March 4th, 2009

Google downplays severity of Gmail CSRF flaw

Posted by Dancho Danchev @ 2:44 pm

Categories: Browsers, Data theft, Google, Hackers, Passwords, Phishing, Spam and Phishing, Web 2.0

Tags: Security, Google Inc, Gmail, CSRF, XSS, Cross Site Request Forgery, Dancho Danchev

Yesterday, Vicente Aguilera Diaz from Internet Security Auditors released a proof of concept for a CSRF (Cross-Site Request Forgery) vulnerability in Google’s Gmail, which he had originally reported to Google two years ago. The CSRF flaw affects Gmail’s “Change Password” function: according to Diaz, the session cookie is automatically sent by the browser with every request, so a request forged by a third-party page arrives already authenticated, which is what makes the attack possible.
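To make the mechanism concrete, here is an added example (not code from the article or from Gmail) of a minimal "change password" handler in its CSRF-prone form and in a hardened form that also checks the Origin header and a per-session token the cross-origin page cannot read. The app origin, session store, user store and request dicts are constructed stand-ins.

```python
import hmac
import secrets

APP_ORIGIN = "https://mail.example"                      # assumed app origin
USERS = {"alice": "correct-horse"}                       # constructed user -> password
SESSIONS = {"sid-1": {"user": "alice", "csrf": secrets.token_hex(16)}}  # constructed

def _session(req):
    return SESSIONS.get(req["cookies"].get("sid"))

def change_password_vulnerable(req):
    """Trusts the session cookie alone. Because the browser attaches the cookie
    to every request, a form auto-submitted from another site reaches this
    handler authenticated; the only hurdle left is knowing old_pw."""
    sess = _session(req)
    if sess is None:
        return 401
    if not hmac.compare_digest(req["form"].get("old_pw", ""), USERS[sess["user"]]):
        return 403
    USERS[sess["user"]] = req["form"]["new_pw"]
    return 200

def change_password_hardened(req):
    """Same logic plus two cross-site checks: the Origin header must be the app's
    own, and the form must echo a per-session secret that is embedded in the
    app's HTML (never in the cookie), so a cross-origin page cannot obtain it."""
    sess = _session(req)
    if sess is None:
        return 401
    if req["headers"].get("Origin") != APP_ORIGIN:
        return 403
    if not hmac.compare_digest(req["form"].get("csrf", ""), sess["csrf"]):
        return 403
    if not hmac.compare_digest(req["form"].get("old_pw", ""), USERS[sess["user"]]):
        return 403
    USERS[sess["user"]] = req["form"]["new_pw"]
    return 200

def cross_site_request(guessed_old_pw):
    """Constructed request as a third-party page would cause the browser to send:
    cookie present (added automatically), no token, foreign Origin."""
    return {"cookies": {"sid": "sid-1"}, "headers": {"Origin": "https://other.example"},
            "form": {"old_pw": guessed_old_pw, "new_pw": "changed-by-csrf"}}

def legitimate_request(old_pw, new_pw):
    """Constructed request from the app's own page, carrying the session token."""
    return {"cookies": {"sid": "sid-1"}, "headers": {"Origin": APP_ORIGIN},
            "form": {"csrf": SESSIONS["sid-1"]["csrf"], "old_pw": old_pw, "new_pw": new_pw}}
```

The token check alone already defeats the forged request; the Origin check is defence in depth for older browsers and non-form request paths.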

Google’s response came fast, and it amounts to “We do not consider this case to be a significant vulnerability”:

“We’ve been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user’s password within the period that the user is visiting a potential attacker’s site,” the spokesperson said. “Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this.”

Compared to the futile password-guessing attempts required to execute this attack, nothing can replace flaw-independent approaches like social engineering. From a pragmatic perspective, malicious attackers have an extensive number of tactics to choose from if they are trying to obtain your Gmail password, starting from plain and simple phishing campaigns and going on to more efficiency-centered approaches. Remember the G-Archiver fiasco?

Google’s most recently fixed flaws across its web properties include October 2008’s cross domain frame injection vulnerability, November 2008’s XSS in Google’s accounts SSL login page, and January 2009’s Google sites reflective cross-site scripting flaw.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 10):
Why webmail?
So, what is it about web mail that people like? You can access your gmail account via POP3 or IMAP, with TLS and SSL encryption of the whole session. What's not to like?... (Read the rest)
Posted by: JDThompson | 03/06/09