In doing some crossdomain.xml Flash research I noticed that YouTube’s policy file trusted *.google.com. They quickly removed it after I privately disclosed the following security flaw to Google.
My idea was that if an attacker could upload an arbitrary Flash movie (SWF) anywhere on the google.com domain, they could leverage that trust. So if an authenticated YouTube user visited an attacker-controlled page anywhere on the Web, the attacker could SRC in the google.com-hosted SWF and use it to compromise the victim's YouTube username, email address, first/last name, and viewing history, and even comment or post/delete videos.
Billy Rios blogged in the past about being able to upload arbitrary files to google.com, but the only place I could locate that allowed SWFs when I checked was Gmail. Maybe others?
Anyway, I emailed a SWF attachment to a Gmail account and located the download URL. Perfect, but the next problem was that even with the correct URL the victim is not authorized to view the file unless they are authenticated to THAT particular Gmail account. This is where the login-CSRF / identity misbinding trick the Stanford guys wrote up came in quite handy.
Here’s the step by step.
1) Attacker emails a special SWF to a Gmail account they control and locates the attachment download URL on google.com.
2) Logged-in YouTube user visits an attacker-controlled page.
3) Attacker forces their victim to authenticate to the attacker's Gmail account (identity misbinding / login CSRF).
4) Attacker embeds the SWF from the Gmail account into the web page.
5) Attacker now has read/write access to the victim's YouTube account.
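The root cause above is a crossdomain.xml that trusts an entire wildcard subtree, some host in which serves user-uploaded files. As an added example (not code from the post or from Google), here is a small policy checker that flags that pattern, run against two constructed sample policies: one shaped like the weak policy described above and one narrowed to exact hosts.

```python
"""Audit a Flash crossdomain.xml for over-broad trust (added example, not from the post).

YouTube's policy trusted *.google.com, so any SWF that could be hosted anywhere under
google.com (a Gmail attachment, in the post) inherited YouTube's cross-domain trust.
This checker flags the allow-access-from entries that create that exposure.
Both sample policies below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a whole wildcard subtree is trusted, as in the post.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.google.com" />
  <allow-access-from domain="*.youtube.com" secure="false" />
</cross-domain-policy>"""

# Constructed sample: trust narrowed to one exact host that serves no user-supplied files.
TIGHT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="www.youtube.com" secure="true" />
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of (domain, reason) findings for risky allow-access-from entries."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append((domain, "trusts every origin on the Web"))
        elif domain.startswith("*."):
            # A wildcard trusts every host under the suffix, including any host
            # that serves user-uploaded content (the Gmail-attachment case).
            findings.append((domain, "wildcard trusts every subdomain, including any that hosts user uploads"))
        if rule.get("secure", "true").lower() == "false":
            # secure="false" lets a SWF served over http:// reach an https:// site.
            findings.append((domain, 'secure="false" allows http:// SWFs to reach an https:// site'))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit_policy(policy))
```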
Video:
Clever eh? :) I'm sure Google/YouTube aren't the only places where this particular scenario is still possible.
Many thanks to Rich Cannings and Chris Evans from the Google Security team who shepherded this along!
11 comments:
very nice discovery man.
Been there, done that, got the t-shirt; will be presenting lots of Gmail 0day at Power of Community :p
Speaking of the login trick, why do I never get any credit for anything: http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html (I even spent a good portion of time explaining it at 24c3)
P.S. Damn Stanford team getting my gadgets 0day patched and not even knowing how to fully exploit it.
P.P.S Cool find though :) (Sorry, let my bitterness get in the way of what I meant to say yet again), I honestly hadn't even considered using an essentially logged-out XSF (Stefano's term) to abuse trust policies, thanks for the info :D
Sweet! I talked about using CSRF to log in to someone's Gmail account and pull an attachment at DEFCON 15 (Biting the Hand That Feeds You), but I wasn't creative enough to pull off an attack like this! Great job and way to put the pieces together!
Cool shit man!
Rios and I found some stuff similar to this that we talked about at DEFCON 15 (Biting the Hand That Feeds You), but this is a real interesting vector you leveraged there. It's also fairly similar to other content ownership issues that have been discussed, really it's things like this that led to the ideas for the GIFAR stuff.
I think you and I talked about how PDP and I talked about the GIFAR thing and realized we had went slightly different directions with the same thing. I find it real interesting how often people find their ideas intersecting on this stuff. We didn't get time to have our meeting at Vegas, but we should get a handful of minds together and talk about some of this stuff in the future, see what comes out of it.
That said, since you, Kuza, Rios and I have all found similar flaws with this, I couldn't help but point to a rap song that Rios and I wrote back in 1994 that claims our legitimacy to the pwnership of this research... here it goes:
"Listen close as life turns its pages McNasty here kickin rhymes for the ages
See things is changin
Wise words spoken by sages
From Skytel to Blackberry pagers
Your crew dont phase us
We'll make you busters pay us
Run up in yo spot like CJ from San Andreas
Rios and I wrote this sploit a long time ago
A real long time ago, can ya FEEL ME?
We wrote this sploit a long time ago
It was the dopest sploit that we wrote, back in 94"
Ok, I'm just kidding, we didn't write the sploit back in '94. And I didn't write that rap either. It came from Chappelle show... go watch that shit if you haven't seen it, it's hilarious.
Good stuff JG, peace!
@kuza55, I think this keeps happening to you. I might have to run my exploit blog posts by you from now on for a sanity check. :)
@Nate/Billy, thanks guys. So much research around the same areas. Just fitting the pieces together in interesting ways.
ohh... you're great man!!!
Very useful blog.
Thanks for sharing Jeremiah.
I created a link in my blog,
Msherm
http://illshare.wordpress.com
How did you SRC the SWF object? I copied the download URL location of a SWF attachment and used the param/object/embed stuff, but the SWF file didn't execute the JS code that was inside the Flash file.
I would like to know what/if Apple's Mobile Me mail has CSRF protection.
I pay about $100 bucks a year for my email account because I figured it was very secure and I could never lose my account as I use it for my business.
So, does this mean Google Gmail is more secure than Apple's Mobile Me mail?
Thanks in advance for any answer to this question.