today following my previous post: “Google Feature of Bug?” I want to explain my attack on Google reputation. Google has been already warned about this attack ( several days ago, actually I believe even before posting “Google Feature or Bug”) I received the bug confirmation and the email saying they are working on this issue. So now I feel free to public it.
Some notes on reputation systems:
A reputation system computes and publishes reputation scores for a set of objects (e.g. service providers, services, goods or entities) within a community or domain, based on a collection of opinions that other entities hold about the objects. The opinions are typically passed as ratings to a reputation center which uses a specific reputation algorithm to dynamically compute the reputation scores based on the received ratings.
Entities in a community use reputation scores for decision making, e.g. whether or not to buy a specific service or good. An object with a high reputation score will normally attract more business that an object with a low reputation score. It is therefore in the interest of objects to have a high reputation score.
Since the collective opinion in a community determines an object’s reputation score, reputation systems represent a form of collaborative sanctioning and praising. A low score represents a collaborative sanctioning of an object that the community perceives as having or providing low quality. Similarly, a high score represents a collaborative praising of an object that the community perceives as having or providing high quality. Reputation scores change dynamically as a function of incoming ratings. A high score can quickly be lost if rating entities start providing negative ratings. Similarly, it is possible for an object with a low score to recover and regain a high score.
After these readings you probably would know that reputation attacks, especially if applied to high reputation systems (like for example Google), might be twice effective:
First. Users who trusting to the attacked domain will fall into attacks as much as the attacked domain is trusted.
Second. The attacked domain will loose reputation as much as users fell into the attack.
An attacker might abuse of the Google reputation (please note the Google logo and the Google domain ) by adding a fake “You-WIN-click here!” banner through the following link (the following link is just an example not the real link I’ve used to generate screenshots)
The attacked user, trusting the Google’s logo and trusting the Google’s domain, might think that the crafted banner is real (because Google said: you’ve just won) and he might click on it.
By clicking on the faked banner the user could be redirected to a malicious page as the following image shows.
I want to be clear, this is not a direct XSS attack on Google, but it uses Google as a XSS launcher platform. Basically we are in front of a great example of reputation attack, made by using one of the most trusted domain ever: Google.com.