Blogger.com doesn't care about security
Posted by: christ1an
Date: January 20, 2007 12:13PM

Hello,

Let me start with a quotation:
Quote:
When you report an XSS security problem in a web 2.0 site you usually assume it will get fixed as soon as possible. Obviously the guys at del.icio.us think different...
http://blog.php-security.org/archives/60-del.icio.us-doesnt-care-about-security.html
Well, obviously the guys at blogger.com think different too.

Nearly three weeks ago I reported an XSS flaw in the feed plugin, which I already mentioned here. Finally, after I mailed two times, I got a reply in which it was said that they would take action accordingly. I admit that hacking a blog is more or less senseless (though the existence of the possibility itself is quite interesting) but in the case of Google it is definitely dangerous. Imagine someone gets your cookies through the blog flaw, he'll not only have access to your weblog administration but nearly to all other Google features like Gmail, Analytics, Calendar, Picasa and whatsoever.

Apparently the Google guys have so much to do with developing new, not well tested and insecure features that they have no time to fix issues which are open for months. I'm currently thinking about another XSS vulnerability on Blogger, as eyeced pointed out in this thread: http://sla.ckers.org/forum/read.php?4,5496 ; and I am not even searching for bugs.

Comments?

Regards, Chris

Re: Blogger.com doesn't care about security
Posted by: kuza55
Date: January 20, 2007 05:29PM

I think they don't care because the XSS is on a blogspot domain, and AFAIK blogspot doesn't use any cookies or any method of identifying users.

This might be different on private blogs, but I haven't seen any so I'm not 100% sure.

So even though it is in a Google service, it's been segregated in such a way that an XSS hole in a blog will not affect any login credentials - the worst thing you can do is add/edit content.

Re: Blogger.com doesn't care about security
Posted by: christ1an
Date: January 21, 2007 04:53AM

I don't think so but I'm going to check this right now and blog about it. Hopefully you are right.

By the way:
Firefox shows me the same "SID" (it's not really a session id but rather a long key) in the blogger.com file as in the google.com file. We'll see what can be done with it.

Edit:
Apparently you can't do anything like cookie stealing through these XSS flaws. That means up to this point I was wrong. They do use cookies to identify users but these cookies are on blogger.com, not on the subdomains which are vulnerable to XSS.

Nevertheless it is still unacceptable behaviour.



Edited 1 time(s). Last edit at 01/21/2007 06:23AM by christ1an.

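The domain segregation kuza55 describes and christ1an confirms in his edit (login cookies on blogger.com, XSS-prone user content on the blogspot subdomains) comes down to how browsers scope cookies by host. As an added illustration that is not from this thread or from Google, the following Python models which cookies a script injected on a given host could read under RFC 6265 domain-match rules, contrasting a segregated layout with one where the login cookie is set on the shared content domain. The cookie names, hosts and both example jars are constructed for the demonstration, not observed from the real services.

```python
"""Which cookies can an injected script read on a given origin?

Added example (not from the thread): models the cookie-domain
segregation kuza55 and christ1an describe, using RFC 6265 domain
matching. Hosts, cookie names and jars below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # host the cookie was set for, without leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match, case-insensitive.

    A request host matches a cookie domain when it is identical to it or
    is a subdomain of it (the dot is required, so notblogspot.com does
    not match blogspot.com).
    """
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def script_visible_cookies(jar, origin_host: str) -> list:
    """Names a document.cookie read on origin_host would return.

    HttpOnly cookies are never exposed to script; host-only cookies are
    exposed only on the exact host; Domain-scoped cookies on every
    matching subdomain, which is why a cookie set for a shared
    user-content domain is readable from every blog hosted on it.
    """
    visible = []
    for c in jar:
        if c.http_only:
            continue
        if c.host_only:
            if origin_host.lower() == c.domain.lower():
                visible.append(c.name)
        elif domain_matches(origin_host, c.domain):
            visible.append(c.name)
    return sorted(visible)


# Constructed jar 1: the layout kuza55 infers. The login cookie lives only
# on the administration host and is HttpOnly; the user-content domain
# carries nothing sensitive.
SEGREGATED_JAR = [
    Cookie("SID", "www.blogger.com", host_only=True, http_only=True),
    Cookie("PREF", "google.com", host_only=False),
    Cookie("blogspot_theme", "blogspot.com", host_only=False),
]

# Constructed jar 2: the mistake the thread warns against. The login cookie
# was set with Domain=.blogspot.com and without HttpOnly, so an XSS in any
# blog on the shared domain can read it.
SHARED_JAR = [
    Cookie("SID", "blogspot.com", host_only=False, http_only=False),
    Cookie("blogspot_theme", "blogspot.com", host_only=False),
]

if __name__ == "__main__":
    for label, jar in (("segregated", SEGREGATED_JAR), ("shared", SHARED_JAR)):
        print(label, "victim.blogspot.com ->",
              script_visible_cookies(jar, "victim.blogspot.com"))
```

The two checks a defender takes from this: a session cookie must be scoped to the administration host only (no Domain attribute covering the user-content domain) and must carry HttpOnly, so that an XSS on any subdomain of the content domain sees nothing worth stealing.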
Re: Blogger.com doesn't care about security
Posted by: christ1an
Date: February 09, 2007 07:44AM

Well, time to correct my previous statement. While I was a bit bored yesterday, I decided to look again at this blogspot issue. Of course it's not fixed yet.

It turned out that it definitely is possible to get full access to a user's blog administration by the feed flaw as it is possible to steal the cookie on the blogger.com domain. I explained this here: http://christ1an.blogspot.com/2007/01/blogspot-bugreports.html , for those who don't understand German, just look at the link in the passage next to the last and you'll probably get what I'm pointing at.

(I just didn't want to leave this thread incomplete.)



Edited 1 time(s). Last edit at 02/09/2007 01:00PM by christ1an.

Re: Blogger.com doesn't care about security
Posted by: id
Date: February 09, 2007 12:01PM

Thanks for the update christ1an.

-id

Re: Blogger.com doesn't care about security
Posted by: hackathology
Date: March 17, 2007 07:35AM

Sometimes I just don't understand why big companies see XSS as a small prob. They must be fully compromised to see the degree of damage.

http://hackathology.blogspot.com
