Description: Presentation Materials: http://conference.hitb.org/hitbsecconf2012ams/materials/
In the past, researchers who reported security-bugs feared that the companies affected wouldn't take this report in a positive way, and could have possibly run into legal issues with that vendor. This has changed when vendors started crediting researchers (Microsoft and others) for finding bugs (and it's considered an honor), and now, paying for discovered bugs is almost a standard (Mozilla, Google, Facebook and others).
With this in mind, we decided to assess Google and analyze what kind of bugs the all-mighty Google would suffer from. We've spotted and observed tens of security gaps which could have been used to attack a targeted person who's using Google's services (who doesn't?), or remote attacks that could be used to gain elevated permissions in Google's services (people's life projects could have been ruined by crafting a few packets).
We did a background check on Google's services and decided where we want to assess first based on our instincts and previous experience with similar systems. We checked what Google had acquired (http://en.wikipedia.org/wiki/List_of_acquisitions_by_Google) and analyzed the odds of finding security gaps in each of these services. After multiple assessments and checks, we gained a much better understanding of what they are missing during internal security reviews and focused on those aspects. Like mentioned above, approximately 100 bugs were reported, including many which we classified as critical bugs that could allow a malicious user to take control over your account -- without your approval.
In this presentation we will present the key aspects of assessing such bounty program and focus on most interesting and complex bugs found. In addition, exclusively for HITB attendees, we will introduce new bugs that were never discussed/shown before.
ABOUT ITZHAK 'ZUK' AVRAHAM
Itzhak Avraham (Zuk) is a Security Expert who has done a wide variety of vulnerability assessments. Zuk worked at the IDF as a Security Researcher. Proud Founder of zImperium, from the creators of ANTI (Android Network Toolkit). He's a proud holder of a SVC card that is in the possession of elite researchers such as Matt Swich and really dislikes writing about himself in the third person. Zuk can be found on his personal hacking related blog at http://imthezuk.blogspot.com & on Twitter as @ihackbanme
ABOUT NIR GOLDSHLAGER
Nir Goldshlager -- Nir is a known security researcher with more than 12 years of extreme web applications assessments, Nir found many high vulnerabilities in every big-scale website that exists today (Google, Paypal, Ebay, Twitter, Amazon, etc), Nir also listed in Google Security Sustained Support for many bugs findings. Nir is a Senior Researcher at zImperium. Nir can be found on twitter @Nirgoldshlager and on his personal blog: http://www.nirgoldshlager.com
Tags: securitytube , hack in the box , hacking , hackers , information security , convention , computer security , HITB 12 , HITB-2012 ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.