Stories with Tag attack

• A phishing attack involving g.co, Google's URL shortener

  permalink

  Posted: 2025-01-24 03:38:46

  Verbose tl;dr

  A phishing attack leveraged Google's URL shortener, g.co, to mask malicious links. The attacker sent emails appearing to be from a legitimate source, containing a g.co shortened link. This short link redirected to a fake Google login page designed to steal user credentials. Because the initial link displayed g.co, it bypassed suspicion and instilled a false sense of security, making the phishing attempt more effective. The post highlights the danger of trusting shortened URLs, even those from seemingly reputable services, and emphasizes the importance of carefully inspecting links before clicking.

  This GitHub Gist details a sophisticated phishing attack leveraging the perceived trustworthiness of Google's URL shortening service, g.co. The attacker crafts a deceptive URL that, at first glance, appears legitimate due to the presence of "g.co." However, this URL cleverly exploits a specific vulnerability in how browsers handle Unicode characters.

  The core of the deception revolves around the use of a specific Unicode character, U+0300, known as the "combining grave accent." This character is designed to modify the preceding character by adding a grave accent mark. The attacker inserts this character after a Latin character that visually resembles a Cyrillic character used in the actual malicious domain. Specifically, the attacker uses a Latin "o" followed by the combining grave accent, which visually mimics the Cyrillic letter "о". While visually similar, these are distinct characters representing different underlying code points.

  The phishing URL begins with the legitimate "g.co" prefix, followed by a slash and then the deceptive domain. A user observing this URL might quickly recognize the "g.co" and assume the subsequent characters belong to a shortened Google link. However, the subtle substitution of the Cyrillic "о" with the Latin "o" combined with the grave accent creates a visually identical but functionally different domain name. This leads the user to a website controlled by the attacker, disguised as a legitimate Google service.

  The attacker further enhances the deception by potentially employing HTTPS and a valid SSL certificate on the malicious domain. This adds another layer of perceived legitimacy, as users are accustomed to associating HTTPS with secure and trustworthy websites.

  The Gist emphasizes the insidious nature of this attack, as it bypasses typical user vigilance and exploits the inherent trust placed in shortened URLs, especially those associated with reputable services like Google. It highlights the difficulty in visually detecting such character substitutions, which can easily deceive even cautious users. The author underscores the seriousness of this vulnerability by pointing out its potential to compromise user accounts and sensitive information if the user interacts with the fraudulent site, mistaking it for a legitimate Google service.

  • Phishing
  • g.co
  • Google
  • url shortener
  • Security
  • Cybersecurity
  • Fraud
  • online safety
  • link shortener
  • Malware
  • attack
  • internet safety

  Summary of Comments ( 76 )
  https://news.ycombinator.com/item?id=42810252

  Verbose tl;dr

  HN users discuss a sophisticated phishing attack using g.co shortened URLs. Several express concern about Google's seeming inaction on the issue, despite reports. Some suggest solutions like automatically blocking known malicious short URLs or requiring explicit user confirmation before redirecting. Others question the practicality of such solutions given the vast scale of Google's services. The vulnerability of URL shorteners in general is highlighted, with some suggesting they should be avoided entirely due to the inherent security risks. The discussion also touches upon the user's role in security, advocating for caution and skepticism when encountering shortened URLs. Some users mention being successfully targeted by this attack, and the frustration of banks accepting screenshots of g.co links as proof of payment. The conversation emphasizes the ongoing tension between user convenience and security, and the difficulty of completely mitigating phishing risks.

  The Hacker News thread discussing the phishing attack involving g.co has a significant number of comments exploring various facets of the issue. Several commenters express surprise and concern that Google's own URL shortener was leveraged in this attack, highlighting the perceived irony and the potential erosion of trust. Some discuss the technical mechanics of how the attack likely worked, including the use of Unicode characters to create lookalike domains or exploiting vulnerabilities in open redirects.

  A recurring theme is the difficulty in identifying phishing attempts, especially with shortened URLs. Commenters debate the responsibility of URL shorteners in preventing such abuse and whether Google should implement stricter validation or warning systems for g.co links. Some suggest alternative approaches, such as displaying the full target URL on hover or requiring explicit user confirmation before redirecting.

  Several users share their personal experiences with similar phishing attacks, emphasizing the increasing sophistication of these schemes. Some discuss the limitations of current security measures, including email filters and browser protections, and the need for greater user education and awareness. The role of two-factor authentication is also discussed, with some arguing that it would have mitigated the effectiveness of this specific attack.

  A few commenters dive into the legal and ethical implications of using g.co for phishing, questioning Google's liability and potential responses to the issue. They also explore the broader implications for URL shorteners and the challenges in balancing usability with security. Some express skepticism about the long-term viability of URL shortening services in light of these security concerns.

  A smaller subset of the comments offer technical advice on how to identify and avoid phishing attempts, including checking the full URL, being wary of suspicious emails, and enabling stronger security settings. There's also some discussion of the potential for browser extensions or other tools to help users identify potentially malicious shortened URLs.

  Finally, a few commenters offer more cynical perspectives, suggesting that such attacks are inevitable and that users should ultimately be responsible for their own security. Some express resignation to the constant threat of phishing and the difficulty in completely eradicating such scams.

• 0-click deanonymization attack targeting Signal, Discord, other platforms

  permalink

  Posted: 2025-01-21 14:59:44

  Verbose tl;dr

  A security vulnerability, dubbed "0-click," allowed remote attackers to deanonymize users of various communication platforms, including Signal, Discord, and others, by simply sending them a message. Exploiting flaws in how these applications handled media files, specifically embedded video previews, the attacker could execute arbitrary code on the target's device without any interaction from the user. This code could then access sensitive information like the user's IP address, potentially revealing their identity. While the vulnerability affected the Electron framework underlying these apps, rather than the platforms themselves, the impact was significant as it bypassed typical security measures and allowed complete deanonymization with no user interaction. This vulnerability has since been patched.

  A newly disclosed vulnerability, dubbed the "0-click deanonymization attack," poses a significant threat to user privacy on several popular communication platforms, including Signal, Discord, and others employing WebRTC, a real-time communication technology. This attack exploits a subtle flaw in the way these platforms handle IP address leaks within WebRTC connections, allowing a malicious actor to uncover the IP address of a target user without any interaction from the target—hence the "0-click" designation.

  The exploit leverages Session Traversal Utilities for NAT (STUN) and Interactive Connectivity Establishment (ICE) servers, integral components of WebRTC's functionality. These servers facilitate the establishment of peer-to-peer connections by assisting clients in discovering their public IP addresses and traversing network address translation (NAT) gateways. Normally, these IP addresses are exchanged between communicating parties. However, the vulnerability arises from the fact that these platforms inadvertently expose IP addresses to STUN/ICE servers even before a connection is fully established, and crucially, even if the target user declines or ignores a call.

  The attacker initiates a WebRTC connection request to the target user. Even if the target doesn't accept the call, the target's client still interacts with the STUN/ICE servers, revealing its IP address in the process. The attacker, by controlling or monitoring the STUN/ICE server, can passively intercept this communication and capture the target's IP address. This allows for deanonymization, linking the target's online identity on the platform to their real-world location and potentially revealing their true identity.

  This vulnerability is particularly insidious because it requires no action from the target user. Merely receiving a connection request, even an ignored or rejected one, is sufficient for the attack to succeed. This bypasses traditional defenses against IP address leaks, such as disabling WebRTC entirely or using VPNs, as the leakage occurs before these protective measures can effectively intervene. While VPNs might mask the true IP address, the timing correlation between the call attempt and the observed IP address on the VPN server could still provide valuable information to a determined attacker.

  The technical details of the exploit involve manipulating the JavaScript execution within the target's browser to control the flow of WebRTC negotiation and observe the STUN/ICE server interactions. The author of the disclosure emphasizes the simplicity of the attack and its broad applicability to any platform utilizing WebRTC without adequate safeguards. The potential consequences of this vulnerability are serious, ranging from targeted harassment and doxing to large-scale surveillance and privacy breaches.

  • signal
  • Discord
  • deanonymization
  • privacy
  • Security
  • Vulnerability
  • attack
  • metadata
  • 0-click
  • Exploit
  • IP address
  • online privacy
  • communication platforms
  • messaging apps

  Summary of Comments ( 294 )
  https://news.ycombinator.com/item?id=42780816

  Verbose tl;dr

  Hacker News commenters discuss the practicality and impact of the described 0-click deanonymization attack. Several express skepticism about its real-world applicability, noting the attacker needs to be on the same local network, which significantly limits its usefulness compared to other attack vectors. Some highlight the importance of the disclosure despite these limitations, as it raises awareness of potential vulnerabilities. The discussion also touches on the technical details of the exploit, with some questioning the "0-click" designation given the requirement for the target to join a group call. Others point out the responsibility of Electron, the framework used by the affected apps, for not sandboxing UDP sockets effectively, and debate the trade-offs between security and performance. A few commenters discuss potential mitigations and the broader implications for user privacy in online communication platforms.

  The Hacker News post titled "0-click deanonymization attack targeting Signal, Discord, other platforms" generated a significant discussion with a variety of comments. Several commenters focused on the technical aspects of the exploit, highlighting how seemingly innocuous features like generating link previews could be manipulated to leak IP addresses. There's a strong consensus that the core issue stems from servers fetching content from user-supplied URLs without proper safeguards.

  Some commenters questioned the "0-click" nature of the attack, arguing that a user still needs to engage with a message containing a malicious link, even if they don't explicitly click it. Others pointed out that the practicality of the attack is limited by the need for the attacker to control a server capable of logging IP addresses connecting to it.

  The discussion also touched upon the responsibility of different platforms. Some commenters argued that platforms like Signal and Discord should have implemented better protections against this type of attack, while others emphasized that the underlying issue lies with the broader ecosystem of link previews and the lack of standardized security measures.

  A few commenters provided technical insights into potential mitigations, including the use of proxy servers for fetching previews and stricter validation of URLs. The feasibility and potential downsides of these solutions were also debated.

  Some users shared anecdotal evidence of similar attacks or vulnerabilities they've encountered in the past, reinforcing the concern about the potential for abuse of link preview functionality.

  Finally, there was some discussion about the ethical implications of researching and disclosing such vulnerabilities, with opinions varying on the responsible approach to handling such sensitive information. The overall sentiment seems to be one of concern about the potential privacy implications of this attack vector and the need for a broader industry response to address the underlying issues.