Spoof: Google.com vulnerable to CSRF
I was doing some security research this morning and was quite alarmed to find out that SECURITY VENDORS are vulnerable to CSRF. DarkReading has the story here: CSRF Bug Runs Rampant
Being a curious person I thought I’d try to find some CSRF vulnerabilities of my own. I was shocked to find out that the most used search engine was vulnerable to CSRF! Using this vulnerability a malicious attacker can force people to search for the word “balls” without explicit permission.
Normally blog.phishme.com believes in responsible disclosure and would never release a 0-day. Due to the urgency of this threat, and the details that must be disclosed to communicate it, we thought it best to forgo waiting 30 days for a vendor response. Due to the widespread use of google.com this information should be communicated immediately. Blog.phishme.com will be releasing 0-day proof-of-concept code in the advisory below:
———————————
Date: 6/28/2007
Advisory #: PHME-2007-01-BALLS
CVE #: CVE-NO-MATCH
06/28/2007 Vulnerability discovered on google.com
06/26/2007 blog.phishme.com releases advisory and POC 0-day code.
{ Introduction }
The popular internet search engine, “Google”, is vulnerable to a cross-site request forgery (CSRF) attack. This vulnerability would allow an attacker to force victims to search for the term ‘balls’.
Due to this class of exploits being relatively new, we suspect that there are other strings an attacker could force a search on, but we only tested the first thing that came to mind. Other search engines may be vulnerable but were not tested.
{ Risk }
blog.phishme.com used STRIDE and DREAD to classify this vulnerability as Medium Rare Risk.
This attack requires the attacker to know how to send URLs via instant messaging, email, or online forms.
- Alternate attack method #1: An attacker could call the victim and ask them to type the URL into their browser.
- Alternate attack method #2: An attacker could get a bumper sticker printed and affix it to their car. A curious victim would see this URL on the bumper sticker and type it in a browser when they get home.
{ Fix / POC code }
There is no fix or workaround at this time. A fully patched system running anti-virus and a firewall can still fall victim. Until this vulnerability is closed, internet users all over the world may be forced to search for ‘balls’.
In the meantime, blog.phishme.com offers up steps users can take to safeguard themselves against forceful balls searching. Please be aware that attackers are crafty, so we might not be able to cover every potential vector.
- Users of google should be skeptical of email subjects that read: “Dude, you really have to check out this link, after that deep conversation we had last week I think this would really interest you: http://www.google.com/search?hl=xx-hacker&q=balls”
- Internet users of google should be skeptical of instant messages or internet forums that read: “I was thinking about your problem and I think I found you the answer on this website: http://www.google.com/search?hl=xx-hacker&q=balls”
- myspace.com users should be skeptical when their friends post a message that reads: “I’m glad you had a good time at my barbeque, here is that chocolate dessert recipe you wanted: http://www.google.com/search?hl=xx-hacker&q=balls”
{ Advanced Exploitation }
Savvy internet users may not fall for the forceful ball search CSRF attack. Members of the security community would be even harder to trick. Crafty attackers may obfuscate this attack to evade IDS.
Demonstration POC Code:
Normal CSRF method: http://www.google.com/search?hl=xx-hacker&q=balls
Advanced IDS evasion Obfuscation method: http://www.google.com/search?hl=xx-hacker&q=%42%41%4C%4C%53
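The “advanced obfuscation” above is plain percent-encoding, which any URL parser undoes before the parameter value is compared. The following is an added example (not code from the original post) written from a log-review stance: it decodes the query string of both POC URLs so they can be compared on their canonical parameter values. The function names and the second decoding pass for double-encoded values are this example’s own choices.

```python
# Added example (not from the original post): normalise a URL's query string
# so that percent-encoded parameter values compare equal to their plain form.
from urllib.parse import urlsplit, parse_qsl, unquote


def canonical_query(url: str) -> dict:
    """Return the query parameters of `url` with percent-encoding removed.

    parse_qsl already decodes %XX sequences and '+' once; the extra unquote()
    pass also catches double-encoded values such as %2542 (-> %42 -> 'B'),
    which is what a reviewer normalising logs usually wants.
    """
    parts = urlsplit(url)
    params = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        params[unquote(key)] = unquote(value)
    return params


def search_term(url: str) -> str:
    """Case-folded value of the 'q' parameter, or '' if it is absent."""
    return canonical_query(url).get("q", "").casefold()


def same_search(url_a: str, url_b: str) -> bool:
    """True when both URLs request the same search term after decoding."""
    return search_term(url_a) == search_term(url_b)


# The two POC URLs quoted in the advisory above.
PLAIN = "http://www.google.com/search?hl=xx-hacker&q=balls"
ENCODED = "http://www.google.com/search?hl=xx-hacker&q=%42%41%4C%4C%53"

if __name__ == "__main__":
    for u in (PLAIN, ENCODED):
        print(u, "->", canonical_query(u))
    print("same search:", same_search(PLAIN, ENCODED))  # True
```

The second `unquote()` pass is a deliberate trade-off: it makes double-encoded values comparable, at the cost of decoding a literal `%` that was itself encoded. For matching signatures against request logs that is normally the right choice; for reproducing exactly what the server received, stop after `parse_qsl`.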
I will now demonstrate this attack in a Skype chat room full of security experts in the fields of penetration testing, secure coding, and incident response:

{ Conclusion }
This is a damaging attack that may take some time to fix. Internet users should proceed with caution.
———————————
End Advisory.
* Google lawyers, this is a joke, don’t get excited.
4 Comments so far
Wikipedia is vulnerable to a homographic variant of this attack which could fool an unsuspecting security consultant even more readily (remotely exploitable of course).
pOc:
http://en.wikipedia.org/wiki/%42%6f%6c%6c%6f%63%6b%73
No patch is available at this time.
[...] don’t know what this attack vector is (and I’m not talking about higB’s tongue-in-cheek Balls post.) The other week I heard a webinar by a major Web Application Firewall vendor claim his product [...]
The topic is quite trendy on the Internet right now. What do you pay attention to while choosing what to write?
I might suggest to change the font, and add your twitter so we can follow, other than that – nicely done!