Gmail: Lean, Mean Spamming Machine!

by Shijaz Abdulla on 12.05.2008 at 11:35

A "serious security flaw" in Gmail turns Google’s e-mail service into a spamming machine, according to a recent security report.

INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards email messages, a spammer can send thousands of bulk e-mails through Google’s SMTP service, bypassing Google’s 500-address bulk e-mail limit and identity fraud protections.

Since email providers like Gmail are "auto-whitelisted" by ISPs and blocklist providers, the spam messages sent from Gmail are not looked upon with suspicion by many anti-spam technologies, which further magnifies the risk.

The INSERT report suggests that it does not require a rocket scientist to exploit this flaw:

In this regard, this document presents a vulnerability report and a proof of concept attack that demonstrate how anyone with no special internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail Account in order to be granted nearly unrestricted access to Google’s massive white-listed SMTP relay infrastructure

At the time of this writing, Google has not offered any official comment.

Security Vulnerability in Youtube?!

by Shijaz Abdulla on 18.04.2008 at 23:30

Hello world. The time is 12:31 AM in Abu Dhabi, United Arab Emirates, and I have logged in to YouTube to upload a short video. And guess what? I am automatically logged in as another Youtube user that I don't know anything about!!

I kept navigating on various pages in YouTube, and I found that I kept getting logged on as various other users! New vulnerability in Youtube/Google? I guess this will be published in a dozen other blogs by tomorrow and then maybe we can wait and see what Youtube/Google says.
Here are some screenshots. I’m cropping some of the images for ethical reasons 🙂

I clicked on My Favorites, and I get Zoobi4658‘s favorites!

Hmm, I clicked on Home, and I arrive at Just2koool‘s home.

I click on My Videos, here comes da54sk8er

Clicked a random link, and lo, here is koxlcxlk


No, I am not a hacker – neither white, nor grey, nor black hat. It just happened. I logged in with my username and password and the next thing I know I get redirected with a new identity. I keep clicking on other links, I get further new identities. I tried to logout and back in – the same story ensues.

This isn’t the first time with Google. The exact same problem was reported by GMail users in Kuwait a few months ago. Users were able to see other users’ inboxes and email. This was caused by a caching issue at a Kuwait ISP and in all probability, what I see with Youtube *might be* the same issue. Well, in my opinion, Google should write code that doesn’t allow the ISP web proxy cache to save somebody’s session and give it to someone else!

Updates:

19 Apr, 10:30 PM This problem seems to affect only users inside the United Arab Emirates. Most likely that the problem is caused by Etisalat, our ISP.
19 Apr, 9:30 PM My blog gets blocked in the UAE
20 Apr, 8:00 AM And we’re back online
23 Apr, 5:00 PM ITP reports the issue
27 Apr, 6.45 PM YouTube security issue in UAE fixed


GMail user data exposed in Kuwait

by Shijaz Abdulla on 01.03.2008 at 16:03

Talk about security – and Google.

GMail users in Kuwait and some other countries report being able to read other GMail users’ email without having to log in.

Full Story:
http://www.news.com/8301-10784_3-9875714-7.html

Google attributes this to an ‘ISP caching problem’ that allowed users to see other users’ mailboxes. That speaks volumes about Google’s security, doesn’t it? Does this mean that an ISP can break Gmail security if it really wants to? And wait a minute: how can ‘caching’ at the ISP preserve Gmail sessions? The mechanism is more mundane than it sounds. A transparent proxy that caches responses it should not (pages served to a logged-in user over plain HTTP, without an effective Cache-Control: private or no-store header) hands the next person who requests the same URL a stored copy of the first user’s inbox page. No session is stolen; the second user never holds the first user’s cookie, yet sees their data. Whether the proxy ignored the headers or the headers were missing, the outcome is the same. Some neat security, huh?

No wonder Gmail is still in Beta.

Opening blocked attachments in Outlook

by Shijaz Abdulla on 09.01.2008 at 10:23

Some file extensions are blocked by Microsoft Outlook for the potential damage that they may cause. File types blocked include EXE, COM, MDB and many others.

Outlook displays a message that it has blocked the attachment:


Sometimes it becomes necessary to “unblock” a particular file extension. One of the most common requests is to unblock Access database files (*.mdb). Let’s see how this can be done:

  1. On the desktop running Outlook, open Registry Editor (regedit.exe).
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\xx.x\Outlook\Security, where xx.x is your Outlook version number (9.0 for Outlook 2000, 10.0 for Outlook 2002, or 11.0 for Outlook 2003).
  3. Add a new string value (REG_SZ) named Level1Remove.
  4. Set its data to the extensions that you want to unblock, separated by semicolons (for example: .mdb;.url ). Remember to put the dot before each extension, and restart Outlook for the change to take effect.

It should, however, be kept in mind that unblocking a file type removes the block for every message, not just the one you are waiting for: the user can just as easily receive a malicious file of the same type from another sender or from the internet and open it inadvertently. Unblock the narrowest set of extensions you actually need, and never the executable types (EXE, COM and the like).

For Outlook 2007, insert the same string value under HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security. If the key path doesn’t exist, you can create it.
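The same change, scripted. This is an added example and not the author’s own script: it applies the Level1Remove value from PowerShell so the edit is repeatable, merges with any extensions already listed, and refuses the executable types the post warns about (that deny list is the example’s own choice, not something Outlook enforces). The Outlook version string and the extension list are assumed to be supplied by the caller; the two key paths are the ones the post names.

```powershell
# Added example, not from the original post. Assumes the caller supplies the
# Outlook version ('11.0' = Outlook 2003, '12.0' = Outlook 2007) and the extensions.
function Set-OutlookLevel1Remove {
    param(
        [Parameter(Mandatory)] [string]   $OutlookVersion,   # e.g. '11.0' or '12.0'
        [Parameter(Mandatory)] [string[]] $Extensions,       # e.g. 'mdb', '.url'
        [switch] $UsePolicyKey                                # the Policies path the post uses for Outlook 2007
    )

    # Extensions that are near-universal malware carriers. Refusing them is this
    # example's own safeguard; Outlook itself will happily accept them in Level1Remove.
    $neverUnblock = @('.exe', '.com', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf')

    $base = 'HKCU:\Software\Microsoft\Office'
    if ($UsePolicyKey) { $base = 'HKCU:\Software\Policies\Microsoft\Office' }
    $key = Join-Path $base "$OutlookVersion\Outlook\Security"

    # Normalise: leading dot, lower case, trimmed, no duplicates, no empty entries
    $wanted = $Extensions |
        ForEach-Object { '.' + $_.Trim().TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ -ne '.' } |
        Sort-Object -Unique

    $refused = $wanted | Where-Object { $neverUnblock -contains $_ }
    if ($refused) {
        throw "Refusing to unblock high-risk extension(s): $($refused -join ', ')"
    }

    # The post: create the key path if it does not exist yet
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Merge with whatever Level1Remove already holds so earlier entries survive
    $existing = @()
    $current = Get-ItemProperty -Path $key -Name Level1Remove -ErrorAction SilentlyContinue
    if ($current -and $current.Level1Remove) {
        $existing = $current.Level1Remove -split ';' | Where-Object { $_ -ne '' }
    }
    $merged = (@($existing) + @($wanted) | Sort-Object -Unique) -join ';'

    # REG_SZ value, as in the manual steps above
    New-ItemProperty -Path $key -Name Level1Remove -PropertyType String -Value $merged -Force | Out-Null
    return $merged
}

# Outlook 2003 (11.0): unblock Access databases and Internet shortcuts
Set-OutlookLevel1Remove -OutlookVersion '11.0' -Extensions 'mdb', 'url'

# Outlook 2007 (12.0) via the Policies key the post describes
Set-OutlookLevel1Remove -OutlookVersion '12.0' -Extensions 'mdb' -UsePolicyKey

# This would throw rather than silently weaken the block:
# Set-OutlookLevel1Remove -OutlookVersion '11.0' -Extensions 'exe'
```

Run it as the user whose Outlook profile you are changing (the value lives under HKEY_CURRENT_USER), then restart Outlook. Keeping the refused list in the script, rather than relying on whoever runs it to remember the caveat, is the point: the registry value itself carries no such guard.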

Dying hard

by Shijaz Abdulla on 05.09.2007 at 10:43

I normally don’t blog about anything that’s not technical enough. But this was asking for it.

Some of my readers who saw ‘Live Free or Die Hard 4’ said that they were fascinated by the technical possibility of the feats demonstrated by hackers in the movie. I’m not really the movies guy — but yielding to the awe of the readers, I was tempted to watch it.

Many have asked me “Can they really do it some day to a country?”; “Is IT warfare real?”, etc.

I’m not a movie critic and this is definitely not a movie review. This is a serious (ahem!) technology blog. So what’s ‘Die Hard 4’ doing here? Damn, I started this post, so let me begin and let me end. I promise to keep it technical.

1. How can simply copying financial information (or ‘downloading’ it – as in the movie) help the hackers steal money? Tell me how you can get rich just by copying a bank’s database to a portable hard drive?

2. The so-called “Financial Records” are 500 TB (Terabytes) as per the message on the screen and Hacker 101 says he’s going to copy the data to a portable hard drive. I’ve never seen a 500TB portable drive. Have you?

3. Every time they want to hack a system (traffic lights, tunnels, F11 controllers, CCTV cameras), our Harry Potter hacker boy just punches some buttons on his keyboard and says “we’re in”. Is it really that simple?
The encryption technologies of today require hundreds of computers working together for months and years to crack just one key, that may give access to just one system. And of course, within this long period, the key itself may change. The government of any country would not be dumb enough to protect all their systems with just one key, and passwords/keys will change frequently.

4. In the story, if the system breaks, it ‘downloads’ all the data to a machine in a remote location. What kind of disaster recovery solution is that?! Data to a disaster recovery center is usually replicated in real time/periodically and does not ‘begin’ when an outage happens.

5. I believe there is always a way to manual over-ride things like traffic lights and power grids. Even when a hacker has control over traffic lights, I don’t think those systems allow anyone to set ‘green’ on every lane! I’m not a developer, but has anyone heard of user input validation?

6. How did they manage to blow up hacker good-boy’s computer when he pressed the delete button? If they were around, why didn’t they just plant a remote-controlled bomb in his apartment. Would have been more reliable 😉

7. When they played images of blowing up government buildings, why did hacker boy have to type the messages that were being posted on TV screens manually at the time of broadcast. Couldn’t he write a simple script or at least copy-paste it from Notepad?

8. Why couldn’t somebody at the television station just physically pull the plug off the transmitter? Isn’t it better to have no transmission than to broadcast as per the hacker’s whims and fancies?

9. I wonder why some of the IP addresses are from the private IANA range – 10.x.x.x, 192.168.x.x. Were they hacking the US govt, or the neighbor’s PC?

10. Those racks in the server room look strange. Why do the servers make weird noises when our hackerboy presses a key?

Here’s the bottom line: I don’t think that an attack of such magnitude can be done with today’s available security technologies at least for a reasonable time into the future. And beyond that – as they say – ‘Security Transcends Technology’.