lord_casek Posted November 20, 2010 Share Posted November 20, 2010 Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of http://guntada.blogspot.com (don’t visit that site just yet) emailed us this morning to explain. If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately. And it even works in “incognito” mode (also known as porn mode). What is the exploit? We don’t know, and Google has yet to respond to us about it. We note that the site doing the exploiting is on Google’s own blogging platform. One developer we spoke with was confused as well, saying: i have no idea what this is exploiting but there’s a decent chance it has something to do with Friend Connect and the way it passes data between iFrames (ie yes, it very well could be opensocial related). whatever is going on it’s an extremely serious security and privacy violation and i am confident google will address this in moments counted in minutes. i can’t recall ever having seen anything like this on a major IdP’s website. it’s scary stuff. If you insist on trying this yourself (hey, I did), the email to you will likely be in your spam filter. This isn’t a particularly dangerous exploit, but it sure is something a lot of people would love to have on their own sites. The ability to harvest emails from anyone already signed into Google, not to mention just see exactly who’s visiting the site, is extremely valuable. See the second comment thread here for a related issue with App Engine a month ago. http://techcrunch.com/2010/11/20/whoa-google-thats-a-pretty-big-security-hole/ Quote Link to comment Share on other sites More sharing options...
injury Posted November 20, 2010 Share Posted November 20, 2010 yikes. Quote Link to comment Share on other sites More sharing options...
Crocodile Tears Posted November 20, 2010 Share Posted November 20, 2010 Quote Link to comment Share on other sites More sharing options...
~KRYLON2~ Posted November 20, 2010 Share Posted November 20, 2010 i wanna learn how to do this kinda stuff Quote Link to comment Share on other sites More sharing options...
lord_casek Posted November 20, 2010 Author Share Posted November 20, 2010 i wanna learn how to do this kinda stuff Read a lot. Join "smash the stack", "hack this site", or one of the other hacking sites, read more netsec books, join forums related to netsec, get certified, make money. 2 Quote Link to comment Share on other sites More sharing options...
~KRYLON2~ Posted November 20, 2010 Share Posted November 20, 2010 check Quote Link to comment Share on other sites More sharing options...
Cro. Posted November 20, 2010 Share Posted November 20, 2010 i never got the email. Quote Link to comment Share on other sites More sharing options...
KILZ FILLZ Posted November 20, 2010 Share Posted November 20, 2010 "That's what she said" 1 Quote Link to comment Share on other sites More sharing options...
TACO_KING Posted November 20, 2010 Share Posted November 20, 2010 Quote Link to comment Share on other sites More sharing options...
lord_casek Posted November 20, 2010 Author Share Posted November 20, 2010 i never got the email. Site is down. Quote Link to comment Share on other sites More sharing options...
RIPS Posted November 20, 2010 Share Posted November 20, 2010 http://www.youtube.com/watch?v=RSpXEPl3zeU Quote Link to comment Share on other sites More sharing options...
andrewreynoldsx Posted November 21, 2010 Share Posted November 21, 2010 and i raise you, http://www.youtube.com/watch?v=kcYg4fZEDzg Quote Link to comment Share on other sites More sharing options...
CALIgula Posted November 21, 2010 Share Posted November 21, 2010 just make sure you sign out of your gmail or facebook when youre done. anyone remember when weaponxxx made that thread with the facebook link? Quote Link to comment Share on other sites More sharing options...
POINTFIVE Posted November 21, 2010 Share Posted November 21, 2010 <>< lol also xss Quote Link to comment Share on other sites More sharing options...
CALIgula Posted November 21, 2010 Share Posted November 21, 2010 gone phishing <>< damn...you took it back to the aol days right there. i had like 5 phished accounts...a bunch of proggies for pinting and punting fools. i really wanted one of those OH accounts though. Quote Link to comment Share on other sites More sharing options...
KILZ FILLZ Posted November 21, 2010 Share Posted November 21, 2010 Aol private room PROGZ, yellow,pepsi,tits,vb3 1 Quote Link to comment Share on other sites More sharing options...
CALIgula Posted November 21, 2010 Share Posted November 21, 2010 back in 98 i was in the aol private rooms mp3, mp32, mp33, etc.. then youd request the list from the server.....i had a nice prog that would convert the list to where you could just double click the files you wanted to get sent to you. except each song would take about 35 minutes to download...lol. i still have the aol 3.0 disks. Quote Link to comment Share on other sites More sharing options...
Spitfire15 Posted November 21, 2010 Share Posted November 21, 2010 anyone remember when weaponxxx made that thread with the facebook link? This needs to be done again. This whole crop of new guys would shit their pants. Quote Link to comment Share on other sites More sharing options...
50million Posted November 21, 2010 Share Posted November 21, 2010 yeah i joined some bay area group on facebook and i got a ton of emails from them. Quote Link to comment Share on other sites More sharing options...
blacken Posted November 21, 2010 Share Posted November 21, 2010 This needs to be done again. This whole crop of new guys would shit their pants. I faintly remember this but I was not down with anything facebook at the time. Quote Link to comment Share on other sites More sharing options...
BlackbookKWC Posted November 21, 2010 Share Posted November 21, 2010 this shit is crazy. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.