Wednesday, July 3, 2013

Exploiting Blogger For Passwords

Disclaimer: I do not recommend doing this, and I am not responsible for any trouble you get in for doing this. This post is for educational purposes only. ETC ETC

While working on my site I stumbled upon a way one could harvest Google account passwords from a simple blog account. By setting up a Blogger page, you have the option to include a Google Friend Connect "Join this site" button widget complete with profile pictures of other members who have joined the site.

Look familiar?

At first, I was hesitant to post this, because this site uses the Google Friend Connect widget. Then I realized that no one has used to feature in almost a year, and that the number of users using the service have dropped off, while traffic to the site remained steady. That doesn't mean one could do this with any other sort of connect feature websites often have (Facebook, Reddit, etc).  Pointing out such flaws will hopefully make such services much more secure in the future, as it will hopefully be corrected in some way.

Clicking on the blue button prompts the user to input a Google, Twitter, or Yahoo account login and password. By simply misdirecting the path of the follow URL, one could then spoof the login page so that the information entered follows through to  malicious site. All one has to do is replicate the Google service login popup. No URL is displayed during the whole process.

Such a method has been used before. Mistyping the Craigslist URL might bring you to a page notifying you that you need to update your version of Adobe Flash. Everything from the color scheme used, the font, and the installer are all reminiscent of what Adobe uses for their flash program.

uh oh...

Of course, the URL should be a giant red flag! Following through with the install will almost certainly lead to viruses/maleware/adware. Another approach of this technique is exploited by the torpig botnet. Which university researches were able to take control of. THey learned that the botnet was spoofing online banking logins for major banks on the infected computers, then sending the login information to whoever owned the botnet. Pretty scary stuff.

No comments:

Post a Comment