Full Disclosure mailing list archives
Re: The email that hacks you
From: aditya <nauty.me04 () gmail com>
Date: Wed, 28 Nov 2012 18:14:06 +0530
Please if you could share the code, I would like to test it for my router as well. Thanks On Wed, Nov 28, 2012 at 6:02 PM, Bogdan Calin <bogdan () acunetix com> wrote:
Thanks aditya, The code is not published on the blog post but it's visible in the video. It's very simple to reproduce this problem. On 11/28/2012 1:53 PM, aditya wrote:I totally agree with Christian, it is as insane as passing username andpasswords using GETrequests. But congrats Bogdan for the bringing to us a nice hack. Have u shared the code as well Bogdan? On Wed, Nov 28, 2012 at 5:07 PM, Christian Sciberras <uuf6429 () gmail com<mailto:uuf6429 () gmail com>>wrote: From an architectural perspective, "auto logins" or whatever they'recalled should work througha random string, just as most providers already do. There is absolutely no reason to pass the username/password from aURL, especially when in plaintext as in these cases. Since there is no loss of features (there are safer, saner, sensiblealternatives), I think thisis better considered a bug, since it is never actually needed in thefirst place.Also, with the random token system, I think it is best to stillrequire the user/pass when theURL the user is directed to is going to do something such asmodifying/updating stuff.Chris. On Wed, Nov 28, 2012 at 12:15 PM, Bogdan Calin <bogdan () acunetix com <mailto:bogdan () acunetix com>> wrote: Yes, I agree with you. However, my opinion it that it should be fixed once and for allin iOS/Webkit (and the otherbrowsers) by disabling resources loaded with credentials. At some point, as a protection for phishing, URLs with the format scheme://username:password@hostname/ were disabled. When you enter in the browser bar something like that it doesn'twork in most browsers.I was surprised to see that doing something like <image src='scheme://username:password@hostname/path'> works in Chromeand Firefox but if you enter thesame URL in the browser bar it doesn't work. This doesn't workin Internet Explorer, whichis the right behavior in my opinion. I don't see any good reason why something like this should work.Closing this in browserswill solve this problem once and for all. On 11/28/2012 1:00 PM, Guifre wrote: > Hello, > > "I can also confirm that this attack works on iPhone, iPad andMac's> default mail client." > > Of course, it works anywhere where arbitrary client-side codecan be> executed... IMAHO, the issue here is not your iphone loadingimages,> there are millions of attack vectors to trigger this attack...The> problem is the CSRF weaknesses of your router admin panel thatshould> be fixed by synchronizing a secret token or by using any otherwell> known mitigation strategy against these attacks. > > Best Regards, > Guifre. > -- Bogdan Calin - bogdan [at] acunetix.com <http://acunetix.com> CTO Acunetix Ltd. - http://www.acunetix.com Acunetix Web Security Blog - http://www.acunetix.com/blog Follow us on Twitter - http://www.twitter.com/acunetix _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -- Regards Aditya Balapure-- Bogdan Calin - bogdan [at] acunetix.com CTO Acunetix Ltd. - http://www.acunetix.com Acunetix Web Security Blog - http://www.acunetix.com/blog Follow us on Twitter - http://www.twitter.com/acunetix
-- Regards Aditya Balapure
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- The email that hacks you Bogdan Calin (Nov 28)
- Re: The email that hacks you Guifre (Nov 28)
- Re: The email that hacks you Bogdan Calin (Nov 28)
- Re: The email that hacks you Christian Sciberras (Nov 28)
- Re: The email that hacks you aditya (Nov 28)
- Re: The email that hacks you Bogdan Calin (Nov 28)
- Re: The email that hacks you aditya (Nov 28)
- Re: The email that hacks you Bogdan Calin (Nov 28)
- Re: The email that hacks you Guifre (Nov 28)