######################################
Google Services Notifier Chrome extension XSS/CSRF
extension:https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
advisore:http://lostmon.blogspot.com/2010/06/google-services-notifier-chrome.html
Exploit available:yes vendor notify : NO
#######################################
So in this case "Notifier for Google Wave Chrome"
has a flaw that allow attackers to make XSS style attacks.
All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..
if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/dmgbflokapnkfnegeigclohhplnflgie
109 users have instaled it (WoW)
############
explanation
############
Google Services Notifier allows users to view wen they have a new wave and
view a preview of it ....
"Keep you update with Google services like Google Mail,Blogger,Reader,YouTube,
Google Docs, Google Wave etc. More services will be added soon."
If a attacker compose a new mail with html or javascript code in
subject & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of mail.
So for exploit we need to compose a "special" mail
for example if we put directly in the mail subject a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
in the two cases the alert is executed wen try to preview the mail
with the extension :) it is executed in context location.href value is
"about:blank"
For example send a mail With a logout acction in google wave in body
"><iframe src="https://wave.google.com/wave/logout"></iframe>
it closes the sesion on google wave , this is a CSRF.
######################€nd#################################
.
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Google Services Notifier Chrome extension XSS/CSRF
Friday, June 18, 2010
Categories:
browsers,
bug,
CSRF,
extensions,
security,
vulnerability,
XSS
Notifier for Google Wave Chrome extension XSS/CSRF
######################################
Notifier for Google Wave Chrome extension XSS/CSRF
extension:https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
advisore:http://lostmon.blogspot.com/2010/06/notifier-for-google-wave-chrome.html
Exploit available:yes vendor notify : NO
#######################################
So in this case "Notifier for Google Wave Chrome"
has a flaw that allow attackers to make XSS style attacks.
All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..
if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
56,542 users have instaled it (WoW)
############
explanation
############
Notifier for Google Wave allows users to view wen they have a new wave and
view a preview of it ....
If a attacker compose a new wave with html or javascript code in
body & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of wave.
So for exploit we need to compose a "special" wave
for example if we put directly in the mail body a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
in the two cases the alert is executed wen try to preview the wave
with the extension :) it is executed in context location.href value is
"about:blank"
For example send a wave With a logout acction in google wave in body
"><iframe src="https://wave.google.com/wave/logout"></iframe>
it closes the sesion on google wave , this is a CSRF.
######################€nd#################################
.
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Notifier for Google Wave Chrome extension XSS/CSRF
extension:https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
advisore:http://lostmon.blogspot.com/2010/06/notifier-for-google-wave-chrome.html
Exploit available:yes vendor notify : NO
#######################################
So in this case "Notifier for Google Wave Chrome"
has a flaw that allow attackers to make XSS style attacks.
All extensions runs over his origin and no have way to altered data from extension
or get sensitive data like , email account or password etc..
if we look how many users have instaled this extension =>
https://chrome.google.com/extensions/detail/aphncaagnlabkeipnbbicmcahnamibgb
56,542 users have instaled it (WoW)
############
explanation
############
Notifier for Google Wave allows users to view wen they have a new wave and
view a preview of it ....
If a attacker compose a new wave with html or javascript code in
body & send it to victim´s the code is executed wen Victim´s click in the
extension to view a preview of wave.
So for exploit we need to compose a "special" wave
for example if we put directly in the mail body a iframe like
"><iframe src="javascript:alert(location.href);"></iframe>
in the two cases the alert is executed wen try to preview the wave
with the extension :) it is executed in context location.href value is
"about:blank"
For example send a wave With a logout acction in google wave in body
"><iframe src="https://wave.google.com/wave/logout"></iframe>
it closes the sesion on google wave , this is a CSRF.
######################€nd#################################
.
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Categories:
browsers,
bug,
CSRF,
extensions,
security,
vulnerability,
XSS
Subscribe to:
Posts (Atom)