Crack: Google Authentication Services are Vulnerable

There is a vulnerability in the way the Google authentication service works. Whenever you log in to any of Google's online services (GMail, Orkut, Groups, Docs, YouTube, Calendar, etc.), you are redirected to an authentication server, which checks the entered username and password and then redirects you back to the requested service (GMail, YouTube, etc.), setting the session variables.

Now, if you are able to grab the URL used to set the session variables, you can log in as the user to whom that URL belongs from any machine on the Internet (it need not be a machine on the same subnet) without entering that user's username and password.

The proxy servers in organizations can be used to exploit this vulnerability. Squid is the most popular proxy server in use. In its default configuration, Squid strips the query terms of a URL before logging it, so this vulnerability can't be exploited that way. But if you turn the stripping mechanism off by adding the line shown below, Squid will log the complete URL.

strip_query_terms off

So, after turning the stripping mechanism off, the log will contain URLs that look like this:

http://www.google.co.in/accounts/SetSID?ssdc=1&sidt=Q5UrfB0BAAA%3D.oHVGErODzffQ%2Bms%2FOKfk53g5naReDKehRNHOBsmJlBu3VTNXjF03SbgX%2FVEEhmImhR4mlu5IAAjM%2BdbuXvMMSIb0oU8IGCYpnLcSNkbCIrG%2BQnm81YmX5%2Brcrq7U6Qx65%2F1yaQ2NzgmKD94jg0Iw13iXDen3qD5qn6L%2FhmmYWwTrcOeuTzGbO%2BAehpjEU3mrWapRafaq3b4kxyigJ68s8QrGQqZTINNE%2Bs%2BoIkZWmGt5kNzoT8fkVAsWJeu3CKFkxj4oVMngeDvpwb1nyFpsJCltOzmAr46fTxVJSpvQdx0%3D.BMLtjUdIDCcuszktZSvYzA%3D%3D&continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26ts%3D1226148773097%3A1226148773386%3A1226148774868%26auth%3DDQAAAIcAAAC1pPE1QT4chKgrU4B3oyKZrQRkEVPtYlclpESQoXV_d9x9gdoe75Z0hfJ_22Pn5tVMR7j-uV5YCps3NB48L0bFlDeX-4PGHVT6Loztp_ru3tAy_gxDa9_YAEbz4d9CO4wD2VTKtzax9zvpGgrnJVZQfoWPkkIomUmxDtVGoH7g3fA3UjS0vdBJ2PJtgFMElso

Replace .co.in with the TLD specific to your country. If you paste this URL into any browser, it will log you in directly and you can do whatever you want with that account. Remember that all such URLs remain valid only for two minutes; if you use the URL after two minutes, it will lead nowhere.

At the time of writing this post, Orkut, Google Docs, Google Calendar, Google Books and YouTube are vulnerable.

So, make sure your Squid has the stripping mechanism turned on and your Squid server is properly firewalled.

You can watch the video proof for Orkut on Blip.tv and YouTube.
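Two checks a Squid administrator can run against the setup described above, as an added example (not code from the original post): one flags a squid.conf that turns stripping off, one counts log lines that still carry a session token, and one redacts such tokens from an access.log that was already written. The parameter names sidt, auth and continue are taken from the logged URL; sid, SID and token, and the file paths in the comments, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: defensive checks for the
# Squid logging problem described above. The parameter names sidt, auth
# and continue come from the logged URL; sid/SID/token are assumptions.

# Exit 0 if squid.conf turns query-term stripping off (the risky setting).
squid_logs_query_terms() {
    grep -Eq '^[[:space:]]*strip_query_terms[[:space:]]+off' "$1"
}

# Print the number of access.log lines that still carry a session token
# in the query string (0 when the log is clean).
count_exposed_lines() {
    grep -Ec '[?&](sidt|auth|sid|SID|token)=' "$1" || true
}

# Filter: blank out the values of credential-carrying query parameters.
# "continue" is redacted whole because it embeds a second, URL-encoded
# URL (%26auth%3D...) that a plain "auth=" match would not catch.
redact_tokens() {
    sed -E 's/([?&](sidt|auth|sid|SID|token|continue)=)[^&[:space:]]*/\1[REDACTED]/g'
}

# Typical use (paths are assumptions, adjust to your installation):
#   squid_logs_query_terms /etc/squid/squid.conf && echo "WARNING: strip_query_terms is off"
#   count_exposed_lines /var/log/squid/access.log
#   redact_tokens < /var/log/squid/access.log > access.log.redacted
```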

 

Google is Fastest

While testing a piece of code for my Squid plugin, I ended up changing the permissions of the /tmp/ directory to 0755. A few minutes later (after making changes to the code), I tried committing it to fedorapeople.org and got this error:

[project@bordeaux youtube_cache]$ git push --all ssh://kulbirsaini@fedorapeople.org/~kulbirsaini/public_git/youtube_cache.git
Enter passphrase for key '/home2/Studies/project/.ssh/id_rsa':
ssh_control_listener bind(): Permission denied
fatal: The remote end hung up unexpectedly
error: failed to push to 'ssh://kulbirsaini@fedorapeople.org/~kulbirsaini/public_git/youtube_cache.git'
[project@bordeaux youtube_cache]$

Well, I couldn't understand the error and jumped to #fedora-admin. I pasted the error on pastebin. Almost a minute later, while trying to conquer the error, I Googled the exact error and was damn surprised to see the paste as the first result. What an indexing speed Google has??? See the screenshot for proof 🙂

Google is Fastest

In #fedora-admin, ricky confirmed that nothing was wrong on the server side and that it should be a local problem with my machine or the proxy server at my institute's border. A few minutes later, I realized the /tmp/ permission thing, and changing the permissions back to 0777 fixed everything 🙂
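A check for the /tmp/ permission problem above, added here as an example and not part of the original post. It assumes Linux with GNU stat, and reports the mode Linux expects for /tmp/, 1777 (world-writable plus the sticky bit), rather than a plain 0777.

```shell
#!/bin/sh
# Added example, not from the original post: check that a shared temporary
# directory has the mode Linux expects for /tmp, 1777 (world-writable plus
# the sticky bit). A 0755 /tmp breaks ssh's ControlMaster socket (the
# "ssh_control_listener bind(): Permission denied" error above); a plain
# 0777 works but lets any user delete or rename other users' files, which
# is exactly what the sticky bit prevents.

# Octal mode of a path (GNU stat; on BSD/macOS use: stat -f '%Lp').
dir_mode() {
    stat -c '%a' "$1"
}

# Exit 0 when the directory is 1777; otherwise explain what is wrong.
check_shared_tmp() {
    dir=$1
    mode=$(dir_mode "$dir") || return 1
    case $mode in
        1777) echo "$dir: ok (mode $mode)" ;;
        777)  echo "$dir: world-writable but no sticky bit (mode $mode)"; return 1 ;;
        *)    echo "$dir: mode $mode is not world-writable; ssh control sockets" \
                   "and other programs will fail to create files here"; return 1 ;;
    esac
}

# Check /tmp (or the directory given as the first argument).
check_shared_tmp "${1:-/tmp}" || echo "fix with: chmod 1777 ${1:-/tmp}"
```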

 

Info: Spicebird 0.7 Pre with Awesome Features

Spicebird is

your one platform for many collaboration needs. It provides e-mail, calendaring and instant messaging with intuitive integration and unlimited extensibility.

Spicebird beta 0.7 pre-release is out now and can be downloaded in 10 languages from the l10n nightly build archive. For the latest nightly build of the English version, check the English nightly build archive.

Some of the new features in version 0.7 are:

  • Google Applets in the Home tab
    • You can add Google applets to the Home tab. For example, on the Home tab click Add Applet -> Google Applet and enter the URL of a Google applet (e.g. Google Map Search), and you'll have a nice Google map on your home page 🙂
    • Or add the date & time applet (this URL)
    • Or any of the thousands of applets available from Google 🙂

Google Applets in Spicebird

  • Auto-update feature
    • Spicebird now checks for updates automatically 🙂

Spicebird Auto Update

  • It's way faster than the previous version. That's my personal opinion; I had been using Spicebird beta 0.4 for more than 6 months.

Check the official release announcement for more details.

How to install Spicebird for test usage

Download

Get the latest version of Spicebird from the nightly build archive.

Extract and Move

Extract the Spicebird archive file as:

[root@localhost ~]# tar -xjf spicebird-beta-0.7pre.en-US.linux-i686.tar.bz2 [ENTER]

Move the extracted directory to /opt/:

[root@localhost ~]# mv spicebird-beta /opt/ [ENTER]

Create shortcut on Panel

Right click on the Gnome panel and click “Add to Panel”

Add Spicebird to Panel

Click on “Custom Application Launcher”

Spicebird Custom Application Launcher

Fill in the appropriate details as shown in the following image.

Spicebird Create Application Launcher

Choose an icon for Spicebird by clicking the “No Icon” button on the top left corner.

Spicebird Launcher Icon

Click OK and you are done. Now click the new icon that has just appeared on the panel. The rest of the configuration, like account creation and settings, is exactly the same as in Thunderbird, Evolution or any other mail client.
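The extract-and-move steps above run tar as root on a downloaded archive, so here is an added example (not from the original post or the Spicebird project) that first rejects archive members which would escape the extraction directory and only then extracts and moves the tree into /opt/. The archive name and the spicebird-beta directory are the ones used above; the function names and the temporary-directory handling are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: install a downloaded Spicebird
# tarball into /opt/ as the steps above do, but check the archive listing
# first. A member with an absolute path or a ".." component could write
# outside the extraction directory when tar runs as root.

# Read a `tar -t` listing on stdin; exit 1 if any member is unsafe.
listing_is_safe() {
    unsafe=0
    while IFS= read -r member; do
        case $member in
            /*|*/../*|../*|*/..|..) echo "unsafe member: $member" >&2; unsafe=1 ;;
        esac
    done
    [ "$unsafe" -eq 0 ]
}

# Verify the listing, extract into a private directory, then move to /opt/.
install_spicebird() {
    archive=$1
    dest=${2:-/opt/spicebird-beta}
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    tar -tjf "$archive" | listing_is_safe || return 1
    work=$(mktemp -d) || return 1
    tar -xjf "$archive" -C "$work" || return 1
    mv "$work/spicebird-beta" "$dest" && rmdir "$work"
}

# Usage (as root, from the download directory):
#   install_spicebird spicebird-beta-0.7pre.en-US.linux-i686.tar.bz2
```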

Reference: Spicebird Official Website