In celebration of our acceptance to Black Hat Japan, we've decided to post the details on our Picasa exploit which allows an attacker to steal images from victims. Perhaps this should be the month of Google flaws considering our posts in this previous week and some of the posts that are on their way in the next week or two.
If you've read our previous post Say Cheese! then you know that Google's Picasa registers the picasa:// URI in the Windows registry and it is possible to abuse this registered URI through a Cross-Site Scripting exposure to steal a victim's images. My personal feeling on this issue is that it represents a HUGE privacy breach for users of Picasa. Ok, so without further dramatic build-up, you can find the gory details here and you can find the source code we use for the exploit here.
very interesting concept!!! nice
ReplyDelete[...] Rios and Nate McFeters revealed the gory details of their already announced Picasa exploit, leveraging a clever combo of XSS, Cross Application Request Forgery, Flash same domain policy [...]
ReplyDelete[...] Picasa exploit with detail, leveraging a clever combo of XSS, Cross Application Request Forgery, Flash same domain [...]
ReplyDeleteIt is way more work than I could say I would ever think of doing, but the proof of concept was very nice work. I love how you always tie everything together like that.
ReplyDeleteand then you install linux and stop bothering about stuff like this. good application btw :)
ReplyDeleteActually sjovan, there's a high likelihood this is vulnerable in Nix too, or at the very least attacks like it. I've mentioned numerous times now that *Nix has registered URI's as well.
ReplyDeleteThis is one of my favorite attacks that we've pulled off. Lot's of dynamic pieces.
yeah, i'm pretty happy with how it turned out too. the PoC is finally functioning correctly. the thing that was the toughest to get working reliably was the dns rebinding/anti-dns pinning. from everything i've read, flash does dns binding and *should* respect the ttl it receives but doesn't seem to. by comparison the rest was pretty easy.
ReplyDelete[...] scripting bug affligge invece il servizio aziendale Google Search Appliance mentre Google Picasa risulta essere vulnerabile ad un exploit in grado di permettere ad un cracker di prelevare delle immagini [...]
ReplyDelete[...] A Picasa exploit discovered by researchers Billy Rios and Nate McFeters that leverages a combination of XSS, cross [...]
ReplyDelete[...] example, it would be impossible for Microsoft to fix a recent Picasa flaw discovered by McFeters and Researcher Billy Rios. "The Picasa flaw is based on the [...]
ReplyDelete[...] example, it would be impossible for Microsoft to fix a recent Picasa flaw discovered by McFeters and Researcher Billy Rios. "The Picasa flaw is based on the [...]
ReplyDeleteHey Nate.. we met at San Diego airport and talked for a bit. We were both headed to Phoenix. Anyways, I couldn't find an email address and I didn't want to go "searching" for one, so I thought I'd post a comment here and hope you would respond to the email address I left. You can delete this comment
ReplyDelete[...] Unfortunately, URIs are also accessible to attackers through cross-site scripting (XSS), so an attacker can XSS a Picasa user, load Flash which doesn’t do DNS pinning (this JUST missed our list), and then steal the user’s images without any interaction or confirmation. [...]
ReplyDelete