Comments on Jeremiah Grossman: Gmail, XSRF, JSON, Call-Back Hackery

Anonymous, 2007-01-03 12:30
well this is far more obvious than an undeclared Array.. before you blogged about that, i never would've considered overwriting the array constructor.

But putting a callback function, it should be obvious that a remote website could access that info .. so it's something google needs to workaround.

As for those workarounds, the simplest that comes to mind is to just whitelist domains that need it. Google will need to check multiple subdomains but in its simplest form:

if (document.domain == "www.google.com") { callBack(blah) };

Jeremiah Grossman, 2007-01-03 12:49
I'll have to think more deeply on that solution, sounds workable, though management might be an issue.

Another question is what about those "authenticated" web services that want to deliver call-back wrapped JSON feeds. You know, for mash-ups customized for a specific user.

I don't think you can in a safe/secure way.

Anonymous, 2007-01-03 13:25
you're right about management, for a big website like google who has a bunch of subdomains and adds more with every new beta project .. tokens in the link are still probably the best practice.

IIRC, their while(1) solution for the array one was effective but still seemed unprofessional looking. I'm not sure if anyone's explored too deeply into JSON's insecurities.. but it's seeming quite dangerous. Which is sad, cuz i love its elegance over ugly looking XHR calls :/

And i'm not sure what you mean by auth web services, can you elaborate? o.O

Jeremiah Grossman, 2007-01-03 13:32
> tokens in the link are still probably the best practice.

Yah, probably. Just hard to implement after the fact, especially for static content. And painful since the vuln is really on the client.

> IIRC, their while(1) solution for the array one was effective but still seemed unprofessional looking.

I agree. Seemed effective though.

> I'm not sure if anyone's explored too deeply into JSON's insecurities.. but it's seeming quite dangerous.

Only really a handful of people probably have looked deeply into the subject. There is a lot more in there, I assure you. :)

> And i'm not sure what you mean by auth web services, can you elaborate? o.O

Let's say Google wanted third-party developers to be able to utilize a user's Gmail contact list to create mash-ups in this way. To do that, a user would have to be "authed" when making the CSRF request. That's what I meant. So by doing so, that data is GOING to be revealed to the third-party no matter what.

Point being, unless you're prepared to share that data with the third-party you can't do this type of authenticated data mash-up.

Anonymous, 2007-01-03 14:50
> So by doing so, that data is GOING to be revealed to the third-party no matter what.

Well i think that's always been the case with third-party extensions in any web technology - unless they restrict it all to iframes or dynamic images. (which at the very least, they better do the login part solely by a google iframe - i really can't trust 3rd parties with my password)

So aside from those two methods, both of which lack customization, if you're allowing 3rd parties to display private info, i don't think you can prevent them from recording it.

The whole 'import contact lists to search for buddies' idea is a terrible one security-wise IMO, and can't be secured. :T

Jeremiah Grossman, 2007-01-03 14:53
> if you're allowing 3rd parties to display private info, i don't think you can prevent them from recording it.

Yep, that's essentially it. And I think also a limited JSON adoption in mash-up creation.

Anonymous, 2010-12-04 05:13
What happened to the "Gmail Contact List CSRF Vulnerability" link from your article? It's dead. Anyone know where the article went?

Jeremiah Grossman, 2010-12-04 08:52
@Anonymous: gone I guess, try the archive. http://web.archive.org/web/20071010053647/http://www.cyber-knowledge.net/blog/2007/01/01/gmail-vulnerable-to-contact-list-hijacking/

taiseer, 2016-11-15 13:19
do you want to study abroad today or in the next intake. we are the best and top rated study abroad consultancies in India with good visa assurance. we help you in filing the f1 visa for you in very less time. usa foreign education consultants in hyderabad (http://rakabroad.in/usa-study-abroad-education-consultants/) we also help you with the information needed to apply for the college or university.

taiseer, 2016-11-15 13:21
do you want to study abroad today or in the next intake. we are the best and top rated study abroad consultancies in India with good visa assurance. we help you in filing the f1 visa for you in very less time. education consultants in hyderabad (http://rakabroad.in/usa-study-abroad-education-consultants/) we also help you with the information needed to apply for the college or university.

Tooba Waqar, 2016-12-10 01:47
Thanks! All examples are simple and very beautifully explained, even someone who does not know much about Web services can get the hang of them.
web designing company Pakistan (http://webdesignrz.wixsite.com/webdevelopment)