Slashdot Mirror
Cross Site Scripting Discovered in Google
Security Test writes "Yair Amit posted a message early this morning to The Web Security Mailing List outlining a Cross Site Scripting flaw in Google that allows an attacker to carry out Phishing Attacks."
Get off my launchpad!
Although the article details an interesting exploit, Google fixed this on the 1st of this month--The title is somewhat misleading. It is useful to know that Google fixed this vulnerability 2 weeks after it was discovered, on November 15th.
Also, for those of us unaccustomed to DD/MM/YYYY date format, that's the format of all dates in the article.
Grammar Lesson: you're is a contraction of "you are"; your means you possess something; yore means days gone by.
From the message:
--[ Discovery Date: 15/11/2005
--[ Initial Vendor Response: 15/11/2005
--[ Issue solved: 01/12/2005
Message posted: 21/12/2005
They did give them a chance to fix it first.
They've had others in the past, but were quick to fix them. They have even sent t-shirts as thanks for the help. Other sites are not so friendly or fast. This site shows active security holes in various sites that have gone unresolved. (CSS, insecure logins, etc)
-- these are only opinions and they might not be mine.
A known issue is better then an unknown issue. With a known issue people will be more aware and be less likly to fall victum.
Reality is a big nasty dragon. Fortunately I don't believe in dragons.
I turned javascript off in 1999, just one less glaring security issue for me to address. Before anyone starts talking smack about responsive web apps, just remind me what Ed Felton said about flying pigs.
That's right, disable js and fix the web!
response was something like: "We will work on it; or we wont - but we wont tell you
Which sucks...
Here we go:
Original:i on=SelectMenu&SMID=EigenesOrderbuch&MenuName=&Init Href=http://www.consti.de/secure
/Fälschung --> Imitation /
https://www.vr-ebanking.de/index.php?RZBK=0280
MY Version (XSS):
https://www.vr-ebanking.de/help;jsessionid=XA?Act
... Hope they change their mind, sometime. :)
Consti / thr0n
Now we're going to start posting every freaking XSS we find? This is a VERY low impact XSS vul. Hell it's not even persistent. Who freaking cares? Are we going to post the slew of recent Yahoo XSS bugs too? WHat about the bug in Google Analytics which allowed you to iterate through all the customer domains?
If there ever was an endorsement for web-based applications, this is it. When a bug is fixed in Windows or Linux, it stays active in the wild for months or years because many users don't update. With web apps the user basically gets an "update" each time they visit the site. If Google fixed the problem on December 1, the vulnerability could have been announced the same day without any kind of negative impact.
The downside is that this only works if the app provider is a proprietary vendor with a closed architecture. If 3rd parties are allowed to create extensions or if users can create their own utilities/add-ons then centralized patching would likely introduce the same types of incompatibilities and breakages that current OS patches can introduce. Worse, centralized control might mean that users have no choice but to live with the patched version.
Two wrongs don't make a right, but three lefts do.
I'm always blown away by how the Internet security market works and self-correct itself without any regulation.
A major web site has a flaw. White hat and black hat "hackers" find that flaw, exploit it, and either abuse it or let the web site know about it. The web programmers go in and close the exploit because it affects how their customers use the service and could open them up to some liability.
This is the way the free market works. I'm a huge fan of how quickly the Internet (anthropomorphically) adapts to the changing needs of the billion of users. Some exploits that aren't fixed by the owners of code are fixed by third parties -- sometimes for profit and sometimes for free. Before we can even write one law to attempt to solve problems, others are already attacking the problems.
I'd like to see it stay this way. Every time we move forward to create legislation to protect the end user (see CAN-SPAM and a myriad of other laws), we see failure time and again. The loopholes in the laws make them irrelevant quickly, and all we get out of that is wasted money and wasted time.
Let the growth and expansion occur freely. We'll see some bad times (new viruses and new spam exploits) but we'll see those fixed in short order. If they don't get fixed, why is the Internet still chugging along and growing every day?
"How common are XSS holes?"
I had to laugh at that one.
Only an XSShole would steal your cookies.
He who knows best knows how little he knows. - Thomas Jefferson
Someone is trying to get their Pagerank up by submitting the story with a name of "Security Test" and linking to their shoddy website. The site has only a few links, no content, and it says the page is for sale. Will slashdot ever get their shit together and stop posting submissions with blatent pagerank-whoring links like this?
This is reported as a Google.com bug, which is partially true. But this is only one half of the problem. The other half of the problem (mentioned in the full article) is due to a dubious feature in Internet Explorer: when it gets a page without a specified character encoding, it does not rely on default values for the encoding (which should be iso-8859-1 for HTML or UTF-8 for XHTML).
