[Owasp-ireland] Fwd: Breaking Google Gears' Cross-Origin Communication Model

davidrook david.rook at realexpayments.com
Tue Dec 9 08:55:30 EST 2008


Conor and I were barking up the right tree then!

Dave

Eoin wrote:
> ---------- Forwarded message ----------
> From: Yair Amit <AMITYAIR at il.ibm.com>
> Date: 2008/12/8
> Subject: Breaking Google Gears' Cross-Origin Communication Model
> To: webappsec at securityfocus.com
>
>
>
> Hello,
>
> I recently discovered a flaw in the cross-origin communication security
> model of Google Gears that could allow attackers to break-out of the
> same-origin policy and mount large scale user-impersonation attacks under
> certain conditions.
>
> After coordinating a fix with Google, I can now reveal the full details.
> You are invited to read them at
> http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html
> .
>
> To make sure you are secure, it is advisable to verify that you have the
> latest version of Google-Gears (currently 0.5.4.2) installed on your
> system. If that is not the case, it can be obtained from the Google Gears
> website (http://gears.google.com).
>
> I would like to thank the Google Gears security team for their quick
> responses and the efficient way in which they handled this security issue.
>
> Best Regards,
>      Yair Amit
>      Senior Security Researcher
>      IBM Rational Application Security
>
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
> Methodologies & Tools for Web Application Security Assessment
> With the rapid rise in the number and types of security threats, web
> application security assessments should be considered a crucial phase in the
> development of any web application. What methodology should be followed?
> What tools can accelerate the assessment process? Download this Whitepaper
> today!
>
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> -------------------------------------------------------------------------
>
>
>
>
>   
> ------------------------------------------------------------------------
>
> _______________________________________________
> Owasp-ireland mailing list
> Owasp-ireland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>   

-- 
David Rook | david.rook at realexpayments.com
Security Analyst

Realex Payments
Enabling thousands of businesses to sell online.

Castlecourt, Monkstown Farm, Monkstown, Co Dublin, Ireland
|t: +353 1 2808559 | f: +353 1 2808538  | www.realexpayments.com 

1 Lyric Square, London W6 0NB
t: +44 203 1785370 | f: +44 207 6917264  | www.realexpayments.co.uk 

27 avenue de l'Opéra, 75001 Paris. 
t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51

Visit our other Realex Payments websites: 
www.airlinepayments.com 
www.sepa.ie 

Pay and Shop Limited, trading as Realex Payments has its registered office at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland and is registered in Ireland, company number 324929. 

This mail and any documents attached are classified as confidential and are intended for use by the addressee(s) only unless otherwise indicated. If you are not an intended recipient of this email, you must not use, disclose, copy, distribute or retain this message or any part of it. If you have received this email in error, please notify us immediately and delete all copies of this email from your computer system(s).



More information about the Owasp-ireland mailing list