Full Disclosure mailing list archives
Re: Hacking WolframAlpha
From: Lincoln Anderson <ayblinkin () gmail com>
Date: Wed, 25 Apr 2012 11:19:52 -0500
This is rather low-hanging fruit. But I suppose someone has to disclose the low-hanging fruit. Aside from abusing WolframAlpha's API, I'm not sure I see that this is that huge an accomplishment. I do find it somewhat silly that unobfuscated appids are passed to the API over an unsecured connection, but meh. My access to the API getting cut would be an annoyance, and I would certainly be nonplussed about that if I were one of the poor souls who paid for a bigger better faster stronger query plan, but still, meh. Maybe I'm missing out on the gravity of this by not using the WolframAlpha API.

Of course, I'm assuming the real point here *is* that the appid is passed unobfuscated and unsecured, and *not* that I can go trawling for appids on Google. The former is somewhat interesting to the niche of WolframAlpha API users. The latter is rather old news under the heading "I can find a disturbing amount of private information using a properly formatted Google query". Patching that vulnerability will only be accomplished through reeducation and strategic employment modifications.

On Tue, Apr 24, 2012 at 2:50 PM, Adam Behnke <adam () infosecinstitute com> wrote:
Sharing source code with peers is one thing; sharing secrets over a public medium is another. The all-seeing eye of Google has no mercy, and once the secret has been seen, indexed, and copied to clone sites, it is no longer a secret. Now combine the search power of Google with the computational power of WolframAlpha and the results are limitless!

It's raining data from these saturated clouds, and you just need to hold out your hands for a taste: http://resources.infosecinstitute.com/hacking-wolframalpha/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/