Comments on Jeremiah Grossman: I used to know what you watched, on YouTube

Alida Antonia Cornelius, 2009-11-16T13:19:11.302-08:00

I would like to know what/if Apple's Mobile Me mail has CSRF protection.
I pay about $100 bucks a year for my email account because I figured it was very secure and I could never lose my account as I use it for my business.

So, does this mean Google gmail is more Secure than Apple's Mobile Me mail?

Thanks in advance for any answer to this question.

Anonymous, 2008-10-06T05:33:00.000-07:00

how did u src the swf object. I copied the download url location of a swf att, used param object embed stuff, but swf file didn't execute the js code that was inside the flash file

golabi, 2008-09-27T14:06:00.000-07:00

Very useful blog.
Thanks for sharing Jeremiah.
I created a link in my blog,

Msherm
http://illshare.wordpress.com

Anonymous, 2008-09-20T19:14:00.000-07:00

ohh... you're great man. !!!

Jeremiah Grossman, 2008-09-20T09:05:00.000-07:00

@Nate/Billy, thanks guys. So much research around the same areas. Just fitting the pieces together in interesting ways.

Jeremiah Grossman, 2008-09-20T09:04:00.000-07:00

@kuza55, I think this keeps happening to you. I might have to run my exploit blog posts by you from now on for a sanity check. :)

Anonymous, 2008-09-19T00:52:00.000-07:00

Cool shit man!

Rios and I found some stuff similar to this that we talked about at DEFCON 15 (Biting the Hand That Feeds You), but this is a real interesting vector you leveraged there. It's also fairly similar to other content ownership issues that have been discussed, really it's things like this that led to the ideas for the GIFAR stuff.

I think you and I talked about how PDP and I talked about the GIFAR thing and realized we had gone slightly different directions with the same thing. I find it real interesting how often people find their ideas intersecting on this stuff. We didn't get time to have our meeting at Vegas, but we should get a handful of minds together and talk about some of this stuff in the future, see what comes out of it.

That said, since you, Kuza, Rios and I have all found similar flaws with this, I couldn't help but point to a rap song that Rios and I wrote back in 1994 that claims our legitimacy to the pwnership of this research... here it goes:

"Listen close as life turns its pages McNasty here kickin rhymes for the ages

See things is changin
Wise words spoken by sages

From Skytel to Blackberry pagers
Your crew dont phase us

We'll make you busters pay us
Run up in yo spot like CJ from San Andreas

Rios and I wrote this sploit a long time ago
A real long time ago, can ya FEEL ME?
We wrote this sploit a long time ago
It was the dopest sploit that we wrote, back in 94"

Ok, I'm just kidding, we didn't write the sploit back in '94. And I didn't write that rap either. It came from Chappelle show... go watch that shit if you haven't seen it, it's hilarious.

Good stuff JG, peace!

Billy (BK) Rios, 2008-09-18T18:41:00.000-07:00

Sweet! I talked about using CSRF to login to someone's gmail acct and pull an attachment at DEFCON 15 (Biting the Hand That Feeds You), but I wasn't creative enough to pull off an attack like this! Great job and way to put the pieces together!

kuza55, 2008-09-18T18:21:00.000-07:00

P.P.S Cool find though :) (Sorry, let my bitterness get in the way of what I meant to say yet again), I honestly hadn't even considered using an essentially logged-out XSF (Stefano's term) to abuse trust policies, thanks for the info :D

kuza55, 2008-09-18T18:17:00.000-07:00

Been there done that, got the tshirt will be presenting lots of gmail 0day at Power of Community :p

Speaking of the login trick, why do I never get any credit for anything: http://kuza55.blogspot.com/2008/02/exploiting-csrf-protected-xss.html (I even spent a good portion of time explaining it at 24c3)

P.S. Damn Stanford team getting my gadgets 0day patched and not even knowing how to fully exploit it.

Anonymous, 2008-09-18T17:40:00.000-07:00

very nice discovery man.