Full Disclosure mailing list archives
Re: NSOADV-2010-002: Google Wave Design Bugs
From: omg wtf <hexmasta () gmail com>
Date: Tue, 19 Jan 2010 15:25:47 -0600
Apparently not. Read Google's Response:

2010.01.14: Google Security Team informs me, that uploaded files will be now scanned for malware. Google Gadgets will be not updated.

On Tue, Jan 19, 2010 at 7:11 AM, dramacrat <yirimyah () gmail com> wrote:
This is the stupidest advisory I have read on this list in at least two months.

2010/1/19 NSO Research <nso-research () sotiriu de>

_________________________________________
Security Advisory NSOADV-2010-002
_________________________________________
_________________________________________

Title: Google Wave Design Bugs
Severity: Low
Advisory ID: NSOADV-2010-002
Found Date: 16.11.2009
Date Reported: 18.11.2009
Release Date: 19.01.2010
Author: Nikolas Sotiriu (lofi)
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2010-002.txt
Vendor: Google (http://www.google.com/)
Affected Products: Google Wave Preview (Date: =< 14.01.2010)
Not Affected Component: Google Wave Preview (Date: >= 14.01.2010)
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: partially patched
Discovered by: Nikolas Sotiriu
Disclosure Policy: http://sotiriu.de/policy.html
Thanks to: Thierry Zoller: For the permission to use his Policy

Background:
===========

Google Wave is an online tool for real-time communication and collaboration. A wave can be both a conversation and a document where people can discuss and work together using richly formatted text, photos, videos, maps, and more.

(Product description from Google Website)

Description:
============

All these possible attacks are the result of playing 4 hours with Google Wave. I didn't check all the funny stuff, which is possible with the Wave.

1. Gadget phishing attack:
--------------------------

The Google Wave Gadget API can be used for phishing attacks. An attacker can build his own phishing Gadget, share it with his Google Wave contacts and hopefully get the login credentials from a user.

This behavior is normal. The Problem is, that this "bug" makes it easier to steal logins.

2. Virus spreading attack:
--------------------------

Uploaded files are not scanned for malicious code. An attacker could upload his malware to a wave and share it to his Google Wave contacts.

Proof of Concept :
==================

A proof of concept gadget can be found here:
http://sotiriu.de/demos/phgadget.xml

Solution:
=========

1. No changes made here. Workaround: Don't trust Waves.
2. Google builds in AV scanning.

Disclosure Timeline (YYYY/MM/DD):
=================================

2009.11.16: Vulnerability found
2009.11.17: Sent PoC, Advisory, Disclosure policy and planned disclosure date (2009.12.03) to Vendor
2009.11.23: Vendor response
2009.12.01: Ask for a status update, because the planned release date is 2009.12.03.
2009.12.03: Google Security Team asks for 2 more weeks to patch.
2009.12.03: Changed release date to 2009.12.17.
2009.12.15: Ask for a status update, because the planned release date is 2009.12.17. => No Response
2009.12.21: Ask for a status update.
2009.12.29: Google Security Team informs me, that there are no changes made before 2010.01.03.
2010.01.14: Google Security Team informs me, that uploaded files will be now scanned for malware. Google Gadgets will be not updated.
2010.01.19: Release of this Advisory

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- NSOADV-2010-002: Google Wave Design Bugs NSO Research (Jan 19)
- Re: NSOADV-2010-002: Google Wave Design Bugs dramacrat (Jan 19)
- Re: NSOADV-2010-002: Google Wave Design Bugs omg wtf (Jan 19)
- Re: NSOADV-2010-002: Google Wave Design Bugs Rohit Patnaik (Jan 19)
- Re: NSOADV-2010-002: Google Wave Design Bugs Valdis . Kletnieks (Jan 19)
- Re: NSOADV-2010-002: Google Wave Design Bugs omg wtf (Jan 20)
- Re: NSOADV-2010-002: Google Wave Design Bugs Christian Sciberras (Jan 20)
- Re: NSOADV-2010-002: Google Wave Design Bugs Rohit Patnaik (Jan 20)
- Re: NSOADV-2010-002: Google Wave Design Bugs bugtraq (Jan 21)
- Re: NSOADV-2010-002: Google Wave Design Bugs dramacrat (Jan 21)
- Re: NSOADV-2010-002: Google Wave Design Bugs dramacrat (Jan 19)
- <Possible follow-ups>
- Re: NSOADV-2010-002: Google Wave Design Bugs sunjester (Jan 23)