Instead, Internet Exploerer tries to guess the encoding of the contents by looking at the first 4096 bytes of the page and checking the non-ASCII characters. In the case of the cross-site scripting attack decribed here, the problem is that IE would silently set the encoding of a page to UTF-7 in case some characters in the first 4096 bytes looked like UTF-7. This silent conversion to UTF-7 by Internet Explorer in a text that Google assumed to use the default encoding allowed the attackers to bypass the way Google was filtering "dangerous" characters in some URLs.
The article puts the full blame for the vulnerability on Google.com. I think that a part of the blame should also be shared by the Internet Explorer designers (and any other browser that does unexpected things while trying to guess what the user "really meant").
They can even go to multiple problems at the same time. If this problem were more prevelant, a hacker could craft a page that steals ALL your online logins/cookies/etc from any site that had the problem. They would just need to craft a page with multiple framesets that load up all the vunlerable pages.
XSS is also making news because it's being used by phishers to forge stuff from the target domain. All the anti phishing stuff relies on which domain a link is going to.. but in a sense, XSS allows phishers to put their own page (ie. fake login) on the target domain! It is very much a problem for any site that deals with personal information, or has trusted content.
-- these are only opinions and they might not be mine.
..... seems to be very good. They acknowledged the problem quickly (the same day if I recall correctly) and fixed it within days. Maybe instead of treating this posting as if there is a bug out there that is a clear and present danger, perhaps we should be talking about how good their response was and why other software companies aren't as responsive?
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
While it may be one thing to pull apart IE and Windows XP (they can be done remotely, in an unconnected lab, with zero impact to a larger community), where does one acquire the balls to go and tinker with a hugely popular online site like google, where the mere act of investigation -may- impact the operational stability of the site.
Now, I know that XSS is benign but whose to say that there wouldn't be some ping-of-death like characteristic with a bizarre UTF-7 encoding? While it's doubtful that google would have such poor quality in their applications, why does the white-hat security community get carte blanche access to test it out?
I could be bitter because I sent a similar email to google (regarding their gmail login account and the 'continue=' varaiable) in March but never heard a reply. But to google's credit, and my defense, I only indicated that it looked highly suspicious and never took the next step to craft an actual attack and send them the code.
If a security engineer should happen across the logs and start to see a bunch of unusual encodings, or what appears to be a recon of the website's characteristics, what level of forgiveness would be applied if the source of such network activity was from eEye, or Watchfire? And what if it was bankofamerica.com instead of google?
I am all for giving vendors a reasonable amount of time to fix a defect and then provide full disclosure but I'm not keen to keep paying for watchfire (eEye, iss, etc..) to go to school and get free press based on unauthorized accesses to my production systems - where is the balance?
I don't know if it's related, but I've noticed a couple of times that when I get the search result page, I get asked to set a cookie from one of the sites in the results, without clicking on them. (my Firefox is configured to ask me to set cookies.). This is somewhat disturbing, I mean if my FF was set to accept cookies automatically, I would have cookies for sites I have never visited...
Did anyone else notice this?
Here we go again!
It seems odd to blame this on Google. According to the linked mailing list posting, the problem is caused by the "auto detect character set" feature in IE (and probably other browsers,) and the lack of a "charset" parameter in the HTTP response from Google. The HTTP spec is pretty clear that a missing charset parameter means ISO-8859-1, not "browser should guess", and certainly not UTF-7.
So isn't it really the "auto detect" feature in the browser that causes the vulnerability, and not Google's lack of "charset encoding enforcement" as the mailing list posting from Watchfire Research claims? Let's put the blame where it belongs. I say we should applaud Google for going the extra kilometer to protect users with non-compliant browsers.
12/01/2005
No offence but i think that this US format is plain stupid... really...
Is that 12 of january or 1 of december? its a format that have several possible intepretations and without any logic (middle time scale/low/high !?!)
I can understand very well the 2005/12/01 and the 01/12/2005 (i prefer the first, specially in computers, but last is better for reading on paper) but the mixed US format is wierd and dangerous...
Most of the time looks like you must guess the correct date.
so why dont the US kill this stupid format?
Higuita
In an earlier XSS exploit, I wrote a javascript that could be injected into a citibank site. It would automatically go through the ENTIRE money transfer process, including confirmations. (It was not used on other people of course, and they shut down that site evetually) Other examples I have made included fake articles on NYTimes site and stolen cookies from microsoft.com
-- these are only opinions and they might not be mine.