Billy (BK) Rios » Stealing Pictures with Picasa

Monday, September 24th, 2007

Stealing Pictures with Picasa

In celebration of our acceptance to Black Hat Japan, we’ve decided to post the details on our Picasa exploit which allows an attacker to steal images from victims. Perhaps this should be the month of Google flaws considering our posts in this previous week and some of the posts that are on their way in the next week or two.

If you’ve read our previous post Say Cheese! then you know that Google’s Picasa registers the picasa:// URI in the Windows registry and it is possible to abuse this registered URI through a Cross-Site Scripting exposure to steal a victim’s images. My personal feeling on this issue is that it represents a HUGE privacy breach for users of Picasa. Ok, so without further dramatic build-up, you can find the gory details here and you can find the source code we use for the exploit here.

Posted by xssniper | Filed in Security

http://www.gnucitizen.org pdp

very interesting concept!!! nice
Pingback: hackademix.net » GoogHOle (XSS pwning GMail, Picasa and almost 200K customers)
Pingback: DigitMemo.com » Multi Google Security Holes Revealed
http://www.awesomeandrew.net Awesome AnDrEw

It is way more work than I could say I would ever think of doing, but the proof of concept was very nice work. I love how you always tie everything together like that.
sjovan

and then you install linux and stop bothering about stuff like this. good application btw
http://xs-sniper.com Nathan McFeters

Actually sjovan, there’s a high likelihood this is vulnerable in Nix too, or at the very least attacks like it. I’ve mentioned numerous times now that *Nix has registered URI’s as well.

This is one of my favorite attacks that we’ve pulled off. Lot’s of dynamic pieces.
rcarter

yeah, i’m pretty happy with how it turned out too. the PoC is finally functioning correctly. the thing that was the toughest to get working reliably was the dns rebinding/anti-dns pinning. from everything i’ve read, flash does dns binding and *should* respect the ttl it receives but doesn’t seem to. by comparison the rest was pretty easy.
Pingback: Nuove vulnerabilità per i servizi Google « APNIBI blog
Pingback: A rough week for Google security — Security Bytes
Pingback: Info World » Blog Archive » Microsoft to fix Window’s URI security flaw after criticism
Pingback: Info World » Blog Archive » Microsoft bows to criticism, will fix Window’s URI security flaw
http://tssci-security.com Marcin

Hey Nate.. we met at San Diego airport and talked for a bit. We were both headed to Phoenix. Anyways, I couldn’t find an email address and I didn’t want to go “searching” for one, so I thought I’d post a comment here and hope you would respond to the email address I left. You can delete this comment
Pingback: Ryan Naraine’s Zero Day mobile edition