[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-disclosure] The email that hacks you
From: aditya <nauty.me04 () gmail ! com>
Date: 2012-11-28 12:56:06
Message-ID: CAH4bqJNXo6jWUfypxH=O2gmw5Bkte1H4MQDQUU96wAUzNXo42Q () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Please if you could share the code, I would like to test it for my router
as well.
Thanks
On Wed, Nov 28, 2012 at 6:02 PM, Bogdan Calin <bogdan@acunetix.com> wrote:
> Thanks aditya,
>
> The code is not published on the blog post but it's visible in the video.
> It's very simple to reproduce this problem.
>
> On 11/28/2012 1:53 PM, aditya wrote:
> > I totally agree with Christian, it is as insane as passing username and
> passwords using GET
> > requests. But congrats Bogdan for the bringing to us a nice hack.
> >
> > Have u shared the code as well Bogdan?
> >
> > On Wed, Nov 28, 2012 at 5:07 PM, Christian Sciberras <uuf6429@gmail.com<mailto:
> uuf6429@gmail.com>>
> > wrote:
> >
> > From an architectural perspective, "auto logins" or whatever they're
> called should work through
> > a random string, just as most providers already do.
> > There is absolutely no reason to pass the username/password from a
> URL, especially when in plain
> > text as in these cases.
> > Since there is no loss of features (there are safer, saner, sensible
> alternatives), I think this
> > is better considered a bug, since it is never actually needed in the
> first place.
> >
> > Also, with the random token system, I think it is best to still
> require the user/pass when the
> > URL the user is directed to is going to do something such as
> modifying/updating stuff.
> >
> >
> > Chris.
> >
> >
> >
> > On Wed, Nov 28, 2012 at 12:15 PM, Bogdan Calin <bogdan@acunetix.com
> > <mailto:bogdan@acunetix.com>> wrote:
> >
> > Yes, I agree with you.
> >
> > However, my opinion it that it should be fixed once and for all
> in iOS/Webkit (and the other
> > browsers) by disabling resources loaded with credentials.
> >
> > At some point, as a protection for phishing, URLs with the format
> > scheme://username:password@hostname/ were disabled.
> > When you enter in the browser bar something like that it doesn't
> work in most browsers.
> >
> > I was surprised to see that doing something like <image
> > src='scheme://username:password@hostname/path'> works in Chrome
> and Firefox but if you enter the
> > same URL in the browser bar it doesn't work. This doesn't work
> in Internet Explorer, which
> > is the
> > right behavior in my opinion.
> >
> > I don't see any good reason why something like this should work.
> Closing this in browsers
> > will solve
> > this problem once and for all.
> >
> > On 11/28/2012 1:00 PM, Guifre wrote:
> > > Hello,
> > >
> > > "I can also confirm that this attack works on iPhone, iPad and
> Mac's
> > > default mail client."
> > >
> > > Of course, it works anywhere where arbitrary client-side code
> can be
> > > executed... IMAHO, the issue here is not your iphone loading
> images,
> > > there are millions of attack vectors to trigger this attack...
> The
> > > problem is the CSRF weaknesses of your router admin panel that
> should
> > > be fixed by synchronizing a secret token or by using any other
> well
> > > known mitigation strategy against these attacks.
> > >
> > > Best Regards,
> > > Guifre.
> > >
> >
> > --
> > Bogdan Calin - bogdan [at] acunetix.com <http://acunetix.com>
> > CTO
> > Acunetix Ltd. - http://www.acunetix.com
> > Acunetix Web Security Blog - http://www.acunetix.com/blog
> > Follow us on Twitter - http://www.twitter.com/acunetix
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> >
> >
> > --
> > Regards
> > Aditya Balapure
> >
> >
>
> --
> Bogdan Calin - bogdan [at] acunetix.com
> CTO
> Acunetix Ltd. - http://www.acunetix.com
> Acunetix Web Security Blog - http://www.acunetix.com/blog
> Follow us on Twitter - http://www.twitter.com/acunetix
>
--
Regards
Aditya Balapure
[Attachment #5 (text/html)]
Please if you could share the code, I would like to test it for my router as \
well.<div><br></div><div>Thanks<br><br><div class="gmail_quote">On Wed, Nov 28, 2012 at 6:02 \
PM, Bogdan Calin <span dir="ltr"><<a href="mailto:bogdan@acunetix.com" \
target="_blank">bogdan@acunetix.com</a>></span> wrote:<br> <blockquote class="gmail_quote" \
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thanks aditya,<br> <br>
The code is not published on the blog post but it's visible in the video.<br>
It's very simple to reproduce this problem.<br>
<div class="im"><br>
On 11/28/2012 1:53 PM, aditya wrote:<br>
> I totally agree with Christian, it is as insane as passing username and passwords using \
GET<br> > requests. But congrats Bogdan for the bringing to us a nice hack.<br>
><br>
> Have u shared the code as well Bogdan?<br>
><br>
