Monday, September 24th, 2007

Stealing Pictures with Picasa

In celebration of our acceptance to Black Hat Japan, we’ve decided to post the details on our Picasa exploit, which allows an attacker to steal images from victims. Perhaps this should be the month of Google flaws, considering our posts this past week and some of the posts that are on their way in the next week or two.


If you’ve read our previous post Say Cheese! then you know that Google’s Picasa registers the picasa:// URI scheme in the Windows registry, and that it is possible to abuse this registered URI through a Cross-Site Scripting exposure to steal a victim’s images. My personal feeling on this issue is that it represents a HUGE privacy breach for users of Picasa. Ok, so without further dramatic build-up, you can find the gory details here and you can find the source code we use for the exploit here.
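The registered-URI attack surface the post describes is something a defender can inventory directly. The following PowerShell is an added example, not code from the post or from Google; it assumes a Windows host and lists every URL protocol handler registered under HKEY_CLASSES_ROOT (the same mechanism Picasa uses for picasa://), together with the command each scheme launches.

```powershell
# Added audit example (not part of the original post). Windows marks a protocol
# handler as a key under HKCR that carries a value named "URL Protocol"; the
# program it launches lives under that key's shell\open\command subkey. Listing
# these shows which local applications any web page can reach through a URI.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Optional wildcard filter on the scheme name, e.g. 'picasa'.
        [string]$Name = '*'
    )
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Name } |
        ForEach-Object {
            $key = $_
            # Only keys carrying a "URL Protocol" value are protocol handlers.
            if ($key.GetValueNames() -contains 'URL Protocol') {
                $cmdKey = $key.OpenSubKey('shell\open\command')
                $cmd = if ($null -ne $cmdKey) { $cmdKey.GetValue('') } else { $null }
                [PSCustomObject]@{
                    Scheme    = $key.PSChildName
                    Command   = $cmd
                    # A command containing %1 receives the full URI, including any
                    # attacker-controlled parameters, as a program argument.
                    PassesUri = ($null -ne $cmd -and $cmd -match '%1')
                }
            }
        }
}

# Review every registered scheme, then just the one discussed in the post.
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize
Get-UrlProtocolHandler -Name 'picasa'
```

Enumerating HKCR takes a few seconds because every class key is visited; the PassesUri column is the quickest way to spot handlers that hand a web-supplied URI straight to a local program.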

Posted by xssniper | Filed in Security


13 Responses to “Stealing Pictures with Picasa”

  1. September 24th, 2007 at 2:32 am

    pdp said:

    very interesting concept!!! nice

  2. September 24th, 2007 at 6:40 am

    hackademix.net » GoogHOle (XSS pwning GMail, Picasa and almost 200K customers) said:

    [...] Rios and Nate McFeters revealed the gory details of their already announced Picasa exploit, leveraging a clever combo of XSS, Cross Application Request Forgery, Flash same domain policy [...]

  3. September 24th, 2007 at 3:15 pm

    DigitMemo.com » Multi Google Security Holes Revealed said:

    [...] Picasa exploit with detail, leveraging a clever combo of XSS, Cross Application Request Forgery, Flash same domain [...]

  4. September 25th, 2007 at 4:05 pm

    Awesome AnDrEw said:

    It is way more work than I could say I would ever think of doing, but the proof of concept was very nice work. I love how you always tie everything together like that.

  5. September 25th, 2007 at 4:59 pm

    sjovan said:

    and then you install linux and stop bothering about stuff like this. good application btw :)

  6. September 25th, 2007 at 8:34 pm

    Nathan McFeters said:

    Actually sjovan, there’s a high likelihood this is vulnerable in Nix too, or at the very least attacks like it. I’ve mentioned numerous times now that *Nix has registered URIs as well.

    This is one of my favorite attacks that we’ve pulled off. Lots of dynamic pieces.

  7. September 26th, 2007 at 8:21 am

    rcarter said:

    Yeah, I’m pretty happy with how it turned out too. The PoC is finally functioning correctly. The thing that was the toughest to get working reliably was the DNS rebinding/anti-DNS pinning. From everything I’ve read, Flash does DNS binding and *should* respect the TTL it receives but doesn’t seem to. By comparison the rest was pretty easy.

  8. September 26th, 2007 at 9:02 am

    New vulnerabilities for Google services « APNIBI blog said:

    [...] scripting bug instead affects the enterprise service Google Search Appliance, while Google Picasa turns out to be vulnerable to an exploit capable of allowing a cracker to retrieve images [...]

  9. September 27th, 2007 at 6:12 pm

    A rough week for Google security — Security Bytes said:

    [...] A Picasa exploit discovered by researchers Billy Rios and Nate McFeters that leverages a combination of XSS, cross [...]

  10. October 11th, 2007 at 5:15 am

    Info World » Blog Archive » Microsoft to fix Window’s URI security flaw after criticism said:

    [...] example, it would be impossible for Microsoft to fix a recent Picasa flaw discovered by McFeters and Researcher Billy Rios. "The Picasa flaw is based on the [...]

  11. October 11th, 2007 at 11:47 am

    Info World » Blog Archive » Microsoft bows to criticism, will fix Window’s URI security flaw said:

    [...] example, it would be impossible for Microsoft to fix a recent Picasa flaw discovered by McFeters and Researcher Billy Rios. "The Picasa flaw is based on the [...]

  12. October 29th, 2007 at 11:58 am

    Marcin said:

    Hey Nate... we met at San Diego airport and talked for a bit. We were both headed to Phoenix. Anyways, I couldn’t find an email address and I didn’t want to go “searching” for one, so I thought I’d post a comment here and hope you would respond to the email address I left. You can delete this comment.

  13. November 23rd, 2007 at 8:18 pm

    Ryan Naraine’s Zero Day mobile edition said:

    [...] Unfortunately, URIs are also accessible to attackers through cross-site scripting (XSS), so an attacker can XSS a Picasa user, load Flash which doesn’t do DNS pinning (this JUST missed our list), and then steal the user’s images without any interaction or confirmation. [...]
