4/27/2012

Ethiopia gets a new school - thanks to an XSS in Google+

Update 04/29/12: This blog post led to a persistent XSS bug on InformationWeek.com (screenshot) after Charlie Miller tweeted about it. (The third paragraph contains an XSS vector.) :-)
Update 05/02/12: InformationWeek has fixed the issue.

I have been contributing to the Google Vulnerability Reward Program since November 2010 and have found a lot of security bugs in nearly all major Google applications. This month I found two different persistent XSS vulnerabilities in Google+. I want to disclose one of them here because that bug hopefully makes the lives of some children a bit better.

My test Google+ profile is named "><img src=x onerror=prompt(1);> and if this user has more than 6 public photo albums, the name wasn't escaped on the profile page. The screenshot shows the bug in action.


The Google Security Team responded very fast and delivered a valid fix to production after a few hours. For this vulnerability I got a reward of $1,000 USD. For three other minor bugs I got $300 USD. Some notes and background information about the threats of HTML injection can be found here.


I decided to donate all the money to a school project in Welkite (Ethiopia). 
From the Project Manager of Bessere Zukunft e.V. about that school:
"At this school there is a lack of fundamental supply with water, toilets and electricity. Because there are barely any educational books, school materials and furniture (see photos), sufficient school education isn't possible.
Welkite is 180 km away from the capital city Addis Ababa. At this elementary school approximately 750 children go to grades one to eight. The classrooms do not have enough room and benches for the 80 children per grade to sit. Often four to five children have to share a bench. Most of the children have to walk 45 minutes to one hour to get to school. At this school there is no access to water, electricity and enough adequate toilets."

If you decide to donate the money from Google to charity, Google doubles the reward! So I'm able to donate

$2,600 USD

to this project. Google has made the donation for me via Betterplace.


There is another school project from Bessere Zukunft e.V. in East Africa. Do you want to donate too? Do it here.


Thanks so much to the Google Security Team who made this possible!

2/10/2012

One year Google web vulnerability research

Adam Mein from the Google Security Team shared today some stats from the VRP of the last 12 months. The facts about one year of VRP: $429,000 paid to around 200 researchers for 750 qualifying bugs. Roughly half of the bugs that received a reward were discovered in software written by approximately 50 companies that Google acquired.

Google Gifts

Adam said in 2011 that 20% of the people are responsible for around 80% of all bugs.

Here are some reports from researchers who participate in the VRP:


My personal stats about one year VRP can be found here.


12/11/2011

ICON HD Tank Module Pairing

After many hours reading different versions of the manuals I found out that it's not possible to perform a pairing operation between the Icon HD Tank Module and the computer without pressure on a tank.


The hint that the manual is wrong is in the Errata Corrige:
In Section 1.8 it is mentioned that the tank module does not need to be mounted on a regulator first stage. This is incorrect. To perform the pairing operation, the tank module must be pressurized to at least 15bar/220psi. Hence it must be mounted on a first stage regulator, which is itself mounted on a full scuba tank and the valve opened.
Hopefully the battery of the Tank Module is full and I'm able to pair both devices tomorrow at Helengeli Island.


Key Features of ICON HD:
  • Max depth 150m
  • Digital compass
  • Decompression model: RGBM Mares - Wienke (10 tissues)
  • Extended display
  • Wide screen for superior readability
  • Digital descent/ascent speed indicator
  • Air integrated (Tank pressure, breathing rate)
  • Nitrox with option to use up to 3 different mixes
  • Bottom Time/Gauge with stopwatch
  • Seabed map available during dive
  • USB interface to PC
  • Temperature measurement
  • Logbook for 100 dives

It's my first dive computer and I think it's currently one of the best dive computers for divers who want to enjoy a safe dive.

11/11/2011

Nyan Cat Song Orchestra Version

Do you know the Nyan Cat song orchestra version made by Denny Wellp? Click the play button or visit Grooveshark to listen to this amazing song.


Sometimes I use the HTML image tag with a Nyan Cat to visualize XSS bugs. In July 2011 I found an XSS on the website of the Cabinet of Germany. The German news magazine Spiegel Online ran a story named "Hack decorated bundesregierung.de with cat content". Next time I have to include that song too.

Apple.com XSS Gallery

Three months ago I found, in one night, a lot of reflected XSS bugs on different Apple.com properties. In the past I reported a lot of security bugs to Google (you find some stats about the last year here), and if I compare both security teams, I feel much more comfortable communicating with Google. Apple is slow in the first response, didn't tell me when a bug was fixed, and I had to report some bugs twice to get a confirmation that they had started working on them.
Compared to other companies, Apple has a lot of deprecated (?) legacy applications running. It looks like a mingle-mangle of different programming languages, application servers, domains or hostnames and independently running services, with a lot of bugs.

Did you know that Apple has a credit page for people who have reported potential security issues? They call it "Apple Webserver Notifications".

Update: Here is an explanation from OWASP of what XSS is:
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.
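Both the Google+ profile-name bug described above (a stored display name written into the page without escaping) and the OWASP definition just quoted come down to the same defect: user input copied into HTML output without encoding it. The JavaScript below is an added example written for this page; it is not code from the original post, from Google+ or from Apple. The template, the function names and the `/u/me` link are made up for the illustration, and the profile name is the one quoted in the Google+ post. It renders that name through an unescaped and an escaped version of the same template and checks which rendering lets the name contribute markup of its own.

```javascript
// Added example (not code from the original blog post, Google+ or Apple):
// the same display name rendered by an unescaped template and by an
// escaped one. Template, function names and the /u/me link are constructed.

// Constructed sample input: the test profile name quoted in the post.
const TEST_NAME = '"><img src=x onerror=prompt(1);>';

// Minimal HTML entity encoding, safe for text and quoted-attribute contexts.
// '&' must be replaced first so already-encoded output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable form: the name is dropped into an attribute value and into
// the element body as-is. A name that starts with '">' closes the
// attribute and the tag, so the remainder of the name becomes new markup.
function renderProfileUnescaped(name) {
  return `<a class="profile" href="/u/me" title="${name}">${name}</a>`;
}

// Hardened form: the identical template, with the name encoded on output.
function renderProfileEscaped(name) {
  const safe = escapeHtml(name);
  return `<a class="profile" href="/u/me" title="${safe}">${safe}</a>`;
}

// Lists the element names that open in a fragment. Good enough to check a
// rendered template; it is not a general HTML parser.
function tagNames(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Defender's check: a rendering must contain exactly the elements the
// template itself emits (measured with a harmless placeholder name) and
// nothing contributed by the value being rendered.
function nameInjectsMarkup(render, name) {
  const baseline = tagNames(render('placeholder'));
  const rendered = tagNames(render(name));
  return rendered.length !== baseline.length ||
    rendered.some((tag, i) => tag !== baseline[i]);
}

console.log(renderProfileUnescaped(TEST_NAME));
console.log(renderProfileEscaped(TEST_NAME));
console.log('unescaped template injects markup:',
  nameInjectsMarkup(renderProfileUnescaped, TEST_NAME)); // true
console.log('escaped template injects markup:',
  nameInjectsMarkup(renderProfileEscaped, TEST_NAME));   // false
```

Run it with node. The check compares element names against a rendering of a harmless placeholder, so it flags any value that opens a new tag, not only this particular name. The point of the definition above is the phrase "encoding it": validating a name once at signup would not have protected a second template that forgot to escape, whereas encoding at output time, in the context the value lands in (attribute, text, URL or script each need their own encoder), protects every place the stored value is later written.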
So, here we go with the XSS Gallery:

  • discussions.apple.com
  • www.apple.com
  • developer.apple.com
  • lists.apple.com
  • support.apple.com
  • expresslane.apple.com
  • backend.media.euro.apple.com
  • canadaapp.apple.com
  • canadaedu.apple.com
  • qtdevseed.apple.com



11/09/2011

XSS on Google.com


Oops. Yesterday I found a persistent XSS on http://www.google.com. Google Security filed a bug after 32 minutes. I will provide more information about the bug after a fix is released.

Very short response times are the normal case for Google Security.

In June I found a DOM XSS in the Google Search field after Voice Search for Chrome was introduced.


Timeline:

Initial Report: 24. June 2011, 14:43 UTC
Autoresponse from Security Bot: 24. June 2011, 14:43 UTC
First response from Security Team: 24. June 2011, 15:44 UTC

"Thanks! We've reproduced this issue reliably too, and we're working to get this resolved as soon as possible. I’ve filed a bug and will update you once we’ve got more information."

Final fix: 10 hours after initial report

"This is fixed. It's possible there may be some delays before it's pushed to the various data centers around the world, but it no longer alerts for me."

After 9 months Google added me to the "Sustained Support" section of its corporate security site. Thank you guys!

And here is my report after one year of the vulnerability reward program:




9/09/2011

Google Drive Rumors

Today we can find several signs that Google Drive is arriving in the next few weeks. Yesterday I found some hints about Google Drive on docs.google.com in a JavaScript file:


cg="My Google Drive"
lma="Remove from My Google Drive"
qma="Restore to My Google Drive"
lba=" items haved been removed from your Google Drive."
Uba='" has been added to your Google Drive.'
gha="Add to My Google Drive",


Last week someone on Hacker News pointed to an issue from the Chromium Project:

Unified Diff: net/base/transport_security_state_unittest.cc
  
  EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "docs.google.com", true));
  EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "sites.google.com", true));
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "drive.google.com", true));
  EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "spreadsheets.google.com", true));
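Review bot: the added line `+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "drive.google.com", true));` can only pass if a matching host entry exists in the preloaded transport-security data, and that data change is not part of this hunk; the test and the list change should land in the same change and be reviewed together, otherwise the unit test fails on its own. Like its three neighbours the new expectation only exercises the `true` value of the last argument, so if the other value takes a different path for preloaded hosts, consider asserting it as well. Note also what this post illustrates: an expectation in a public unit test makes the hostname visible before the product is announced, which is inherent to keeping a preload list in an open-source tree and is worth keeping in mind when such entries are added ahead of a launch.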

Google Storage for Developers is already in "Labs" state, looks like a "Drive" for developers and has quite interesting features.

Fast, scalable, highly available object store

  • All data replicated to multiple data centers
  • Read-your-writes data consistency
  • Objects can be terabytes in size, with resumable uploads and downloads, and range-GET support
  • Domain-scoped bucket namespace

Easy, flexible authentication and sharing

  • OAuth 2.0 Authentication
  • Authenticated downloads from a web browser
  • Individual-, project-, and group-level access controls

But I think Google Drive will be integrated into the existing Google Docs, and we will see some desktop applications to synchronize local disks with Google.