</div>> On Wed, Nov 28, 2012 at 5:07 PM, Christian Sciberras <<a \
href="mailto:uuf6429@gmail.com">uuf6429@gmail.com</a> <mailto:<a \
href="mailto:uuf6429@gmail.com">uuf6429@gmail.com</a>>><br> <div class="im">> \
wrote:<br> ><br>
> From an architectural perspective, "auto logins" or whatever they're \
called should work through<br> > a random string, just as most providers already do.<br>
> There is absolutely no reason to pass the username/password from a URL, especially \
when in plain<br> > text as in these cases.<br>
> Since there is no loss of features (there are safer, saner, sensible alternatives), I \
think this<br> > is better considered a bug, since it is never actually needed in the \
first place.<br> ><br>
> Also, with the random token system, I think it is best to still require the user/pass \
when the<br> > URL the user is directed to is going to do something such as \
modifying/updating stuff.<br> ><br>
><br>
> Chris.<br>
><br>
><br>
><br>
> On Wed, Nov 28, 2012 at 12:15 PM, Bogdan Calin <<a \
href="mailto:bogdan@acunetix.com">bogdan@acunetix.com</a><br> </div><div><div class="h5">> \
<mailto:<a href="mailto:bogdan@acunetix.com">bogdan@acunetix.com</a>>> wrote:<br> \
><br> > Yes, I agree with you.<br>
><br>
> However, my opinion it that it should be fixed once and for all in iOS/Webkit (and \
the other<br> > browsers) by disabling resources loaded with credentials.<br>
><br>
> At some point, as a protection for phishing, URLs with the format<br>
> scheme://username:password@hostname/ were disabled.<br>
> When you enter in the browser bar something like that it doesn't work in most \
browsers.<br> ><br>
> I was surprised to see that doing something like <image<br>
> src='scheme://username:password@hostname/path'> works in Chrome and \
Firefox but if you enter the<br> > same URL in the browser bar it doesn't work. \
This doesn't work in Internet Explorer, which<br> > is the<br>
> right behavior in my opinion.<br>
><br>
> I don't see any good reason why something like this should work. Closing this \
in browsers<br> > will solve<br>
> this problem once and for all.<br>
><br>
> On 11/28/2012 1:00 PM, Guifre wrote:<br>
> > Hello,<br>
> ><br>
> > "I can also confirm that this attack works on iPhone, iPad and \
Mac's<br> > > default mail client."<br>
> ><br>
> > Of course, it works anywhere where arbitrary client-side code can be<br>
> > executed... IMAHO, the issue here is not your iphone loading images,<br>
> > there are millions of attack vectors to trigger this attack... The<br>
> > problem is the CSRF weaknesses of your router admin panel that should<br>
> > be fixed by synchronizing a secret token or by using any other well<br>
> > known mitigation strategy against these attacks.<br>
> ><br>
> > Best Regards,<br>
> > Guifre.<br>
> ><br>
><br>
> --<br>
</div></div>> Bogdan Calin - bogdan [at] <a href="http://acunetix.com" \
target="_blank">acunetix.com</a> <<a href="http://acunetix.com" \
target="_blank">http://acunetix.com</a>><br> <div class="HOEnZb"><div class="h5">> \
CTO<br> > Acunetix Ltd. - <a href="http://www.acunetix.com" \
target="_blank">http://www.acunetix.com</a><br> > Acunetix Web Security Blog - <a \
href="http://www.acunetix.com/blog" target="_blank">http://www.acunetix.com/blog</a><br> > \
Follow us on Twitter - <a href="http://www.twitter.com/acunetix" \
target="_blank">http://www.twitter.com/acunetix</a><br> ><br>
> _______________________________________________<br>
> Full-Disclosure - We believe in it.<br>
> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" \
target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br> > \
Hosted and sponsored by Secunia - <a href="http://secunia.com/" \
target="_blank">http://secunia.com/</a><br> ><br>
><br>
><br>
> _______________________________________________<br>
> Full-Disclosure - We believe in it.<br>
> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" \
target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br> > Hosted \
and sponsored by Secunia - <a href="http://secunia.com/" \
target="_blank">http://secunia.com/</a><br> ><br>
><br>
><br>
><br>
> --<br>
> Regards<br>
> Aditya Balapure<br>
><br>
><br>
<br>
--<br>
Bogdan Calin - bogdan [at] <a href="http://acunetix.com" target="_blank">acunetix.com</a><br>
CTO<br>
Acunetix Ltd. - <a href="http://www.acunetix.com" \
target="_blank">http://www.acunetix.com</a><br> Acunetix Web Security Blog - <a \
href="http://www.acunetix.com/blog" target="_blank">http://www.acunetix.com/blog</a><br> Follow \
us on Twitter - <a href="http://www.twitter.com/acunetix" \
target="_blank">http://www.twitter.com/acunetix</a><br> </div></div></blockquote></div><br><br \
clear="all"><div><br></div>-- <br>Regards<div>Aditya Balapure</div><div><br></div><br> </div>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic