
Thread: So gmail was hacked

  1. #11
    Senior Member SnugglesTheBear's Avatar
    Join Date
    Jun 2010
    Posts
    133
    Well, there is the problem! Letting IE save your passwords is a major problem because all an XSS attack needs to know is where IE stores them. There is also a plethora of tools that crack IE in this same fashion. Tell your friends that storing their passwords is more dangerous than worrying about key loggers. =P

  2. #12
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Yeap...Snuggles is right.

    A lot of that malware targets the pstore file specifically


    MLF
    Last edited by morganlefay; July 9th, 2010 at 11:56 AM. Reason: spell as usual
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #13
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Hi Guys,

    Thanks for that. They weren't saving it in native I.E.; it was a toolbar plugin that saves it. Would this have the same effect as you suggest above? Wouldn't AV stop this attack?
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  4. #14
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Toolbar that stores passwords???

    That's just wrong on so many levels... I have no words


    And no... AV doesn't stop a lot of these things

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #15
    Senior Member SnugglesTheBear's Avatar
    Join Date
    Jun 2010
    Posts
    133
    You see, the beauty of XSS is that it is your browser that runs the code. There are some protections you can use, like turning scripts off or blocking most of them, but AV won't really stop a malicious site. NoScript even has problems blocking malicious scripts from time to time. Also, I agree with Morgan, a plug-in that saves passwords sounds shady at best. I suggest changing passwords and not using IE or that plug-in/toolbar.
    Last edited by SnugglesTheBear; July 9th, 2010 at 03:16 PM.

  6. #16
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Cool, thanks for all the replies.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  7. #17
    HYBR|D
    Guest
    Quote, originally posted by SnugglesTheBear:
    "I suggest changing passwords and not using IE or that plug-in/toolbar"
    People wouldn't have these issues if they didn't run as Administrator, ran their updates regularly and didn't continually download nakedbritneyspears.JPG.exe all the time.

    The not using IE thing is a load of bull... Heck, I am still using IE7, not because I have to or because I can't update etc. I use it because I like it, and it suits my needs and does what I want.


  8. #18
    Senior Member SnugglesTheBear's Avatar
    Join Date
    Jun 2010
    Posts
    133
    Well, not only does IE not conform to W3C standards like the rest of the world, it is bloated and inefficient IMO. What you say is true though, Hybrid: if you don't run as administrator you can minimize the amount of damage an XSS attack could do. However, they can still have their sessions/private information stolen via an XSS attack. But that is a problem with many popular browsers. The big problem with IE, and especially older versions of IE like IE7, in terms of security is its use of ActiveX. Yes, you can disable it, but there exists code that can unset the killbit for ActiveX and so disabling it doesn't really work. ActiveX alone can give a rogue script complete access to your machine and results in a drive-by download. This is a huge security flaw thanks to the designers at M$. Eventually M$ just did away with all the ActiveX nonsense, but you would appear to still have it =P But if you want a recent example, in January 2010 there was a big exploit targeting older versions of I.E. with a 0day. Here is a link detailing it =P
    http://praetorianprefect.com/archive...oit-in-action/

    The funny thing is that M$ knew about the hole for months, just never got around to fixing it =P Just another reason why closed source is less secure

  9. #19
    HYBR|D
    Guest
    Ahhh, "Aurora", that seductive vixen, good times, good times. Nice example, Snuggles, I remember discussing that wonderful 0-day.

    Anyhow, good points regarding IE, but as you did indeed mention, all browsers are vulnerable. You mentioned killbits etc. I dislike those sorts of "Vulns" the same as the next guy. The reason why I don't move to a "More Secure" browser is because IE7 just works the way I want a browser to work.

    There are nifty little "app"-like things that can be configured to stop those drive-by killbit bugs from happening. Also, you mentioned cookie stealing for passwords etc.? I would imagine from the OP that maybe the users were using a spyware toolbar to begin with.

    So of course they would eventually have their login credentials lifted in plain text if they used the toolbar to save form information.

    Also, do you know much about "Proxomitron"? Great little web filter, lets you filter out pretty much anything you like. Works lovely.

    Sorry for talking riddles, busy busy busy. Will re-edit and clean up this post and make it more engrish later.

  10. #20
    Senior Member SnugglesTheBear's Avatar
    Join Date
    Jun 2010
    Posts
    133
    I use more current web filters than Proxomitron =P, but when I am feeling especially paranoid, I use Tor for close to true anonymity, though it is incredibly slow.

    On the terms of the XSS, I wasn't referring to password stealing so much, though that can be accomplished if they let their browser save their password, as I was referring to session stealing. So say I am logged into gmail and checking my mail but then I go to another page without logging out of gmail, so my browser still has all my authenticated cookies. The server hosting the other page can then easily jump into my mail using my browser's credentials by telling my browser to do just that. I suggest reading this nifty little handbook http://code.google.com/p/browsersec/wiki/Main
    It is a gnarly read as the surfers would say especially if you are into web development =P
    But anywho boo, the reason why I didn't suspect a session stealing attack from the OP was because most attacks of that type are done by sending the victim an email that has a link to a malicious site so the attacker is pretty sure that the victim is logged in from the beginning. So, I guess I was assuming that the users were able to tell legitimate vs illegitimate email. Both ways could have happened, but the XSS attack will only be effective for as long as the attacker stays logged in.

    IE has plenty of code to try and stop many of the attacks that unset the killbit, but eventually M$ decided that it was just a bad idea to begin with since it wasn't too much of a leap to subvert most of those protections >.< Blech, the reason browsers are so insecure is because of band-aid patching like that, as well as very loose protocols/standards, as the handbook I linked goes over very thoroughly (seriously, check it out if you are interested in browser security).

    I didn't say ALL browsers were insecure. I simply stated most popular browsers are insecure, some more than others, but that boils down to their implementation of scripting. The power behind web languages like JavaScript (which has a kind of funny history where Netscape threw it together very haphazardly and quickly), as well as many mistakes that were made in the design of the web, such as loose standards of HTML and URL rendering etc. etc., lead browsers to be very insecure. There are secure browsers out there, such as Dillo and Lynx, but you won't get nearly the functionality out of them. Lynx is to my knowledge the most secure browser; it is just text rendering, everything else is discarded. NOW THAT'S SECURITY! Dillo is secure enough, though it can be attacked via overflows in their image rendering libraries etc. Heh, it is kind of funny to see the seemingly one-to-one relationship that functionality vs security have: the more of one you have, the less of the other you have.

    I think I have ranted long enough, back to work
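
Posts #18 and #20 describe sessions being stolen by injected script and a browser's authenticated cookies being used on behalf of another page. As an added example (not code from any poster in this thread), here is a check a site owner can run over their own `Set-Cookie` headers for the attributes that limit both; the header strings and finding names are constructed, and `SameSite` is a browser feature that postdates this 2010 thread.

```javascript
// Added example: audit Set-Cookie header values for the attributes that limit
// script access to a session cookie and its use from other sites.
// Header strings and finding names below are constructed for illustration.

// Parse one Set-Cookie value into { name, attrs }; attribute names lowercased.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  if (eq < 1) return null; // no cookie name, nothing to audit
  const attrs = new Map();
  for (const part of parts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name: first.slice(0, eq).trim(), attrs };
}

// Return finding codes for one Set-Cookie value (empty array = hardened).
function auditCookie(header) {
  const cookie = parseSetCookie(header);
  if (!cookie) return ["unparseable"];
  const findings = [];
  // Without HttpOnly, script injected into the page can read document.cookie.
  if (!cookie.attrs.has("httponly")) findings.push("missing-httponly");
  // Without Secure, the cookie is also sent over plain HTTP.
  if (!cookie.attrs.has("secure")) findings.push("missing-secure");
  // SameSite decides whether the cookie rides along on requests started by
  // another site, the situation post #20 describes.
  if (!cookie.attrs.has("samesite")) {
    findings.push("missing-samesite");
  } else {
    const mode = cookie.attrs.get("samesite").toLowerCase();
    if (mode !== "lax" && mode !== "strict") findings.push("samesite-not-restrictive");
  }
  return findings;
}

// Constructed sample headers: bare, hardened, and explicitly cross-site.
const samples = [
  "SID=abc123; Path=/",
  "SID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "SID=a=b==; Secure; HttpOnly; SameSite=None",
];
for (const s of samples) console.log(s, "->", auditCookie(s));
```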
