (cross-site request forgery)?
>
> Regards,
> Chris.
>
> On Wed, Jan 13, 2010 at 4:33 PM, Ronen Z <ronen () quaji com> wrote:
>
>> Hi,
>>
>> A new type of vulnerability is described in which publicly available information from social network sites obtained out of context, can be used to identify a user in cases where anonymity is taken for granted.
>>
>> This attack (dubbed Cross Site Identification, or CSID) assumes the following scenario: A user that is currently logged on to her social network account visits a 3rd party site, supposedly anonymously, in another browser tab. The 3rd party site causes her browser to contact the social network site and exploit the vulnerability resulting in her identity being disclosed to the attacker. The 3rd party target site is not necessarily controlled by the attacker. It could also be, for example, any site allowing user provided content that includes an image link (basically any forum or blog site). Other possibilities exist.
>>
>> While the information that is received by the attacker is technically publicly available, obtaining it in this manner effectively lifts the veil of anonymity from the user when interacting with the 3rd party site.
>>
>> Three social networks were tested and all were found to contain the vulnerability. These are Facebook, Orkut and Bebo. Some of the vulnerabilities were design flaws. The vulnerabilities are described and demonstrated. The sites were contacted in advance yet some of the vulnerabilities are still open.
>>
>> CSID is not bound only to social network sites but might be found on any site that authenticates its users. Various flavors of the attack are discussed.
>>
>> The post below contains a detailed description of the attack and its implications. It also includes details about the live vulnerabilities found.
>>
>> Post/White Paper: http://blog.quaji.com/2009/12/out-of-context-information-disclosure.html
>>
>> Ronen Zilberman
>> http://quaji.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Cross Site Identification (CSID) attack. Description and demonstration. Ronen Z (Jan 13)
- Re: Cross Site Identification (CSID) attack. Description and demonstration. Christian Sciberras (Jan 13)
- Re: Cross Site Identification (CSID) attack. Description and demonstration. Benji (Jan 13)
- Re: Cross Site Identification (CSID) attack. Description and demonstration. Christian Sciberras (Jan 13)
- Re: Cross Site Identification (CSID) attack. Description and demonstration. Ronen Z (Jan 16)
- Re: Cross Site Identification (CSID) attack. Description and demonstration. Christian Sciberras (Jan 16)
- Re: Cross Site Identification (CSID) attack. Description and demonstration. Benji (Jan 13)
- Re: Cross Site Identification (CSID) attack. Description and demonstration. Christian Sciberras (Jan 13)