
How Pwn2Own Was Almost Won Via XSS - ssclafani
http://jon.oberheide.org/blog/2011/03/07/how-i-almost-won-pwn2own-via-xss/
======
trotsky
Dear Google,

While I am impressed with the ease and speed the web market can install an
application on my phone (it seems to trigger basically instantaneously), I was
very dismayed at the security implications of this functionality. This example
is only one of a myriad of reasons I'd rather not have it enabled.

Please allow me to disable this functionality on the device itself (and not
just as an option accessible to my account on the web).

------
dtwwtd
I met Jon a few weeks ago and we talked about the possibility of this exploit.
At the time I didn't believe that the folks at Google would miss something
like this.

It just goes to show you can't be too careful when interacting with today's
cloud services.

~~~
marshray
I'm not sure this implicates cloud in particular.

I see it as a company that doesn't understand the difference between securing
an operating system and securing a website. Which is especially bad
considering the train wreck that is web security. Jon was apologetic that his
bug was so 'lame' since, unlike operating systems, the web was generally not
designed to be secure.

"Web security" in general depends on the secure behavior of the web browser,
which in turn depends on the security of the operating system, hardware, and
so on. If you reverse the arrows in the architecture, as Android appears to
have done with Marketplace, then the whole thing becomes much less stable.

~~~
dtwwtd
Yes, of course not cloud in particular, but web services in general. It just
gave me pause because if Google messed this up, how many other services with
less manpower that we trust with our data have similar vulnerabilities?

~~~
marshray
Approximately all of them.

IMHO, browsers' implementation of the web "security model" (I use the term
loosely) is not the thing to base the security of your entire architecture on.

But hey, who am I to argue with Google?

------
mustpax
Am I reading this right that there is absolutely no HTML escaping for app
descriptions on the Android Market? Seriously Google, like none?

~~~
beaumartinez
Remember when YouTube had a similar issue with <script> tags executing from
within comments?

~~~
nbpoole
It wasn't quite that simple ;-)

[http://www.reddit.com/r/programming/comments/cluc5/html_inje...](http://www.reddit.com/r/programming/comments/cluc5/html_injection_vulnerability_in_youtube_comments/)

The payload in the case of YouTube was only slightly more complex (two
<script> tags instead of one), but it sounds like the underlying cause was
very different.

---

Many websites and web applications are vulnerable to XSS in one form or
another. The difference here, as people have pointed out, is the trust placed
in the site by Android. It's not very often that an XSS vulnerability can
execute arbitrary code on a remote system. :-P

~~~
Getahobby
I think the underlying cause was the same - unescaped output that was supplied
by the (malicious) user.

~~~
nbpoole
Mmm, from here it looks like YouTube had a sanitizer in place that failed:
it's not clear that the Android Market was sanitizing the output here. That's
what I meant by the underlying cause being different.

------
abraham
> Unfortunately, Google had significantly tightened things up and we’ve been
> unable to expose any additional XSS

I'm impressed that not only did Google fix the vulnerability but they also
appear to have done a full security audit. Too many companies would just fix
the known hole and leave it at that.

------
borski
This made my day. You'll often hear people exclaim that XSS vulnerabilities
don't matter because they're all client-side, but they are a means to an end.
They are but the tip of the iceberg; without the tip, the rest of the iceberg
is invisible.

