Goole WAP Open Proxy Vulnerability

2008-12-31T00:00:00
ID PACKETSTORM:73447
Type packetstorm
Reporter SVRT
Modified 2008-12-31T00:00:00

Description

                                        
                                            `[SVRT-08-08] Google Wap Proxy Vulnerability can be exploited by Hackers to   
attack Internet Users  
  
1. General Information  
On 15 December 2008, SVRT-BKIS, from BKIS Center, has found a vulnerability   
in the Wap Proxy service of Google, which allows hackers to cheat Internet   
users.  
  
With this flaw, users are to think that they are using a trustworthy service   
supplied by Google while all their actions are actually performed on   
websites prepared by hackers. This means hackers can easily steal users'   
sensitive information. We have been warning of this hole to Google.  
  
Details : http://security.bkis.vn/?p=310  
  
SVRT Advisory : SVRT-08-08  
Initial vendor notification : 12-16-2008  
Release Date : 12-27-2008  
Update Date : 12-27-2008  
Discovered by : Dau Huy Ngoc - SVRT-Bkis  
Security Rating : Critical  
Impact : Phishing  
Affected Software http://google.com/gwt/n ; http://wap.google.com/gwt/n  
  
Proof of concept:   
http://google.com/gwt/n?u=http://security.bkis.vn/Proof-of-concept/Google/GmailWap.htm  
  
Video Demonstration : You can download at   
http://security.bkis.vn/Proof-of-concept/Google/GoogleWapProxyVuln.wmv  
or view at http://www.youtube.com/watch?v=h654Cj-uRQY  
  
2. Technical Description  
Google Wap Proxy, also known as Google Wireless Transcoder, is a service   
that helps translate the content of an arbitrary website into XHTML format   
suitable for Wap browsers on cell phones.  
  
Making use of this service, when users access the link   
http://google.com/gwt/n?u=[http://website] with their cell phones, the   
content displayed by the browsers will be translated from that of the   
website at [http://website]. However, if [http://website] is the address of   
a website prepared by a hacker, he/she can definitely take advantage of the   
service to deceive users.  
  
In order to perform the attack, a hacker creates a website with the   
interface similar to that of Google. Then he's/she's in some way sending   
users a link in the form   
http://google.com/gwt/n?u=[http://fake-google-website]. As this link starts   
with google.com or wap.google.com, domain of Google, users might think it is   
safe and follow all the operations arranged by hackers, which results in   
their losing sensitive information.  
  
In fact, if this service only translated and displayed contents of websites,   
there would be no flaw to be exploited by hackers. The Achilles' heel is   
that users can interact with the websites, in other words, they can still   
login, input personal information and credit card information. via Wap   
Proxy. If the website in effect is created by hackers, all users' actions   
will be saved on hackers' servers.  
  
And for this reason, the vulnerability is due to a design fault in Google   
Wap Proxy Service. We have tested it with a fake website that has the   
interface identical to the Gmail login page. When users login via the site,   
their accounts and passwords will be disclosed. Follow this link to check   
for the test:   
http://google.com/gwt/n?u=http://security.bkis.vn/Proof-of-concept/Google/GmailWap.htm  
  
This service supports cell phone users but due to the fact that the provided   
links could be both wap.google.com and google.com, it also affects all   
Internet users in general.  
  
3. Solution  
Rating this vulnerability high severity, Bkis Center recommends that users:  
- Only log into their Gmail accounts at the address   
www.google.com/accounts.  
- Do not perform actions such as logging in, inputting sensitive   
information. when using Google Wap Proxy service.  
- Be cautious with strange links, even links starting with domain   
names of well-known organizations like Google, Yahoo!, and Microsoft.  
  
Credits  
Thanks to Dau Huy Ngoc for working together with us in the detection and   
alert process of this vulnerability.  
  
SVRT-Bkis  
  
  
  
`