google.com.bd is attacked using DNS poisoning

Just a few hours back, one of my old colleagues phoned to let me know that Google had been hacked by a Bangladeshi guy. I was astonished to hear that, so I couldn’t stop myself from investigating further. First, when I tried http://www.google.com.bd it was OK. Then I tried http://google.com.bd and yes, it had been hacked! The hacker had defaced the home page. Without delay I made a remote desktop connection to a PC located in Australia. When I hit google.com.bd from there, it redirected me to www.google.com.bd. This initial test confirmed that it was not a worldwide problem. Then I asked a few of my friends (who are on different networks) to check whether this was particular to BD or not. One of them reported that he found it OK. So, this is BD specific and ISP specific. Finally, running the tracert command for both confirmed that it is a DNS poisoning attack.

So, hackers have changed the IP address in the DNS servers (which translate a requested domain name into its corresponding IP address) for google.com.bd. Here are the tracert results:

Tracing route to www.google.com [74.125.230.81] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.0.1
2 3 ms 2 ms 3 ms 114.130.35.65
3 5 ms 5 ms 2 ms 114.130.8.113
4 4 ms 4 ms 6 ms 169.dhk-peer.mango.com.bd [114.130.3.169]
5 6 ms 7 ms 4 ms gi1-3.gsr-7609.dhk-gsr-01.mango.com.bd [114.130.1.13]
6 152 ms 150 ms 151 ms pos12-1-0.palermo7.pal.seabone.net [195.22.198.157]
7 199 ms 197 ms 196 ms 72.14.198.233
8 197 ms 195 ms 195 ms 72.14.198.233
9 177 ms 178 ms 178 ms 216.239.47.128
10 190 ms 186 ms 187 ms 209.85.249.234
11 192 ms 193 ms 194 ms 72.14.233.104
12 194 ms 195 ms 195 ms 64.233.175.115
13 198 ms 194 ms 198 ms 74.125.230.81
Trace complete.

Tracing route to google.com.bd [173.233.68.2] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 192.168.0.1
2 2 ms 3 ms 2 ms 114.130.35.65
3 3 ms 3 ms 2 ms 114.130.8.113
4 3 ms 3 ms 4 ms 169.dhk-peer.mango.com.bd [114.130.3.169]
5 6 ms 5 ms 4 ms gi1-2.gsr-7609.dhk-gsr-01.mango.com.bd [114.130.1.9]
6 151 ms 150 ms 151 ms pos12-1-0.palermo7.pal.seabone.net [195.22.198.157]
7 189 ms 215 ms 189 ms xe-5-0-0.franco31.fra.seabone.net [195.22.211.221]
8 326 ms 324 ms 325 ms global-crossing.franco31.fra.seabone.net [89.221.34.110]
9 369 ms 371 ms 365 ms turnkey-internet.so-5-1-2.ar4.jfk1.gblx.net [64.215.182.250]
10 330 ms 331 ms 331 ms jm20-ny1-ge-1-3-0.turnkeyinternet.net [64.128.116.2]
11 331 ms 333 ms 332 ms c6509-ny1-i12ge50.turnkeyinternet.net [208.85.1.14]
12 390 ms 369 ms 401 ms webserver24.turnkeywebspace.com [173.233.68.2]
Trace complete.

New redirection attack on Google using its own URL shortener service

While toying with a bug in the Google signup page, I suddenly found a security hole: a redirection attack combining the Google sign-in page and the goo.gl (URL shortener) service. You have probably noticed that if you are not already logged in to your Gmail account and enter http://www.gmail.com in the browser’s address bar, you are redirected to something like:

https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1eic6yu9oa4y3&scc=1&ltmpl=default&ltmplcache=2

Notice that the above URL has a ‘continue’ parameter, which tells the login page where to send the user after sign-in. I tried tampering with this location: when I put in a different domain (one Google does not own) it showed an error like: “The page you requested is invalid.” When I tried a domain Google owns, it worked fine. Then I remembered the giant’s new service http://goo.gl and had an idea which finally worked.

First of all I created a sign-up page similar to the Gmail sign-up page and hosted it on my domain. I shortened its URL using goo.gl, which became http://goo.gl/mRIl. As the ‘continue’ parameter only allows Google’s domains, I used it in the following manner:

https://www.google.com/accounts/Login?continue=http%3A%2F%2Fgoo.gl%2FmRIl&service=mail&type=3

Now if you open the above URL, you will see Google’s actual login page, and if you provide your valid credentials and hit the ‘Sign in’ button, you will be redirected to my phishing page, which is identical to Google’s login page. Don’t worry, I am not collecting your credentials. It’s just a proof of concept of how this new redirection attack could be used by attackers to compromise your Gmail credentials.
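The root cause described above is a redirect check that trusts every host the company owns, including a shortener that forwards anywhere. The following is an added example from a defender's view, not code from the original post or from Google: it contrasts that ownership-based check with a strict allowlist that excludes redirector hosts; the host lists are constructed for illustration.

```python
from urllib.parse import urlparse, urljoin

# Constructed lists for this example: first-party hosts that may receive a
# post-login redirect, and company-owned hosts that merely forward elsewhere.
ALLOWED_HOSTS = {"www.google.com", "mail.google.com"}
REDIRECTOR_HOSTS = {"goo.gl"}          # owned, but an open forwarder


def weak_is_safe_continue(url: str) -> bool:
    """The bypassable rule from the post: any host the company owns passes.
    A shortener on that list turns the login page into an open redirect."""
    host = (urlparse(url).hostname or "").lower()
    return host in ALLOWED_HOSTS | REDIRECTOR_HOSTS


def strict_is_safe_continue(url: str, base: str = "https://www.google.com/") -> bool:
    """Hardened rule: resolve the value against the login page's own origin,
    then require https, no embedded credentials or port, and a host on the
    explicit allowlist that is not a forwarder."""
    if any(c in url for c in "\\\r\n\t"):
        return False                      # parser-confusing characters
    resolved = urljoin(base, url)         # "//evil/x" becomes https://evil/x
    p = urlparse(resolved)
    if p.scheme != "https" or p.username or p.password or p.port:
        return False
    host = (p.hostname or "").lower()
    if host in REDIRECTOR_HOSTS:
        return False                      # the goo.gl case from the post
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    sample = "http://goo.gl/mRIl"        # the shortened URL from the post
    print("weak  :", weak_is_safe_continue(sample))    # True  (accepted)
    print("strict:", strict_is_safe_continue(sample))  # False (rejected)
```

Relative paths such as `/mail/` resolve to the login page's own origin and pass the strict check, so first-party flows keep working.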