[SVRT-08-08] Google Wap Proxy Vulnerability can be exploited by Hackers to attack Internet Users 1. General Information On 15 December 2008, SVRT-BKIS, from BKIS Center, has found a vulnerability in the Wap Proxy service of Google, which allows hackers to cheat Internet users. With this flaw, users are to think that they are using a trustworthy service supplied by Google while all their actions are actually performed on websites prepared by hackers. This means hackers can easily steal users' sensitive information. We have been warning of this hole to Google. Details : http://security.bkis.vn/?p=310 SVRT Advisory : SVRT-08-08 Initial vendor notification : 12-16-2008 Release Date : 12-27-2008 Update Date : 12-27-2008 Discovered by : Dau Huy Ngoc - SVRT-Bkis Security Rating : Critical Impact : Phishing Affected Software http://google.com/gwt/n ; http://wap.google.com/gwt/n Proof of concept: http://google.com/gwt/n?u=http://security.bkis.vn/Proof-of-concept/Google/GmailWap.htm Video Demonstration : You can download at http://security.bkis.vn/Proof-of-concept/Google/GoogleWapProxyVuln.wmv or view at http://www.youtube.com/watch?v=h654Cj-uRQY 2. Technical Description Google Wap Proxy, also known as Google Wireless Transcoder, is a service that helps translate the content of an arbitrary website into XHTML format suitable for Wap browsers on cell phones. Making use of this service, when users access the link http://google.com/gwt/n?u=[http://website] with their cell phones, the content displayed by the browsers will be translated from that of the website at [http://website]. However, if [http://website] is the address of a website prepared by a hacker, he/she can definitely take advantage of the service to deceive users. In order to perform the attack, a hacker creates a website with the interface similar to that of Google. Then he's/she's in some way sending users a link in the form http://google.com/gwt/n?u=[http://fake-google-website]. As this link starts with google.com or wap.google.com, domain of Google, users might think it is safe and follow all the operations arranged by hackers, which results in their losing sensitive information. In fact, if this service only translated and displayed contents of websites, there would be no flaw to be exploited by hackers. The Achilles' heel is that users can interact with the websites, in other words, they can still login, input personal information and credit card information. via Wap Proxy. If the website in effect is created by hackers, all users' actions will be saved on hackers' servers. And for this reason, the vulnerability is due to a design fault in Google Wap Proxy Service. We have tested it with a fake website that has the interface identical to the Gmail login page. When users login via the site, their accounts and passwords will be disclosed. Follow this link to check for the test: http://google.com/gwt/n?u=http://security.bkis.vn/Proof-of-concept/Google/GmailWap.htm This service supports cell phone users but due to the fact that the provided links could be both wap.google.com and google.com, it also affects all Internet users in general. 3. Solution Rating this vulnerability high severity, Bkis Center recommends that users: - Only log into their Gmail accounts at the address www.google.com/accounts. - Do not perform actions such as logging in, inputting sensitive information. when using Google Wap Proxy service. - Be cautious with strange links, even links starting with domain names of well-known organizations like Google, Yahoo!, and Microsoft. Credits Thanks to Dau Huy Ngoc for working together with us in the detection and alert process of this vulnerability. SVRT-Bkis _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/