Researchers: Eight Google Services Vulnerabilities Revealed
The two security researchers explained how they found so many bugs in such a short space of time
The Calendar bug is one of my favorites because you get the user to execute the bug for youItzhak Avrahamsecurity researcher and founder, Zimperium
Security researchers unveiled eight vulnerabilities in Google services during the Hack in the Box conference in Amsterdam on Thursday -- but they claim to have discovered more than 100 such bugs over the past few months.
The two most interesting ones are the bugs found in Calendar and Analytics, said Itzhak Avraham, security researcher and founder of the Tel Aviv-based security firm Zimperium.
Cross-site-scripting (XSS) vulnerabilities are the most common bugs found in Google's services, Avraham and his fellow security researcher Nir Goldshlager said during their Hack in the Box presentation. XSS attacks -- allowing the execution of malicious code from one website or file as if it belonged to another -- are not just about stealing account data, but can also be used for hacking a victim's computer, they said. "Hacking your Gmail is not as interesting as hacking your computer," Avraham added.
"The Calendar bug is one of my favorites because you get the user to execute the bug for you," Avraham said. The researchers found a way to get a Calender user to trigger a XSS attack by using the application's sharing option. This was done by sharing the attackers' own calendar items with the victim more than five times, effectively spamming the user and encouraging him to delete the unwanted shared calendar items. After the user deleted five shared items an error message would pop-up saying the selected calendar item would not load, after which a stored XSS-attack would be triggered, allowing the attackers to hack into the victim's computer.
Analytics allowed attackers to send an XSS link to an administrator of a targeted Website by sending a URL. They were able to do that because In-Page Analytics, a feature that allows users to view data superimposed on their website within Analytics, accepts incoming requests
Avraham also highlighted the Analytics bug. According to him it is easy to see which sites use Analytics because the service's code can be spotted in the source of a Web page. Analytics allowed attackers to send an XSS link to an administrator of a targeted Website by sending a URL. They were able to do that because In-Page Analytics, a feature that allows users to view data superimposed on their website within Analytics, accepts incoming requests.
The researchers found two ways to exploit the vulnerability. One of them involved the attacker sharing his own In-Page Analytics profile with the victim. The victim then would receive a message that an Analytics profile was shared with him, enticing him to check who shared it, causing the attacker's XSS infected Web site to load into the In-Page viewer, executing the attack, allowing the attackers to hack the victims computer.
Avraham and Goldshlager called themselves bug hunters, hackers that actively look for bugs in software from vendors that pay a bounty for reports of vulnerabilities. Companies including Google, Facebook and Mozilla typically pay between $500 and $3,000 for bugs discovered in their software, the researchers said. According to them, the best way to find bugs in big services like that is keeping track of what the companies do, for instance by tracking acquisitions. Newly added services are not always as well protected, Avraham said.
The researchers also presented bugs they found in Google's Feedburner, Knol, FriendConnect and Picnik services, and in the Google Affiliate Network.
The bug they found in photo editing service Picnik involved an old version of the open source email application phpList, which is riddled with security holes, they said. Besides that, Google used the default user name and password for that application, they added.
"That was a very big mistake," Goldshlager said, adding that the vulnerability could have led to a full server compromise. The bug bounty hunters received $3,133.70 for the discovery of the leak.
All bugs reported to Google that they mentioned during Hack in the Box had been fixed before the presentation, the researchers said.
The CIA's decision to use Amazon's cloud is part of a broader IT shake-up to make the spy business more efficient.
The mysterious ‘Uroburos' cyberweapon named last week in Germany has been stalking its victims since as far back as 2005 and large enterprises and governments need to pay urgent attention to the threat it poses, UK security firm BAE Systems has urged.
With the new VMware Horizon DaaS offering, IT organizations can deploy enterprise-class virtual desktops to a public cloud, private cloud or seamlessly mix the two with a hybrid cloud deployment.
If every PC sold in the next 12 months was one destined to replace an existing Windows XP system, it would take more than a year and a half -- about 20 months -- to eradicate XP. Windows XP isn't going anywhere.