Re: [Full-disclosure] Gmail 0day
Hello Juergen,

With all my respect, is it that hard to see that gaining access to a Gmail session can lead to your identity being stolen? Nowadays your webmail account means your online life/presence. Let's walk through an attack, shall we?

1. Your Gmail session is hijacked (i.e.: via the XSS PoC posted on FD)

2. Attacker searches for "password" in 'Inbox'/'Sent Mail'.
   - How many times have you clicked on "Forgot password" on MULTIPLE online accounts and the password (whether a new pass or the original one) emailed to you has not been changed from the time you got the forgotten-password email?
   - How many users have emailed passwords to themselves so that they don't forget?
   - How many users use the same password on MULTIPLE online accounts (including merchant/e-commerce accounts)?
   - How many users have clicked on "remember credit card details" so that they don't have to re-enter their CC data every time they perform an online transaction?
   - Did you forget to disable your Gtalk chat history? (Gtalk is still within the google.com domain)
   - Have you saved anything personal on other services such as Google Docs/Calendar/Notebook? (or any other google.com service that doesn't require you to re-login once authenticated)

3. For most victims, this leads to a compromise of his/her online identity.

If you fail to see the problem, then please think before you complain about "damn, right now 0day are fucking XSS".

Posting an XSS PoC that opens an alert box doesn't have much merit perhaps. However, this is the equivalent of saying: hey, I can cause a BO condition. If you send X parameter with 500 bytes/chars or more, then EIP is overwritten and the attacked service crashes. Now compare that to actually compromising the server via the buffer overflow vulnerability. That's a DIFFERENT STORY. Same thing goes for any XSS.

Now say, screw a cookie theft exploit for the Gmail XSS! (pardon my French). Make something more clever!

Perhaps you want a payload that scrapes all the victim's emails which contain keywords such as 'password', 'private', 'admin', and so on. Then, all the captured data is submitted to the attacker's site in the background (nothing suspicious is visually happening from the victim's point of view). Sure, Gmail has CSRF protection, but that can be bypassed via XSS. After all, anti-CSRF tokens can be grabbed if URLs can be accessed within the security context of the target domain (which is possible via XSS).

If you consider all the aforementioned thoughts plus the fact that Gmail is one of the most popular webmail services, then you should be able to understand the power of an XSS vuln on google.com!

Regards,
AP.

On Nov 8, 2007 8:55 PM, Juergen Marester [EMAIL PROTECTED] wrote:
> wow ! 0day ! damn, right now 0day are fucking XSS ...
>
> On 11/8/07, silky [EMAIL PROTECTED] wrote:
> > worked for me minutes after it was posted. seems fixed now.
> >
> > On 11/9/07, crazy frog crazy frog [EMAIL PROTECTED] wrote:
> > > i tested it on gmail latest version, it's not working for me?
> > >
> > > On Nov 8, 2007 7:04 AM, Scripter Hack [EMAIL PROTECTED] wrote:
> > > > There is an HTML injection vulnerability in https://www.google.com. It is very critical, you can get the cookie to login into Gmail or other services.
> > > >
> > > > POC:
> > > > https://www.google.com/accounts/ServiceLogin?service=mailrm=falsecontinue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dlltmpl=defaultltmplcache=2passive=truel#;/scriptscriptalert('xss')/script1-=1
> > > >
> > > > More: http://xss2root.blogspot.com/
> > > >
> > > > ___
> > > > Full-Disclosure - We believe in it.
> > > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > > --
> > > advertise on secgeeks? http://secgeeks.com/Advertising_on_Secgeeks.com
> > > http://newskicks.com
> >
> > --
> > mike
> > http://lets.coozi.com.au/

--
pagvac
gnucitizen.org, ikwt.com
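The original post reports an HTML injection in the ServiceLogin page: part of the request URL is reflected into the page so that a `</script><script>` sequence breaks out of the intended context. As an added example (not code from this thread or from Google), here is a Node.js sketch of that class of bug beside its fix: a template that interpolates a continue-URL into an inline script verbatim, and one that serialises it as an escaped JSON literal so the same input stays inert. The template, `continueUrl` and the function names are assumptions.

```javascript
// Added example (not code from the thread or from Google): a request value
// reflected into an inline <script> block, first verbatim, then encoded.
// The parameter name and the page template are assumptions.

// Constructed sample input modelled on the thread's PoC: it terminates the
// JS string, closes the script element early and opens a new one.
const HOSTILE_CONTINUE =
  "http://mail.google.com/mail/\";</script><script>alert('xss')</script>";

// Vulnerable: the value is dropped into the script source unchanged. The HTML
// parser sees the injected </script> before any JavaScript is ever parsed.
function renderVulnerable(continueUrl) {
  return `<script>var continueUrl = "${continueUrl}";</script>`;
}

// Hardened: serialise as a JSON string literal and \u-escape the characters
// that matter to the HTML parser (< and >, which cover </script and <!--)
// and to the JS parser (U+2028/U+2029 line terminators). Script content is
// not entity-decoded by the browser, so \u003c can never become a real tag.
function encodeForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(continueUrl) {
  return `<script>var continueUrl = ${encodeForInlineScript(continueUrl)};</script>`;
}

// How many script elements an HTML parser would see in the rendered page.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// The encoding loses no data: the JSON literal decodes back to the input.
function roundTrips(value) {
  return JSON.parse(encodeForInlineScript(value)) === value;
}

console.log(countScriptTags(renderVulnerable(HOSTILE_CONTINUE))); // 2
console.log(countScriptTags(renderSafe(HOSTILE_CONTINUE)));       // 1
console.log(roundTrips(HOSTILE_CONTINUE));                        // true
```

The same encoding rule applies to any server-side value placed inside a script element; it does not replace HTML-attribute or URL encoding for values placed in those contexts.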
Re: [Full-disclosure] Gmail 0day
On Fri, Nov 09, 2007 at 09:09:48AM +1100, silky wrote:
> news at 11: xss leads to ability to steal data.

that headline doesn't have enough 'fauxnews' in it.. how about

<voice id='themoviefoneguythatwasalsoingeicocommercials'>tonight at 11... is your personal data in the hands of hackers? don't miss our 42 part special report that uncovers the truth about your personal data on the internet</voice>

regards,
jonez

--
http://zoidtechnologies.com/ -- software that sucks less
Re: [Full-disclosure] Gmail 0day
this means a lot today :) if you haven't noticed!

On Nov 8, 2007 10:00 PM, silky [EMAIL PROTECTED] wrote:
> On 11/9/07, pdp (architect) [EMAIL PROTECTED] wrote:
> > well this XSS can lead to so much data being stolen that it is not even funny!
>
> orly?

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Gmail 0day
well this XSS can lead to so much data being stolen that it is not even funny!

On Nov 8, 2007 8:55 PM, Juergen Marester [EMAIL PROTECTED] wrote:
> wow ! 0day ! damn, right now 0day are fucking XSS ...
>
> On 11/8/07, silky [EMAIL PROTECTED] wrote:
> > worked for me minutes after it was posted. seems fixed now.
> >
> > On 11/9/07, crazy frog crazy frog [EMAIL PROTECTED] wrote:
> > > i tested it on gmail latest version, it's not working for me?
> > >
> > > On Nov 8, 2007 7:04 AM, Scripter Hack [EMAIL PROTECTED] wrote:
> > > > There is an HTML injection vulnerability in https://www.google.com. It is very critical, you can get the cookie to login into Gmail or other services.
> > > >
> > > > POC:
> > > > https://www.google.com/accounts/ServiceLogin?service=mailrm=falsecontinue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dlltmpl=defaultltmplcache=2passive=truel#;/scriptscriptalert('xss')/script1-=1
> > > >
> > > > More: http://xss2root.blogspot.com/
> > >
> > > --
> > > advertise on secgeeks? http://secgeeks.com/Advertising_on_Secgeeks.com
> > > http://newskicks.com
> >
> > --
> > mike
> > http://lets.coozi.com.au/

--
pdp (architect) | petko d. petkov
http://www.gnucitizen.org
Re: [Full-disclosure] Gmail 0day
wow ! 0day ! damn, right now 0day are fucking XSS ...

On 11/8/07, silky [EMAIL PROTECTED] wrote:
> worked for me minutes after it was posted. seems fixed now.
>
> On 11/9/07, crazy frog crazy frog [EMAIL PROTECTED] wrote:
> > i tested it on gmail latest version, it's not working for me?
> >
> > On Nov 8, 2007 7:04 AM, Scripter Hack [EMAIL PROTECTED] wrote:
> > > There is an HTML injection vulnerability in https://www.google.com. It is very critical, you can get the cookie to login into Gmail or other services.
> > >
> > > POC:
> > > https://www.google.com/accounts/ServiceLogin?service=mailrm=falsecontinue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dlltmpl=defaultltmplcache=2passive=truel# /scriptscriptalert('xss')/script1-=1
> > >
> > > More: http://xss2root.blogspot.com/
> >
> > --
> > advertise on secgeeks? http://secgeeks.com/Advertising_on_Secgeeks.com
> > http://newskicks.com
>
> --
> mike
> http://lets.coozi.com.au/
Re: [Full-disclosure] Gmail 0day
On 11/9/07, pdp (architect) [EMAIL PROTECTED] wrote:
> well this XSS can lead to so much data being stolen that it is not even funny!

orly?
Re: [Full-disclosure] Gmail 0day
worked for me minutes after it was posted. seems fixed now.

On 11/9/07, crazy frog crazy frog [EMAIL PROTECTED] wrote:
> i tested it on gmail latest version, it's not working for me?
>
> On Nov 8, 2007 7:04 AM, Scripter Hack [EMAIL PROTECTED] wrote:
> > There is an HTML injection vulnerability in https://www.google.com. It is very critical, you can get the cookie to login into Gmail or other services.
> >
> > POC:
> > https://www.google.com/accounts/ServiceLogin?service=mailrm=falsecontinue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dlltmpl=defaultltmplcache=2passive=truel#;/scriptscriptalert('xss')/script1-=1
> >
> > More: http://xss2root.blogspot.com/
>
> --
> advertise on secgeeks? http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com

--
mike
http://lets.coozi.com.au/
Re: [Full-disclosure] Gmail 0day
On 11/9/07, pdp (architect) [EMAIL PROTECTED] wrote:
> this means a lot today :) if you haven't noticed!

of course i've noticed; it's just pretty fucking obvious to absolutely everyone. i don't really see why you decided to point it out.

news at 11: xss leads to ability to steal data.

> On Nov 8, 2007 10:00 PM, silky [EMAIL PROTECTED] wrote:
> > On 11/9/07, pdp (architect) [EMAIL PROTECTED] wrote:
> > > well this XSS can lead to so much data being stolen that it is not even funny!
> >
> > orly?
>
> --
> pdp (architect) | petko d. petkov
> http://www.gnucitizen.org

--
mike
http://lets.coozi.com.au/
Re: [Full-disclosure] Gmail 0day
This was listed as 'Fixed' at Xssed.com when released about 17 hours ago (or maybe earlier).

Link (note: a mirror page generates JS pop-up etc.):
http://www.xssed.com/mirror/25472/

- Juha-Matti

silky [EMAIL PROTECTED] wrote:
> worked for me minutes after it was posted. seems fixed now.
>
> On 11/9/07, crazy frog crazy frog [EMAIL PROTECTED] wrote:
> > i tested it on gmail latest version, it's not working for me?
> >
> > On Nov 8, 2007 7:04 AM, Scripter Hack [EMAIL PROTECTED] wrote:
> > > There is an HTML injection vulnerability in https://www.google.com. It is very critical, you can get the cookie to login into Gmail or other services.
> > >
> > > POC:
> > > https://www.google.com/accounts/ServiceLogin?service=mailrm=falsecontinue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dlltmpl=defaultltmplcache=2passive=truel#;/scriptscriptalert('xss')/script1-=1
> > >
> > > More: http://xss2root.blogspot.com/
> >
> > --
> > advertise on secgeeks? http://secgeeks.com/Advertising_on_Secgeeks.com
> > http://newskicks.com
>
> --
> mike
> http://lets.coozi.com.au/
[Full-disclosure] Gmail 0day
There is an HTML injection vulnerability in https://www.google.com. It is very critical, you can get the cookie to login into Gmail or other services.

POC:
https://www.google.com/accounts/ServiceLogin?service=mailrm=falsecontinue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dlltmpl=defaultltmplcache=2passive=truel#;/scriptscriptalert('xss')/script1-=1

More: http://xss2root.blogspot.com/