web application security lab

Hacking Matt Cutts - Death By 1000 Cutts Case Study

About once a month someone asks me why knowing what users are running is useful. People don’t seem to think reconnaissance is worth doing these days; I’ve heard people say things like, “Just try the attack and see if it works.” While in un-targeted attacks it is sometimes totally worth just trying the attack, there are circumstances where that’s just not true. The first is where the attack takes a prohibitively large amount of resources. The second is where the attack leaves a big signature when it runs and you want to minimize that signature. The last, however, is the most interesting: it is where I want to hack a single user, and I want it to work the first time without fail. This is where recon is useful.

So I decided to pick a user out of the tens of thousands of people who have visited my site. As you all probably know by now, I’ve never been on super great terms with Google - it’s a long story that I’ll rant about over beers to almost anyone who asks. The point being, I represent what we like to call a determined attacker. Not so much that I want to hack Google directly - that’s easy enough - but calling out their unofficial technology spokesperson while making a point about how important recon is to web application security is the best of both worlds. So I picked Matt Cutts, who runs the web-spam group at Google and who happens to be the person that SEO blackhats most love to hate.

This case study has taken me a few months to put together, and I was thinking about releasing it at a conference at some point, but why wait? I think it’s worthwhile to release it now, before the noise of Bluehat, Blackhat and DefCon is upon us. In this case study, which I’ve entitled Death by 1000 Cutts (as a jab at my own original case study entitled Death by 1000 Cuts), I take a series of extremely minor information disclosures, gathered in various ways, and chain them to mount a really nasty attack in which I steal files directly from his machine using anti-anti-anti DNS pinning against Google Desktop. Rather than type the whole thing out again, I encourage you to read it for yourself. I hope this at least partially puts to rest people’s resistance to recon and proves why recon is a powerful tool in a determined attacker’s arsenal.
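The post argues that knowing exactly what a single visitor runs is what lets a targeted attack work the first time. The block below is an added example of that kind of passive recon, not code from the original post or from the case study: it parses Apache "combined" log lines, groups requests by client IP, and builds a per-visitor profile of browser, version and OS from the User-Agent, plus whether page script actually ran. The log lines, IP addresses, the example.test host, the /js/beacon.js path and the /probe endpoint (a hypothetical path that page JavaScript requests after it runs, reporting client-side findings in its query string) are all constructed for this illustration.

```python
"""Passive visitor recon from web server logs (added example, constructed data)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines; hosts, IPs, paths and UAs are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2007:09:12:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
203.0.113.7 - - [10/Jul/2007:09:12:02 -0500] "GET /js/beacon.js HTTP/1.1" 200 412 "http://example.test/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
203.0.113.7 - - [10/Jul/2007:09:12:02 -0500] "GET /probe?plugins=gdesktop HTTP/1.1" 200 0 "http://example.test/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
198.51.100.9 - - [10/Jul/2007:09:13:44 -0500] "GET / HTTP/1.1" 200 5120 "-" "Lynx/2.8.6rel.4 libwww-FM/2.14"
192.0.2.33 - - [10/Jul/2007:09:15:10 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
"""

# Apache combined format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Hypothetical beacon path requested by page JavaScript once it has executed.
# Seeing it proves script ran; its query string carries client-side findings.
PROBE_PATH = "/probe"

WINDOWS_VERSIONS = {"5.1": "Windows XP", "6.0": "Windows Vista"}
BROWSER_RE = re.compile(r"(Firefox|MSIE|Lynx|Opera|Safari)[/ ]([\d.]+)")


def parse_user_agent(ua):
    """Return (browser, version, os) from a User-Agent string; unknowns stay 'unknown'."""
    m = BROWSER_RE.search(ua)
    browser, version = (m.group(1), m.group(2)) if m else ("unknown", "")
    os_name = "unknown"
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    if nt:
        os_name = WINDOWS_VERSIONS.get(nt.group(1), "Windows NT " + nt.group(1))
    elif "Mac OS X" in ua:
        os_name = "Mac OS X"
    elif "Linux" in ua:
        os_name = "Linux"
    return browser, version, os_name


def profile_visitors(log_text):
    """Group log lines by client IP and build a recon profile for each visitor."""
    profiles = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ip = m.group("ip")
        p = profiles.setdefault(ip, {
            "browser": "unknown", "version": "", "os": "unknown",
            "js_enabled": False, "hints": [], "requests": 0,
        })
        p["requests"] += 1
        browser, version, os_name = parse_user_agent(m.group("ua"))
        if browser != "unknown":
            p["browser"], p["version"] = browser, version
        if os_name != "unknown":
            p["os"] = os_name
        url = urlsplit(m.group("path"))
        if url.path == PROBE_PATH:
            # Only script can issue this request, so the client runs JavaScript.
            p["js_enabled"] = True
            for key, values in parse_qs(url.query).items():
                for value in values:
                    hint = f"{key}={value}"
                    if hint not in p["hints"]:
                        p["hints"].append(hint)
    return profiles


if __name__ == "__main__":
    for ip, p in profile_visitors(SAMPLE_LOG).items():
        print(f"{ip}: {p['browser']} {p['version']} on {p['os']}, "
              f"js={p['js_enabled']}, hints={p['hints']}, requests={p['requests']}")
```

The point of the `js_enabled` flag is the one the post makes: a fetched script file only tells you the browser downloaded it, while a beacon request that can only originate from running script tells you it executed, which is the difference between "probably exploitable" and "will work the first time". A real deployment would key on more than the User-Agent (headers order, Accept values, plugin enumeration sent back through the beacon), but the grouping and evidence model stay the same.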

15 Responses to “Hacking Matt Cutts - Death By 1000 Cutts Case Study”

  1. beNi Says:

    hihi, great story .
    I’m sorry for Matt ;-)

  2. Jordan Says:

    Aww, you just picked him because of the great pun with his last name. ;-)

    Nice writeup. I wonder if Matt’s busy installing NoScript? Or just rebuilding his machine and uninstalling google desktop?

  3. RSnake Says:

    Thank you Jordan, although the name was a shocking coincidence no, it really had nothing to do with it. I’m just glad I don’t have such a distaste for Yahoo’s business ethics otherwise it would have been Death by 1000 Zawodneys.

  4. Spider Says:

    Ok. You’ve convinced me. No more browsing your site or any other with anything other than lynx. You should never wait until you become a target to start hiding.

  5. Kyran Says:

    Spider, the only way to be safe on the internet, is to start browsing gopher sites. :P

    Anyways, I’m just as amazed at the simple, yet genius, way this could have been executed as I was with the original Cuts paper.

  6. RSnake Says:

    @Spider - hahah… I’m thinking I might be able to find an exploit in wget; I still haven’t found one in Lynx, but I haven’t been trying very hard. But trust me, if I wanted to mess with people I could. I really have no intention of hurting anyone who visits my site, including Matt Cutts.

    @Kyran - Thank you sir! I took a great deal of care in attempting a very direct attack rather than doing the round-about ways that include attacking sites that Matt Cutts uses.

  7. MORO Says:

    I only understood about half of it but…wow.

  8. Bojo Says:

    That was an awesome read.

    /me turns off javascript

  9. Awesome AnDrEw Says:

    Thorough, and interesting.

  10. beaule Says:

    thanks for details, very practical… very clear … nice :)

  11. FR3DC3RV Says:

    very interesting!

  12. Bally S Says:

    I gotta say, what a joke by Matt. Everyone was totally fooled all the way. It was headlined everywhere on SEO sites. But I didn’t even realize it was April the 1st.

  13. RSnake Says:

    @Bally S - I think you have this confused with Matt’s joke about hacking his own site. This was a theoretical example of how I’d hack Matt. Very different things.

  14. Wladimir Palant Says:

    RSnake, you want to get a distaste for Yahoo’s business ethics? Easy, read http://adblockplus.org/en/npYState - this thing has been a Firefox top crasher for at least a year. Note especially the “where did this come from and what is it good for” paragraph. That’s not the only example, just the one I analyzed in detail.

    Also, are you sure you need a nonce for an anti-DNS-pinning attack on Google Desktop? I never installed Google Desktop but I think that if you can read out the response from Google Desktop, you can just as easily load its start page into an iframe and read out the nonce from there (or simply submit the form with your parameters). And you can do the same with any application giving out sensitive information through a 127.0.0.1 web server. So Google merging web and desktop search isn’t the real problem in this case.

  15. RSnake Says:

    I’ll check it out.

    But yes, you absolutely need the nonce. There is no “start page” on Google Desktop; you have to find your way there either by clicking a link or going to the task bar, and that then pops up a page with a nonce in it.