Researchers: Eight Google Services Vulnerabilities Revealed
The two security researchers explained how they found so many bugs in such a short space of time
The Calendar bug is one of my favorites because you get the user to execute the bug for youItzhak Avrahamsecurity researcher and founder, Zimperium
Security researchers unveiled eight vulnerabilities in Google services during the Hack in the Box conference in Amsterdam on Thursday -- but they claim to have discovered more than 100 such bugs over the past few months.
The two most interesting ones are the bugs found in Calendar and Analytics, said Itzhak Avraham, security researcher and founder of the Tel Aviv-based security firm Zimperium.
Cross-site-scripting (XSS) vulnerabilities are the most common bugs found in Google's services, Avraham and his fellow security researcher Nir Goldshlager said during their Hack in the Box presentation. XSS attacks -- allowing the execution of malicious code from one website or file as if it belonged to another -- are not just about stealing account data, but can also be used for hacking a victim's computer, they said. "Hacking your Gmail is not as interesting as hacking your computer," Avraham added.
"The Calendar bug is one of my favorites because you get the user to execute the bug for you," Avraham said. The researchers found a way to get a Calender user to trigger a XSS attack by using the application's sharing option. This was done by sharing the attackers' own calendar items with the victim more than five times, effectively spamming the user and encouraging him to delete the unwanted shared calendar items. After the user deleted five shared items an error message would pop-up saying the selected calendar item would not load, after which a stored XSS-attack would be triggered, allowing the attackers to hack into the victim's computer.
Analytics allowed attackers to send an XSS link to an administrator of a targeted Website by sending a URL. They were able to do that because In-Page Analytics, a feature that allows users to view data superimposed on their website within Analytics, accepts incoming requests
Avraham also highlighted the Analytics bug. According to him it is easy to see which sites use Analytics because the service's code can be spotted in the source of a Web page. Analytics allowed attackers to send an XSS link to an administrator of a targeted Website by sending a URL. They were able to do that because In-Page Analytics, a feature that allows users to view data superimposed on their website within Analytics, accepts incoming requests.
The researchers found two ways to exploit the vulnerability. One of them involved the attacker sharing his own In-Page Analytics profile with the victim. The victim then would receive a message that an Analytics profile was shared with him, enticing him to check who shared it, causing the attacker's XSS infected Web site to load into the In-Page viewer, executing the attack, allowing the attackers to hack the victims computer.
Avraham and Goldshlager called themselves bug hunters, hackers that actively look for bugs in software from vendors that pay a bounty for reports of vulnerabilities. Companies including Google, Facebook and Mozilla typically pay between $500 and $3,000 for bugs discovered in their software, the researchers said. According to them, the best way to find bugs in big services like that is keeping track of what the companies do, for instance by tracking acquisitions. Newly added services are not always as well protected, Avraham said.
The researchers also presented bugs they found in Google's Feedburner, Knol, FriendConnect and Picnik services, and in the Google Affiliate Network.
The bug they found in photo editing service Picnik involved an old version of the open source email application phpList, which is riddled with security holes, they said. Besides that, Google used the default user name and password for that application, they added.
"That was a very big mistake," Goldshlager said, adding that the vulnerability could have led to a full server compromise. The bug bounty hunters received $3,133.70 for the discovery of the leak.
All bugs reported to Google that they mentioned during Hack in the Box had been fixed before the presentation, the researchers said.
Trends such as mobility, security, the Internet of Things, and Big Data all have one thing in common – they drive huge amounts of data. And to manage that volume of data, storage is critical, according to NetApp A/NZ managing director, Steve Manley.
Google plans to serve most of its ads over encrypted HTTPS connections by the end of June, a move that will protect against some ad hijacking attacks and will encourage website owners to enable encryption on their Web properties.
Microsoft plans to introduce a new cloud platform service that may eliminate the need to worry about scaling up an application as it grows in popularity.
Microsoft already said it intends to launch Windows 10 this summer, but now we have a better idea of exactly when that might happen, courtesy of AMD. During the company's quarterly earnings call late last Thursday, AMD CEO Lisa Su let slip that Windows 10 would launch in July.