Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2009-04-22 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

OAuth vulnerability

Published: 2009-04-22
Last Updated: 2009-04-23 16:43:11 UTC
by Jason Lam (Version: 1)
2 comment(s)

My friend Jason Kendall pointed to me that OAuth had acknowledged the report of a vulnerability. There are no details on the vulnerability announced yet. It is known that twitter, Yahoo, Google and Netflix and other OAuth providers are all working on the research and mitigation of this vulnerability. We should hear more shortly.

OAuth is an open protocol to allow API access authorization. It's use allow user to grant access on specific user's data to online providers. It is commonly used with OpenID where OpenID provides the authentication and then OAuth gives access to the user's properties and attributes without giving all other information to the provider. One site might want need to know the user's name and age but another should only know the user's name and food preference, Oauth allows such disclosure to happen.

Update: The actual vulnerability detail had been released. The vulnerability is similar to a session fixation vulnerability (it's not session related). The attacker can get a legitimate request token from one site, then entice a victim to click on a link with that token. The link brings the victim to a page for approving access for site to access personal information. The attacker can then finishes the authorization and get access to whatever information was approved to be accessed by the site.

 

Keywords: OAuth
2 comment(s)

Earthlink is down?

Published: 2009-04-22
Last Updated: 2009-04-22 19:35:07 UTC
by Joel Esler (Version: 1)
2 comment(s)

(On Earth Day, Ironic?)

We have been getting a few reports recently of Earthlink (the ISP) having DNS problems and otherwise being "down".  We haven't been given much information at this time, however, since we can't even reach Earthlink's website, and "Downforeveryoneorjustme.com" is even reporting it's down, it appears as if they are definately having some problems.

-- Joel Esler

http://www.joelesler.net

http://twitter.com/joelesler

Keywords:
2 comment(s)

Firefox gets an update.

Published: 2009-04-22
Last Updated: 2009-04-22 18:18:43 UTC
by Joel Esler (Version: 1)
0 comment(s)

We had several readers write in this morning to let us know of Firefox version 3.0.9 being released.

(Thanks roseman, CJ, Sebenste!)

For a complete linked list of Firefox vulns: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.9

MFSA 2009-22 Firefox allows Refresh header to redirect to javascript: URIs
MFSA 2009-21 POST data sent to wrong site when saving web page with embedded frame
MFSA 2009-20 Malicious search plugins can inject code into arbitrary sites
MFSA 2009-19 Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
MFSA 2009-18 XSS hazard using third-party stylesheets and XBL bindings
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-16 jar: scheme ignores the content-disposition: header on the inner URI
MFSA 2009-15 URL spoofing with box drawing character
MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

-- Joel Esler

http://www.joelesler.net

http://www.twitter.com/joelesler

Keywords:
0 comment(s)

SANS ISC is on Twitter too!

Published: 2009-04-22
Last Updated: 2009-04-22 17:04:13 UTC
by Joel Esler (Version: 1)
0 comment(s)

I've posted about this before, and many people started following us after that, however, since the Oprah/Twitter/Ashton Kutcher event  (I call this "BO" and "AO"  Before Oprah, and After Oprah), millions of people have joined Twitter and may not know that the ISC has a twitter name as well.

http://twitter.com/sans_isc

Feel free to follow us there as well if you are on Twitter.

-- Joel Esler

http://www.joelesler.net

http://twitter.com/joelesler

Keywords:
0 comment(s)

Bind 10 press release has been issued

Published: 2009-04-22
Last Updated: 2009-04-22 13:13:02 UTC
by Joel Esler (Version: 1)
0 comment(s)

According to a press release today by the ISC. (www.isc.org -- not us -- the DNS people), they are starting work on Bind 10.

There really isn't much information about Bind 10 at this time, however, it does have it's own webpage at the ISC.org site. 

Check out the page here.

Check out the press release here.

Join the Bind 10 Annoucement Mailing list, here.

 

-- Joel Esler

http://www.joelesler.net

http://www.twitter.com/joelesler

Keywords:
0 comment(s)
Diary Archives