Here I have found a vulnerability in the most secure Gmail from Google.
IT IS STILL UNPATCHED. SO USE IT FOR EDUCATIONAL PURPOSES ONLY. DON'T TAKE IT TO THE BLACK SIDE OF YOUR THOUGHTS.
First of all, I reported this bug on 6/11/2014.
Here below is the raw report that I submitted to Google.
6/11/2014
--------------------------------------------------------------------------------------------------------------------------
Hey Google Security,
I have named this bug "Gmail's alert box as attacker's playground".
The affected views of Gmail are the mobile and desktop views (both non-JavaScript):
Desktop - https://mail.google.com/u/0/h
Mobile - https://mail.google.com/u/0/x
An attacker has full control over what message appears inside Gmail's standard notification box. He is also able to interrupt the whole Gmail service in the victim's browser, which will then return a 500 Internal Server Error from the Google server. And he can also un-interrupt or unblock the Gmail service that was blocked previously.
And the main point here is that the whole process can be done in real time, and the attacker can be in any (remote) location to control the victim's browser.
Here below goes my reproduction section.
The affected URL is:
https://mail.google.com/mail/u/0/h/1r492fk6i9hhd/?v=prfap&bu=pfwd&scd=1&idmc=wf<Here goes the crafted message>%3E
The above URL will set a cookie GMAIL_NOTI and redirect to Gmail with the message in Gmail's standard notification box.
Just replace the crafted message section with a payload like this: "<<<".
This will set a GMAIL_NOTI cookie. After the redirection, the server will return a 500 Internal Server Error, until the GMAIL_NOTI cookie is cleared out.
How is it useful, and how can an attacker control the whole process remotely? That goes below in the "How an attacker can use this against a victim" section.
How an attacker can use this against a victim??
---------------------------------------------------------
First of all, I already mentioned that this is a lack of CSRF protection. So I am pointing to the main points only, as described below.
3 main operations an attacker is able to perform against a victim remotely:
A) Interrupt the whole Gmail service in the victim's browser,
B) And also un-interrupt or unlock the previously interrupted Gmail service,
C) The main annoying point is that he can put dynamic text-based ads or phishing messages in Gmail's standard alert box.
And once more mentioning that all operations controlled by the attacker happen in real time and from a remote location.
STEPS :-
HOW AN ATTACKER CAN USE THIS BUG
---------------------------------------------------------------------
A) As we already know this is a kind of CSRF vulnerability, so first of all the victim needs to be served with the attacker's page.
B) After the victim opens the attacker's page, he can open Gmail in a new tab and continue the process as it is...
C) Now the attacker has full control over the alert box of Gmail and can interrupt and un-interrupt the whole Gmail service in the victim's browser.
So here below goes the brief,
REAL LIFE SCENARIO
-------------------------------
A) The victim is shared an attacker's page containing a script which is executed repeatedly, every 5 seconds.
Note :- The sharing process is vast and the content of the page can be anything that attracts the victim and keeps the page open until his browsing session ends. And the URLs and techniques used here are only for explaining the bug; more for an attack against a real user may vary, it's up to your thoughts.
Explanation of the execution of the code in the attacker's page.
------------------------------------------------------------------------
The URL going to be shared with the victim is:
https://googledrive.com/host/0BybXBiqiGLDhNXpqTVg5ZlpCaGs/googleRemoteControl.html
When he/she opens the above URL it will just give a blank page. But the hidden script will get executed. And I know you techie guys can just catch up with my JavaScript code in my above-mentioned page, so I am not getting deeper. Here below go the steps the script will do.
1) First of all it will send a request to
https://mail.google.com/mail/u/0/h/17qgf1e1195tm/?v=prfap&bu=pfwd&scd=1&idmc=wfHey+there+whatsup+iam+shihab+over+here%3E
embedded in a script element.
2) It then starts a timer with an interval of 5000 ms, i.e. every 5 seconds the script will execute repeatedly in the background.
It just grabs the content of the text file "ssoft.txt" in the current directory of the attacker's page. That is, it contains a JSON string which instructs the page what to do. An example of the JSON string goes below.
[
{
"message": "This is the example of Advertisement 1.Can be also some phishing.Yours",
"payload": "interruptGmail"
},
{
"message": "This is the example of Advertisement 2.Can be also some phishing.Yours"
},
{
"message": "This is the example of Advertisement 3.Can be also some phishing.Yours"
}
]
NOTE :- The text file "ssoft.txt" is modified in real time from anywhere by the attacker, so that he can post text-based ads like the above. And also he can make the whole Gmail service interrupted; that will be explained below. And here I use the Google Drive sync application on Windows, so that I can modify the text file "ssoft.txt" in real time and Google Drive automatically synchronises the file to the servers.
3) The script then checks the 0th index of the JSON-parsed JavaScript array (i.e., as per the JSON string above it will return an array of 3 elements), and checks for the "payload" attribute of the array element (0th index).
Then there are two cases:
a) If the content of payload matches the string "interruptGmail" then it will create a dynamic script element and assign the src attribute of the script to the URL below
https://mail.google.com/mail/u/0/h/17qgf1e1195tm/?v=prfap&bu=pfwd&scd=1&idmc=wf%3c%3e
It will block the whole Gmail service with a 500 error (already described above).
b) If the content doesn't match the string "interruptGmail" then it will create a dynamic script element and assign the src attribute of the script to the URL below
https://mail.google.com/mail/u/0/h/17qgf1e1195tm/?v=prfap&bu=pfwd&scd=1&idmc=wf<Message>%3E
The message section will contain one of the strings from the JSON-parsed array, and the index of the array is chosen randomly. So the attacker can make it show random ads from the list.
Any previously blocked or interrupted Gmail (500 error) is cleared out, and the randomly chosen ad or phishing message, which is up to the attacker, is just rendered in Gmail's alert box.
So that's all. With this process an attacker has different ways to exploit this, such as phishing or posting ads, etc., because it is rendered in Gmail's standard notification box.
It's up to your thoughts.
And if I missed anything or there is anything that you can't understand, just reply to me.
And if you guys wanna test it in real time, I have shared the "ssoft.txt" file and made it editable.
https://drive.google.com/file/d/0BybXBiqiGLDhSDdwR3Z0UGhnNTA/view?usp=sharing
--SHIHAB
----------------------------------------------------------
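Editor's added example (not part of SHIHAB's report and not Google's code): a small Python model of the "message carried in a cookie" flow the report describes, with the naive pattern beside a hardened one. It shows the three defensive changes a reviewer of such a feature would ask for: a per-session anti-CSRF token on the state-setting request (so a cross-site script element cannot trigger it), validation of the text before it is stored and escaping at output, and fail-safe handling of a malformed cookie so it is discarded instead of wedging every page load in a 500. The cookie name GMAIL_NOTI comes from the report; the "wf" prefix handling, the `tok` parameter, the character allowlist and the `_fragile_render` stand-in for a renderer that chokes on unbalanced markup are assumptions made for illustration.

```python
import html
import hmac
import re
from typing import Dict, Optional, Tuple

# Response = (HTTP status, body, cookies to set; a None value means "delete").
Response = Tuple[int, str, Dict[str, Optional[str]]]

NOTI_COOKIE = "GMAIL_NOTI"  # cookie name quoted in the report above
MAX_NOTI_LEN = 200          # assumed bound on a banner message
# Assumed allowlist: plain text only, so no markup can ever reach the cookie.
NOTI_ALLOWED = re.compile(r"[\w .,!?'-]{1,%d}" % MAX_NOTI_LEN)
INBOX = "<div id=inbox></div>"


def _strip_prefix(msg: str) -> str:
    # The report's URLs carry the text as idmc=wf<message>%3E; assumed "wf" prefix is dropped.
    return msg[2:] if msg.startswith("wf") else msg


def _fragile_render(raw: str) -> str:
    """Constructed stand-in for a renderer that assumes the stored text is
    well-formed markup: any unbalanced '<' makes it throw (-> 500)."""
    depth = 0
    for ch in raw:
        depth += 1 if ch == "<" else -1 if ch == ">" else 0
        if depth < 0:
            raise ValueError("unbalanced markup")
    if depth != 0:
        raise ValueError("unbalanced markup")
    return raw


def naive_set_noti(params: Dict[str, str]) -> Response:
    """Pattern described in the report: any GET (so any cross-site <script src>)
    stores the message verbatim in a persistent cookie, with no origin or token check."""
    return 302, "", {NOTI_COOKIE: _strip_prefix(params.get("idmc", ""))}


def naive_show_page(cookies: Dict[str, str]) -> Response:
    """Re-renders the cookie on every page load; a malformed value keeps
    producing 500s until the user clears the cookie by hand."""
    raw = cookies.get(NOTI_COOKIE)
    if raw is None:
        return 200, INBOX, {}
    try:
        return 200, f'<div class="yellowbox">{_fragile_render(raw)}</div>{INBOX}', {}
    except ValueError:
        return 500, "Internal Server Error", {}


def hardened_set_noti(params: Dict[str, str], session_token: str) -> Response:
    """Same feature with the three defensive changes applied."""
    # 1. A request that changes UI state must carry the per-session anti-CSRF
    #    token (assumed parameter 'tok'); a third-party page cannot know it.
    if not hmac.compare_digest(params.get("tok", "").encode(), session_token.encode()):
        return 403, "missing or invalid anti-CSRF token", {}
    # 2. Validate before storing: bounded plain text only.
    msg = _strip_prefix(params.get("idmc", ""))
    if not NOTI_ALLOWED.fullmatch(msg):
        return 400, "invalid notification text", {}
    return 302, "", {NOTI_COOKIE: msg}


def hardened_show_page(cookies: Dict[str, str]) -> Response:
    raw = cookies.get(NOTI_COOKIE)
    if raw is None:
        return 200, INBOX, {}
    # 3. Fail safe: a cookie that no longer validates is discarded, never
    #    rendered, and never allowed to wedge the page in a 500 loop.
    if not NOTI_ALLOWED.fullmatch(raw):
        return 200, INBOX, {NOTI_COOKIE: None}
    # Escape at output and consume the cookie so the banner is shown once.
    return 200, f'<div class="yellowbox">{html.escape(raw)}</div>{INBOX}', {NOTI_COOKIE: None}


def apply_cookies(jar: Dict[str, str], set_cookies: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Tiny browser cookie jar: apply Set-Cookie results to a copy of the jar."""
    out = dict(jar)
    for name, value in set_cookies.items():
        if value is None:
            out.pop(name, None)
        else:
            out[name] = value
    return out


if __name__ == "__main__":
    jar = apply_cookies({}, naive_set_noti({"idmc": "wf<<<"})[2])
    print("naive, two loads after '<<<':", naive_show_page(jar)[0], naive_show_page(jar)[0])
    tok = "constructed-session-token"  # constructed value, would be per-session in practice
    print("hardened, no token:", hardened_set_noti({"idmc": "wf<<<"}, tok)[0])
    print("hardened, bad text:", hardened_set_noti({"idmc": "wf<<<", "tok": tok}, tok)[0])
    jar = apply_cookies({}, hardened_set_noti({"idmc": "wfSettings saved", "tok": tok}, tok)[2])
    print("hardened, legitimate:", hardened_show_page(jar)[:2])
```

The naive pair reproduces the two effects the report describes: a balanced fragment stored in the cookie is rendered as-is into the banner, and an unbalanced one turns every following page load into a 500 until the cookie goes away. The hardened pair never stores anything a third-party page can trigger, never stores anything but plain text, and treats a bad cookie as something to drop rather than something to crash on.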
I got a response on 7/11/2014
----------------------------------------------------------
Hey - Just letting you know that your report was triaged and we're currently looking into it. You should receive a response in a couple of days, but it might take up to a week if we're particularly busy.
Thanks,
Google Security Team
----------------------------------------------------------
After two days, I got a response back on 10/11/2014
----------------------------------------------------------
Hey,
Thanks for your bug report. We've taken a look at your submission and can confirm this is not a security vulnerability. To be able to start an attack, the attacker would have to know the secret value in the URL (the one after /u/0/h/ ). Have you been able to obtain this value without already having access to the victim account?
Regards,
Krzysztof, Google Security Team
Krzysztof, a member of the Google Security Team, told me that it is not a security vulnerability :-). And with a big question:
Have you been able to obtain this value without already having access to the victim account?
Sorry Krzysztof, I don't want to obtain this value because it doesn't matter. :) Here below, why?
-------------------------------------------------------
On the same day, 10/11/2014, I replied to him why.
---------------------------------------------------------------------
-------------------------------------------------------------------------
After that I never got a response for 5 days; on the 6th day I got a response on 16/11/2014.
-----------------------------------------------------------
Hi,
Thanks for your report. This report looks like a duplicate of another case 5-3148000005303 that is also reported by you, so I'll close this one as duplicate and process the case 5-3148000005303.
Regards,
Quan, Google Security Team.
It is just a case of duplication, as I accidentally submitted the same report twice with different emails.
--------------------------------------------------------------------------
So I tried to reopen the case 5-3148000005303 as said by Quan, on the same day 16/11/2014. He replied to me by asking a question.
Hi,
Thanks for your report. Whenever I click the following link:
https://mail.google.com/mail/u/0/h/anything/?v=prfap&bu=pfwd&scd=1&idmc=wfanotheranything%3E
nothing happens. It's only redirected to "Forwarding and POP/IMAP" when I copy/paste the link in the browser, so I'm not sure what the attack's scenario is. You mention that you have a kind of Proof of Concept: googleRemoteControl.html. Could you please make it work such that whenever I access it I see the repeated alerts in my Gmail testing account?
Regards,
Quan, Google Security Team.
--------------------------------------------------------------------------
Are you getting bored? IT'S A BIG NO, I am thinking so, because it's an interesting topic about security, and more interesting about our conversation.
On the next day, I clarified my stand to him, on 17/11/2014
--------------------------------------------------------------------------
Hey Quan, Sorry for the long delay replying to you. As you have said, whenever you follow the link by clicking or copy-pasting, nothing happens in your browser. OK, I will get you in deeper. I am mentioning the alert box as GMAIL's standard notification box (in which all alerts are shown, that means a yellow box with the text in it, and not the JavaScript alert box). The picture is provided below for better understanding. So after you followed the link:
https://mail.google.com/mail/u/0/h/anything/?v=prfap&bu=pfwd&scd=1&idmc=wfanotheranything%3E
The message will be shown like in the below picture.
https://googledrive.com/host/0BybXBiqiGLDhNXpqTVg5ZlpCaGs/googCSRF.png
And you have asked me to provide the POC googleRemoteControl.html. It seems you haven't yet read my report carefully, because I have already mentioned the link for that. Better putting it once more, just follow this URL by clicking it below.
https://googledrive.com/host/0BybXBiqiGLDhNXpqTVg5ZlpCaGs/googleRemoteControl.html
And follow the simple instructions over there. And at last you will encounter that Gmail's notification box is filled with ads posted by the attacker through his page. And maybe also some phishing, because the message is in the heart of the GMAIL page. And I already mentioned in my report that the attacker's page reads instructions and ads or phishing messages from a file called "ssoft.txt" on the same attacker's server. So the attacker can have full access to the alert box of the victim, and he also has the option to interrupt the whole Gmail service in the victim's browser and also un-interrupt it.
NOTE :- The victim can't ever access the non-JavaScript version of both mobile and desktop GMAIL in the interrupted state. But he has access to the modern or latest UI (/u/0/ or /mu/mp). But most users facing a slow internet connection will move onto that. (Oh, it's not the topic here right now.) So the two main advantages of the attacker: he could be REMOTE and REALTIME. And if you wanna know more, just read my report carefully once more. I have provided it all in that, also the link for ssoft.txt and how to edit instructions.
NOTE :- If you can't access or edit ssoft.txt directly, it's not a problem, because it is provided just for demonstration. And you can reproduce it whatever way you want. It's up to your thoughts.
Keep in touch,
---SHIHAB :)
--------------------------------------------------------------------
AT LAST, ON THE SAME DAY 17/11/2014, I GOT A GOOD RESPONSE FROM QUAN.
--------------------------------------------------------------------
Hi spk674,
Nice catch! Thanks for your clarification. I’ve filed a bug and will update you once we’ve got more information.
Regards,
Quan, Google Security Team
--------------------------------------------------------------------
Some conversations went on between 17/11/2014 and 20/11/2014. I don't wanna bore you, my precious visitors, reading those also. At last I got awarded on the day 20/11/2014 by Kevin (Google Security). I had my name listed just on the Honorable Mention page.
May I ask, is it fair? Is this the way Google handles vulnerabilities? I just got my name on the Honorable Mentions page, not even with a 100$ penny :). You visitors wanna make a decision. I have told my full story from 6/11/2014 to 20/11/2014.
And do you think I am faking you guys?
NO NEVER EVER
Just move on to the URL below and search for ShihabSoft or revealedtricks4u.blogspot.com
http://www.google.co.in/about/appsecurity/hall-of-fame/distinction/
You can find my name on there. Hope you understand me. Thank you very much for reading this whole post. Any doubts or queries, just express them in the comments. I am here to assist you.
:) SHIHAB