> Well, that's exactly what I'm saying. Pretending that this is some kind of new
> exploit class simply because Google Wave is used is stupid. This is the
> logical extension of e-mail and instant message and social network attacks
> to the next potential platform.

Following in the history of the security community, we should coin a buzzword on this old issue with a new spin. WaveJacking sounds like a perfect fit. </sarcasm>

> On Tue, Jan 19, 2010 at 8:10 PM, <valdis.kletni...@vt.edu> wrote:
>
> > On Tue, 19 Jan 2010 19:01:36 CST, Rohit Patnaik said:
> > > Yeah, no kidding. Surprise! Untrusted files can be malicious. If you
> > > accept files from those whom you do not trust, whether it's via e-mail,
> > > instant message, Google Wave, or physical media, you well and truly deserve
> > > the virus that'll eventually infect your machine.
> >
> > Let's see.. *HOW* many years ago did we first see e-mail based viruses that
> > depended on people opening them because they came from people they already
> > knew? 'CHRISTMA EXEC' in 1984 comes to mind.
> >
> > The problem here is that Google Wave is for *collaboration* - which means
> > that you're communicating with people you already know, and presumably
> > trust to some degree or other. "Hey Joe, look at this PDF and tell me
> > what you think" is something reasonable when the request comes from somebody
> > who Joe knows and who has sent Joe PDF's in the past.
> >
> > I guarantee that if every time you receive a document that appears to be from
> > your boss, you call back and ask if they really intended to send a document or
> > if it's a virus, your boss will get very cranky with you very fast.
> >
> > Let's look at that original advisory again:
> >
> > >> An attacker could upload his malware to a wave and share it to his
> > >> Google Wave contacts.
> >
> > Now change that to "An attacker could trick/pwn some poor victim into uploading
> > the malware to a wave...." Hilarity ensues.

http://www.cgisecurity.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/