full-disclosure-uk December 2007 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] Google / GMail bug, al

Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable

From: Kristian Erik Hermansen <kristian.hermansen_at_nospam>
Date: Wed Dec 12 2007 - 17:31:56 GMT
To: "ad@heapoverflow.com" <ad@heapoverflow.com>

On Dec 12, 2007 3:20 AM, ad@heapoverflow.com <ad@heapoverflow.com> wrote:
> Hash: SHA1
> ridiculous advisories are generating ridiculous replies that's well
> known and you figured it out.

The data is all there. So, the trick is how to utilize CSRF to influence a large number of users to make requests which disrupt, taint, or modify their accounts on popular services. In the example, I point the favicon.ico object as a 301 redirect to a GMail URI. Since the favicon.ico object, for some reason, influences the account even without revisiting the website again, the GMail account is again influenced any time you click a tab. It is an interesting finding, and not one that I have heard ever publicly stated. Correct me if I am wrong here, but why would the favicon.ico object be requested every time you merely click on a tab? And does this only happen in FF, or IE as well? What other browser's exhibit this behavior and/or is it supposed to be this way?

However, in addition to all this, CSRF is getting to be more dangerous. Major sites are not protecting against a wide range of attacks. The suggested prevention tactic is to ask for a password upon any account modifications. However, this does not always seem to be implemented. Too, many requests can cause distress to a user which do not necessarily modify their accounts. For instance, it is possible to taint the credibility of a remote user as well. Say you could inject searches on Youtube for 'kiddie porn', or make Google requests for 'how to murder your wife'. All of these are possible attacks, frightening, and how would they be prevented? This is becoming a large issue, and why I wrote up the PoC for the specific Google / GMail case. It is possible that these type of attacks could perhaps be used to incriminate someone in court based on secondary evidence, if they were suspected of say, murdering their wife. The user's search history on Google have been subpoenaed before, and injecting requests into someone's search history is frightening and definitely needs to be addressed, don't you think? The worst part about all of this is that there doesn't seem to be a viable solution at the moment, which is why everyone should start thinking about the problems now. There are some great papers which describe a few methods, but one demonstrating the implications is still missing... -- Kristian Erik Hermansen "I have no special talent. I am only passionately curious." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/