ExtremeHacking
Today : | Time : | safemode : ON
> / Main Website / Cyber Surakha Abhiyan / Hackers Charity / Linkedin / facebook / twitter /
Name Author Perms Com Modified Label

Unmasking Google Users With a New Timing Attack Unknown rwxr-xr-x 0 9/11/2014

Filename Unmasking Google Users With a New Timing Attack
Permission rw-r--r--
Author Unknown
Date and Time 9/11/2014
Label
Action
Ethical Hacking Institute in Pune
./Arizona Team

Researcher has discovered a new Timing attack that could unmask Google users under some special conditions.

Andrew Cantino, the vice president of engineering at Mavenlink, detailed his attack in a blogpost st week. According to him, the attack could be used by an attacker to target a particular person or organization. A cyber criminal could share a Google document with an email address, un-checking the option by which Google sends the recipient a notification.


























TIMING ATTACK USED TO DE-MASK TOR USER’S IDENTITY

Now, using timing attack exploit technique, a cyber criminal could figure out when someone logged into any one of the shared addresses visits the their site, Cantino said. An attacker could even use this attack in spear phishing campaigns or even could unmask the identity of Tor users if they’re logged in to Google while using the Tor browser.

Timing attack can allow to unmask targeted Google users as they browse the web. Cantino said the attack is straightforward. For example, if I control a website and want to know when a particular user with a particular Gmail address visits my website, in this case, I could use the exploit technique to identify the identity of that targeted user, and that too without setting a cookie.

If the Google document is viewable by the visitor, it will take longer to load the resulting page than if the document is not viewable.

“Since the result isn’t an image, the onerror callback of the image is triggered in both cases, but we can record how long it takes from image instantiation to triggering of the onerror. This time will be greater when the document is accessible. In my experiments, loading took an average of 891ms when the document was available, but 573ms when it was not,” Cantino said.

In order to gain users’ trust and steal credentials, an attacker could even make use of a phishing page that looks just like it’s logged into the victim’s account. This type of targeting attack could also help to identify the Tor users, if they’re logged into their Google account.

TIMING ATTACK
For those who are not aware of Timing attack, Timing attack is a type of side channel attack where an attacker gains information from the implementation of a cryptosystem rather than from any inherent weakness in the mathematical properties of the system.






























Timing attacks exploit the timing variations in cryptographic operations. Because of performance optimizations, computations performed by a cryptographic algorithm often take different amounts of time depending on the input and the value of the secret parameter.

ISSUE REPORTED TO GOOGLE - NO FIX:

The issue was responsibly reported to Google Security team by Andrew Cantino, the vice president of engineering at Mavenlink. The search engine giant acknowledged the issue, but declined to fix it because the risk, both in terms of impact and difficulty of exploiting this against a large population, is low.

“I don't really disagree with them— this is hard to fix, and fairly theoretical,” said Cantino, who previously had been awarded a bug bounty from Google multiple times. “Still, I think this is an interesting example of a timing attack, and shows how hard these sorts of issues can be to avoid.”

www.arizonainfotech.com
CEH CHFI ECSA ENSA CCNA CCNA SECURITY MCITP RHCE CHECKPOINT ASA FIREWALL VMWARE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking, IT Security Training Information Security Traning Courses in Pune, ceh certification in pune, Ethical Hacking Course in Pune
 

Cyber Suraksha Abhiyan | Sadik Shaikh © 2015 Sadik Shaikh | CEH V9 | ETHICAL HACKING Course Training Institute in India-Pune
Extreme Hacking Template design by Sadik Shaikh | Cyber Suraksha Abhiyan