The Security Question Vulnerability

How easy is it to break into your Gmail account? How about Yahoo! Or Windows Live?
If you provided a truthful answer to the security question during signup, it is probably quite easy to hijack your account with just a little research.

Take a look at the Yahoo! Security Questions:

Yahoo Security Questions

Are these security questions?

Anyone that knows my address can easily figure out the name of my first school or my high school mascot. All of my neighbors, family and friends know both my dog’s name and my dad’s middle name, and everybody in the world knows I just LOVE the Lakers. As for my wife and me, the people who attended our wedding had the chance to hear about it in the ceremony - in case you couldn’t make it, we met on the roof of a bus, in Ladakh, India in 1994…

The fact that the answer to each of the security questions above is relatively easy to find out makes them a security vulnerability in my Yahoo! account.
By letting me base a security key on the name of my first school, Yahoo! actually puts me at risk, allowing anyone that knows where I live to hijack my account. It’s like saying “We have the greatest lock to protect your house. Now, why don’t we hide the key under the mat”.

Windows Live is pretty much the same as Yahoo!:

windows live security questions
Gmail is a little bit more sophisticated with one major difference:
gmail security questions

Gmail is the only one of these three that allows you to choose your own question.
By letting you do that, Gmail asks “which question only you can answer?” I think that most people might still come up with “Who is my favorite singer”, “What is my date of birth” or “My dog’s name”.
However, that isn’t a security vulnerability encouraged by Google. If they give you the tools and you fail to use them, it’s not their fault.

So, what can we do about it?
If you can write your own question, that would be the best. If not, choose the question about the name of your first school and put your first phone number as the answer. That’s what I did! :)
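The post’s point is that the answer is the weak link, and the author’s fix is to store something unrelated to the question. On the service side the complementary fix is to treat the answer as a secret rather than a fact: fold it so the legitimate user is not locked out by spacing or case, store only a salted slow hash, compare in constant time, and cap online guesses. The following is an added example written for this page, not code from Yahoo!, Microsoft or Google; the round count, attempt limit and sample answers are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

PBKDF2_ROUNDS = 200_000   # assumed: slow enough that an offline guess costs real CPU
MAX_ATTEMPTS = 5          # assumed: online guesses allowed before recovery is locked


def normalize(answer: str) -> str:
    """Fold case, accents and spacing so "Lincoln  high" still matches "Lincoln High"."""
    decomposed = unicodedata.normalize("NFKD", answer)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(stripped.casefold().split())


def enroll(answer: str, salt: Optional[bytes] = None) -> dict:
    """Store only a salted PBKDF2 digest of the answer, never the answer itself.

    The stored value is opaque, so the user is free to register something that has
    nothing to do with the question (the author's phone-number trick) and a leak of
    the recovery table does not hand out the answers."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "digest": digest, "failures": 0}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time check with a failure counter; a locked record always fails.

    Once MAX_ATTEMPTS wrong guesses have accumulated the question can no longer be
    used and recovery has to fall back to a stronger channel."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    if hmac.compare_digest(digest, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    rec = enroll("Lincoln High")          # constructed sample answer
    print(verify(rec, "lincoln  HIGH"))   # folded spelling still matches
    print(verify(rec, "Roosevelt High"))  # wrong answer, counts against the limit
```

The hashing does nothing about the post’s core complaint, that a dog’s name is public knowledge; the attempt cap is what turns “public knowledge” into at most five cheap tries, and the opaque storage is what makes the unrelated-answer advice safe to follow.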

Got better ideas? Share them with us!


Finding the name behind the gmail address

Ever wondered what name is behind some obscure gmail address? Maybe your preferred gmail address was taken and you’re wondering who took it?
Here’s a cute vulnerability in the gmail system that comes from the strong tie-ins between gmail, the google calendar and all the other services.

How to do it:

- Go to the ‘share this calendar’ tab

- Enter the email address in the ‘person’ box

- Click ‘add person’ and ‘save’

- When you return to this screen you will see the first and last name along with the gmail address

Screenshots:

I always wondered who was behind admin@gmail.com

Tell google you want to share your calendar and put their gmail email address

Oh, I guess they figured people like me would be interested…

admin@gmail.com is a smart ass

If you are getting personalized emails from spammers to your gmail account, here’s an idea on how they got your name.


Google as an RBL

For those not familiar with the term, RBL means Real-time Blackhole List, and it is mainly used for SPAM fighting. I have recently started playing around with Google as an RBL engine; the idea is that if the search term I use returns too many hits, it is likely to be SPAM :)

The danger of course is that the term could be simply popular - but the trick here is that I’m using something very special as the search term - the IP address of the poster.

The IP address shouldn’t be popular; except for a few rare cases, IP addresses listed on Google are directly related to SPAM - either they are listed under wiki-like sites as being banned, or they appear as mass-comment posters. Simply put, if your IP is listed in Google you must be up to no good.

How good is this method? Nothing is bullet proof, but if you have a suspicion of something being SPAM, put the IP in Google and see whether there are hits. Almost all the comment SPAM I filtered out this month had more than 100 hits in Google; all non-SPAM had either 0 hits or fewer than 10.

BTW: A good advantage of Google is that it is quick - a few seconds to get a response - a disadvantage is that you cannot just “hammer” them with searches or they will block you - maybe someone can pick up this idea and make an RBL from IP addresses using Google as a back-engine.
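The classifier the post sketches, written out as an added example rather than the author’s own code, with the two practical caveats the post raises handled: addresses that are never meaningful search terms (LAN, loopback, link-local) are skipped instead of queried, and a cache plus a minimum interval between live queries keep the back-engine from being hammered. The thresholds are the ones the post reports (over 100 hits looked like SPAM, 0 to 10 like ham); the search backend here is a constructed table, since the point is the decision logic, not the HTTP call.

```python
import ipaddress
import time
from typing import Callable, Dict, Tuple

# Thresholds observed in the post: >100 hits looked like spam, 0-10 hits like ham.
SPAM_HITS = 100
HAM_HITS = 10

# RFC 1918 ranges: an address from somebody's LAN is never a useful search term.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the search engine: query string -> number of hits.
# Addresses are from the RFC 5737 documentation ranges; the counts are made up.
FAKE_SEARCH_INDEX: Dict[str, int] = {
    '"198.51.100.23"': 342,   # looks like a mass comment poster
    '"203.0.113.7"': 0,       # nobody has ever written about it
    '"192.0.2.55"': 7,        # a handful of hits, still in the ham range
    '"203.0.113.80"': 45,     # grey zone
}


def fake_search(query: str) -> int:
    return FAKE_SEARCH_INDEX.get(query, 0)


class IPReputation:
    """Classify an IP by its search-hit count, with a cache and a polite query rate."""

    def __init__(self, search: Callable[[str], int], ttl: float = 3600.0,
                 min_interval: float = 2.0, clock: Callable[[], float] = time.monotonic):
        self.search = search            # any callable: query -> hit count
        self.ttl = ttl                  # how long a verdict is trusted (assumed: one hour)
        self.min_interval = min_interval  # assumed: two seconds between live queries
        self.clock = clock
        self._cache: Dict[str, Tuple[str, float]] = {}  # ip -> (verdict, when)
        self._last_query = float("-inf")
        self.backend_queries = 0        # exposed so callers can see how often we hit the engine

    def classify(self, ip_str: str) -> str:
        ip = ipaddress.ip_address(ip_str)   # ValueError on garbage: fail early, never search junk
        if (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
                or any(ip in net for net in LOCAL_NETS)):
            return "skip"

        now = self.clock()
        cached = self._cache.get(str(ip))
        if cached is not None and now - cached[1] < self.ttl:
            return cached[0]

        # Don't hammer the search engine: space live queries out.
        wait = self._last_query + self.min_interval - now
        if wait > 0:
            time.sleep(wait)
        hits = self.search(f'"{ip}"')   # exact-phrase query on the bare address
        self._last_query = self.clock()
        self.backend_queries += 1

        if hits > SPAM_HITS:
            verdict = "spam"
        elif hits <= HAM_HITS:
            verdict = "ham"
        else:
            verdict = "unknown"         # grey zone: hand off to other checks
        self._cache[str(ip)] = (verdict, self._last_query)
        return verdict


if __name__ == "__main__":
    rep = IPReputation(fake_search)
    for candidate in ("198.51.100.23", "203.0.113.7", "192.0.2.55", "203.0.113.80", "10.0.0.5"):
        print(candidate, "->", rep.classify(candidate))
```

The grey zone between the two thresholds is deliberately left as “unknown” rather than forced to one side: the post’s numbers come from one month of one blog’s comments, and a popular address (a large proxy, a university) can legitimately collect dozens of hits.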


When fixing is not enough

Howdy ho from Brazil, folks.

Remember that vulnerability in the Gmail filter feature reported by Petko D. Petkov in September? Google fixed this vulnerability a few days after it was disclosed, but something was missing: end users should have been notified about it.
Early this week I was made aware of someone who was hit hard by this vuln months after it was fixed. David Airey’s domain was hijacked and this vulnerability helped with that.

But Google fixed that, so what’s the problem? They should have notified all users about it. New filters could not be injected anymore after the fix, but filters injected before the fix were still there. A simple “please check your filters” Web two-dot-oh notice would have been enough, if only because new filters could have been added in the days between the vuln being disclosed and the fix. End users don’t read the same blogs, lists and security resources that we read. Users are not supposed to know the nuts and bolts of the vulnerability, but they should know what manual actions should be taken.
I don’t know about you, but I thought about some solutions for that:

  1. Anything under settings should require password, in every change. I guess Yahoo! Mail works like that;
  2. Filters that forward messages should be handled in a different way, maybe under “Forwarding and POP/IMAP” tab.

Another simple mitigation action that people should use for any online service is something like a privilege separation (I don’t have a better name for that). Use different accounts for different purposes, have a master account and child accounts that forward every message to the master account.

If you are a moderator in a Yahoo! Group, for example, don’t use your main personal profile for group management. Reducing the lifetime of the session to 15 minutes and logging in only on trustworthy networks are other paranoid measures that could be considered. If there’s a targeted attack against your account, probably only your less critical account will be affected.
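The “please check your filters” notice the post asks for is something a user can also do for themselves, given an export of their filters. The following added example (not Gmail’s code, and not from the post’s author) audits a list of filters and flags the ones that deserve a look: anything that forwards mail to an address outside the owner’s own domains, anything that forwards and hides the original, and anything created inside the exposure window. The `MailFilter` shape, the sample filters and the window dates are assumptions; the post only says the issue was reported in September and fixed a few days later.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Set, Tuple


@dataclass
class MailFilter:
    filter_id: str
    created: datetime
    forward_to: Optional[str] = None   # address the filter forwards matching mail to, if any
    skip_inbox: bool = False           # archive/delete keeps the forwarded copy out of sight


def address_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_filters(filters: Iterable[MailFilter], owner_domains: Set[str],
                  window_start: datetime, window_end: datetime) -> List[Tuple[str, List[str]]]:
    """Return (filter_id, reasons) for every filter that deserves a second look."""
    owner_domains = {d.lower() for d in owner_domains}
    findings: List[Tuple[str, List[str]]] = []
    for f in filters:
        reasons: List[str] = []
        if f.forward_to:
            if address_domain(f.forward_to) not in owner_domains:
                reasons.append("forwards mail to an address outside your own domains")
            if f.skip_inbox:
                reasons.append("forwards and hides the original, so you would never notice")
        if window_start <= f.created <= window_end:
            reasons.append("created inside the exposure window, before the fix shipped")
        if reasons:
            findings.append((f.filter_id, reasons))
    return findings


# Constructed sample data; the window is a placeholder for "September, until the fix".
WINDOW_START = datetime(2007, 9, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2007, 9, 30, tzinfo=timezone.utc)
SAMPLE_FILTERS = [
    # an old label-only filter: nothing to report
    MailFilter("f1", datetime(2007, 6, 2, tzinfo=timezone.utc)),
    # injected during the window, forwards out and hides the copy: the worst case
    MailFilter("f2", datetime(2007, 9, 20, tzinfo=timezone.utc),
               forward_to="attacker@external-example.net", skip_inbox=True),
    # forwards to the owner's own domain, made after the fix: fine
    MailFilter("f3", datetime(2007, 11, 5, tzinfo=timezone.utc), forward_to="me@example.com"),
]


if __name__ == "__main__":
    for fid, reasons in audit_filters(SAMPLE_FILTERS, {"example.com"}, WINDOW_START, WINDOW_END):
        print(fid, "->", "; ".join(reasons))
```

The “created inside the window” reason fires on its own, without a forward, on purpose: a filter that only labels or deletes mail is also something an attacker could have planted, and the point of the notice is to get the owner to look, not to decide for them.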
Do you have any insight about this Gmail vuln? Comment.
More info:


Orkut virus/worm on the loose

An Orkut based virus/worm appears to be on the loose, it propagates by posting notes on people’s scrapbook. So chances are that if you got a new scrapbook item on your long-unused Orkut it is because the worm has infected one of your friends there.

The virus/worm utilizes javascript code to propagate. The source of it can be found here: hxxp://files.myopera.com/virusdoorkut/files/virus.js
Update: Google apparently is actively deleting items from the scrapbook of people that were infected and that have infected others.

Update 2: More details can be found here: http://antrix.net/journal/techtalk/orkut_xss.html


Google handing over a blogger’s IP

According to several Israeli newspapers google has exposed the IP address of a blogger that was using the “blogger” service.

You might think he was posting instructions on how to prepare a nuclear bomb or the secret Coca Cola formula. It’s much much worse. He was defaming officials in the “Sha’arei Tikva” municipality, which most Israelis can’t even place on a map, and needless to say have little to no interest in the intrigues and political wars there.

My point is, there is no benefit to anyone in exposing the blogger’s IP except to let these officials take him to court, and while google gave a weak legal fight, the decision was reached by an out-of-court settlement, which means they didn’t even try to go the distance in order to block this request.

I think the main issue is not the blogger’s right to anonymity; it’s more about google’s unclear policy on what they do with the information they have. We know google saves search data. We know that they have access to deleted emails on gmail (for who knows how long). We don’t know what they do on google talk, but we can guess. What we already know is scary; the fact that we don’t know the rest is even scarier.
It’s clear to everyone that google has information about us and our private life more than any other Internet entity (we had a securitoon about it a while back). Now it’s clear they are playing loose cannon with that information.

Update: Someone identifying herself as “google employee” writes in the talkback comments to the article that google only handed the IP, but the ISP gave the complete identifying information from that IP, and that the press’s picking on google is unjustified. If that google worker is reading this, feel free to email me your version of the story and it will be posted here anonymously (or just leave a comment below).


JAR: protocol vuln - targeting Google now

According to the report of pdp, several Web sites supporting open redirects are vulnerable to the recent JAR: protocol vulnerability.

More information about these XSS vulnerabilities (hey, these are serious now!) is available at GNUCITIZEN entry here:

Severe XSS in Google and Others due to JAR protocol issues

Update 26th Nov: The author of Beford Blog has shared information that his “jarjarbinks.htm” PoC type link still works - when entering it manually into the browser’s address bar. Google is still affected by the JAR flaw.


Leave your Citrix .ICA files on a public server and let the hacker in

Mr. Petko D. ‘Acrobat-Gmail’ Petkov has reported a very interesting Citrix issue:

When querying for public .ICA files (Independent Computing Architecture) you can do serious things in the remote system with this information. Opening Cmd.exe and listing the file system works etc. etc.

Report here and YouTube video of 1:28min here.
Googledork and Yahoodork(!) included, it appears there are many .mil and .gov sites. And hospitals too.
A real life example: A Finnish high school in Jyväskylä town fixed its problem in less than 20 minutes after receiving my e-mail this morning. Fine!


Hey, don’t touch my Gmail filters with XSRF

The good news is that Google has fixed a serious cross-site request forgery vulnerability in Gmail.

The exploitation technique was interesting - modifying Gmail’s Forwarding settings with JavaScript.
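The defence against this class of bug, and the first of the suggestions in “When fixing is not enough” above (any settings change should require the password again), condensed into an added example that is not Gmail’s code: the “before” handler honours any request that carries a valid session cookie, which is exactly what a page the victim merely visits can produce with a background form post; the hardened handler requires a synchronizer token that only the real settings page can read, and a password entry within a fixed window. The `Session` shape, the 15-minute window and the sample addresses are assumptions.

```python
import hmac
import secrets

REAUTH_WINDOW = 15 * 60  # assumed: seconds since the password was last typed


class Session:
    def __init__(self, user: str, now: float):
        self.user = user
        # Per-session secret embedded in the settings form; a third-party page
        # can make the browser send the cookie, but cannot read this value.
        self.csrf_token = secrets.token_urlsafe(32)
        self.last_password_entry = now


def update_forwarding_vulnerable(session: Session, form: dict, settings: dict) -> bool:
    """Before the fix: anything arriving with the session cookie is honoured."""
    settings[session.user]["forward_to"] = form["forward_to"]
    return True


def update_forwarding_hardened(session: Session, form: dict, settings: dict, now: float) -> bool:
    """Synchronizer token plus a recent password entry before forwarding changes."""
    supplied = form.get("csrf_token", "").encode("utf-8")
    if not hmac.compare_digest(supplied, session.csrf_token.encode("utf-8")):
        return False  # cross-site post: token missing, or not this session's
    if now - session.last_password_entry > REAUTH_WINDOW:
        return False  # stale authentication: ask for the password again first
    settings[session.user]["forward_to"] = form["forward_to"]
    return True


def reauthenticate(session: Session, password_ok: bool, now: float) -> None:
    """Called after the user re-enters a password on the settings page."""
    if password_ok:
        session.last_password_entry = now


if __name__ == "__main__":
    settings = {"alice": {"forward_to": None}}   # constructed account
    sess = Session("alice", now=0.0)
    forged = {"forward_to": "attacker@external-example.net"}  # what a hostile page can submit
    print("vulnerable:", update_forwarding_vulnerable(sess, forged, settings), settings)
    settings["alice"]["forward_to"] = None
    print("hardened:  ", update_forwarding_hardened(sess, forged, settings, now=10.0), settings)
```

Both checks matter: the token alone stops the forged post, but if a script is running in the victim’s own page (the XSS cases elsewhere on this page) it can read the token, and at that point the fresh-password requirement is what keeps a forwarding address from changing silently.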

US-CERT Vulnerability Note VU#571584 is located here.


These bad days of Google’s security team

This week started with news of three serious vulnerabilities in Google’s services and products - via the hacademix.net post GoogHOle (XSS pwning GMail, Picasa and almost 200K customers).

But it appears information was public on Sat 22nd Sep already.

The report says Google security team was contacted before the release process. The exact date is not known, however.


Flayer is Google’s step into Web application security testing

Google has introduced the tool recently via its Online Security Blog.

The tool is released under GNU General Public License v2.

The home of the new project is here: code.google.com/p/flayer/

Attendees of the WOOT ’07 conference are already aware of it.


Fake blogs and search engines

URLs in this post should be considered as unsafe.

Fake sites and SE poisoning are nothing new. The use of blogs for this is far from new, either. Thousands of new fake blogs pop up every day on blogspot, livejournal, etc.

Web spam is a subject I have written about in the past, and some of you may be familiar with it regardless of me (no kidding), especially if you run a blog yourself.

A new fake blog which looks like blogspot, but has its own “domain”, recently popped up in a Google alert on my name.

I get hits on these fake pages all the time as my name is a key word used by some of these spammers to grab attention to their pages.
This time around they really over-did it.

The page has a blogspot layout, and continues with ads to pornographic sites or malware (is there any difference anymore?)

Then the site shows the YouTube video which can be found under my name.
Following that is a post I made to a mailing list recently (poorly formatted).
Then we have a few pictures of girls, linking once more either to pornographic sites or malware drive-by sites (if there is a difference, again).

They finish the page off by adding comments, which are actually some old securiteam posts by me.

Heck, it looks fake, but it is obvious the bad guys are investing more in their fake web pages. Their auto-creation tools seem to be getting more impressive, and I believe we will see much improved believable sites, soon.

Google Blog Search displays this site as (nasty words replaced with beep):

Gadi Evron
2 Sep 2007
Gangbeep facial asian amateurs, bang bus jessica hardcore pictures bang your head, asian virgins.asts. Teen Cherry Action - Nice brunette teen beeped hard on the bed and getting a beepy beepshot. Beep beeping boy beep teen legs, …
Untitled - h ttp://n ewadult.celeberia.com/

URL:
h ttp://n ewadult.celeberia.com/Gadi-Evron

Again, I am unsure if these URLs are safe.

For those of you wondering if these web pages mean anything to the bad guys, the answer is absolutely yes. Search engine ranking, indexing, etc. helps them advance their own sites (or their clients’). Then of course, there is advertising and Google ads.
It works. And the advertising space on unrelated key words is a plus.

The concept is very similar to comment spam. Comment spam may not contribute to SE ranking anymore due to the nofollow tag attached to links in comments, but these get indexed and that’s all the bad guys care about. Nofollow is crap, and what shows up when you search is what matters.

As an example of how these things work, in a recent blog post of mine a buddy left a comment (see here http://gevron.livejournal.com/8859.html for the example).

He left a URL for his legitimate Python/math/music/origami blog in his comment, and now when you search for his blog you find my post placed in the 4th place with the title ‘A Jew in a German Camp’ (about the CCC Camp in Germany). He is not pleased, but it is obvious how the bad guys abuse this, and infect millions of computers just because their owners surf the net.

Gadi Evron,
ge@linuxbox.org.


Privacy, The Illusion Of

In a recent blog entry, Google announced the production of a 4.5 minute movie about search privacy in Google. Let me quote the presenter, Maile Ohye:

“As you can see, logs don’t contain any truly personal information about you.” - Maile

I strongly suggest you watch the clip and have your own opinion. Below is my own:

What Maile neglects to mention is that Google keeps all the queries you submit together, correlated by your cookie, including the user you use to login to Google, the links you clicked on in search results, any site you visited with a Google ad, every address you mapped, every product you searched, every video you watched, etc. which makes up a nice profile of your behavior online.

If you slip - once - and search for something which is personal - the name of someone you know, your home address in Google maps, a nearby store, your email address - then that information is in your profile too. If you use a Google account, it doesn’t even matter if you switch computers or expire the cookies.

I use Google a lot, I have a Google account and if you look it up you’ll probably know pretty much most of my interests and generally a lot about me. I am aware of the fact that this is so. It doesn’t stop me from using Google’s services - I like using Google’s services, and I know that one of the things that make them of value to me is the fact that Google knows a lot about me and what I do and where I go and what I care about. I don’t care, because I do not search with the same account, browser, cookie or IP address for things I don’t want Google to know about. How many people know enough about the Internet to take such measures? Not many, I guess.

So back to the clip. The video clip is market-speak (doublespeak? duckspeak?). It is marketing privacy as a differentiator for Google’s services, and portrays Google’s privacy practices as benign. In that sense, it serves its purpose. The problem that I can see is that privacy doesn’t need a lot of marketing. I don’t think you really need to market your privacy practices. The way I see it, the world is made out of 3 kinds of people:

1. Those who don’t care about privacy, they just graze around where the grazing is good, and are pretty much oblivious to such concerns. For these people, if you make an appealing product (not even a good product) and market it properly, and make it cool, they will come. Even if you trample their privacy, they will still come, because they don’t care. Reference: iPod. OMG I’m using a MacBook Pro now. Busted, I guess. People from this group wouldn’t care much, even if you didn’t have a privacy policy in place. Google already won them over, making Google a household name. Want to increase your market share here? Add a scroll wheel. Oh wait, that’s so early 2000s. Add a touch screen.

2. Those who like their privacy but don’t really know much about privacy or privacy technology. These people are, to an extent, conspiracy theorists. “Google keeps my email for good so they must be trying to control my mind! We’re dooooomed! Run away, run away!”. They are, as far as I can tell, a loud but small minority. Sometimes they’re so loud that it makes people from group #1 look around from their pasture, cock their head to one side, and, well, keep on grazing. Marketing privacy to these people will most likely just compound the conspiracy theories, because you wouldn’t do it unless you had something to hide. These people might just as well use Google’s services and perform some token ceremony to make sure that Google isn’t watching them, like expiring their cookies or perhaps even cleaning their pages with greasemonkey. Oh well. I say to Google - let them be. There’s little you can do about it.

3. These are the people who are aware of the implications of using technology and either come to terms with it, or don’t play. I know some people who don’t play, and I can’t blame them. I personally am less hard-core, perhaps, because I agree to make a lot of my life more open to scrutiny in order to reap the benefits. It’s a risk, a managed risk. If there is some way this might come back to haunt me despite the precautions I’ve taken, well, I guess I’ll know it eventually, and I can only blame myself.

Have a doubleplus good day.

Disclaimer: All of the opinions presented here are my own and do not necessarily reflect the opinions of any entity I may be affiliated with.


How to sleep with any woman you want - on the first date!

Yeah, I hate sensational titles with little to no substance just like you do. But I guess at google corporate people are so used to dealing with titles in their search result and adsense products they forgot somebody has to write the content behind the “title” tag.

The sky is falling! So says google in the most content-less article I’ve read since Paris Hilton was released from prison. We can’t tell you how, or why, or how to fix it, or any really useful information besides the fact it is a problem in Java. But we’d really want you to know there’s a problem, or else we wouldn’t have released this information from the leak-proof google security team.

Is the vulnerability even real? Well, does it matter? Disclosing a vulnerability without details is the equivalent of the sound of one hand clapping (here’s an explanation for all you google guys. See, unlike you I try to explain myself).

By the way, I stumbled today on a vulnerability in the google search engine that allows me to take over every browser who visits google.com. Or maybe I didn’t. But feel free to tell zdnet about this phenomenal discovery. That, and my foolproof method to sleep with any woman on the first date (which I won’t disclose due to clear and imminent threat to the human race).


Plain-text FTP credentials and YouTube: a bad combination

The MOSEB campaign (Month of Search Engine Bugs) shared a good example of the dangers of Googledorks this week.

When using the search string

site:youtube.com “clicks from ftp @” we’ll see 257 results.

When googling

“clicks from ftp” + filter=0, in turn, we will get 508 results.


Gmail/Google XSS can be used to steal contacts (and the authentication token)

A combination of an XSS in the Google Groups web site with a “feature” of Gmail’s integration with Google Groups allows an attacker that can trick you into clicking on a specially crafted URL to steal:

  • All Contacts you’ve ever mailed (Name and Email address)
  • Your Gmail authentication token

For more details go to this page.
(NOTE The vulnerability still works as of 2007-03-15 16:12 GMT+0)
