March 4th, 2009
Google downplays severity of Gmail CSRF flaw
Yesterday, Vicente Aguilera Diaz from Internet Security Auditors released proof of concept of a CSRF (Cross-Site Request Forgery) vulnerability in Google’s Gmail, which he originally communicated to Google two years ago. The CSRF flaw affects Gmail’s “Change Password” function, since according to Diaz the session cookie is automatically sent by the browser in every request making the attack possible.
Google’s response came fast, and it’s in the form of - “We do not consider this case to be a significant vulnerability.” :
We’ve been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user’s password within the period that the user is visiting a potential attacker’s site,” the spokesperson said. “DespiteĀ the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this.
Compared to the futile password guessing attempts in order to execute the attack, nothing can replace flaw-independent approaches like social engineering. From a pragmatic perspective, malicious attackers have an extensive number of tactics to chose from if they were trying to obtain your Gmail password. Starting from plain simple phishing campaigns, and going to a more efficiency-centered approaches - remember the G-Archiver fiasco?
- Related posts: Google downplays Chrome’s carpet-bombing flaw; Google: no evidence of a Gmail vulnerability; Google fixes critical XSS vulnerability
Google’s most recently fixed flaws across its web properties include October 2008’s cross domain frame injection vulnerability, November 2008’s XSS in Google’s accounts SSL login page, and January 2009’s Google sites reflective cross-site scripting flaw.
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
