Gmail vulnerable to CSRF attacks (Cross Site Request Forgery)

GoogleComments Off on Gmail vulnerable to CSRF attacks (Cross Site Request Forgery)

Bookmark and Share


Recently, SecureTeam has made public a flaw in Google Gmail. In fact, a well-proven vulnerability could expose Gmail to CSRF attacks (Cross Site Request Forgery) in the “Change Password” functionality, letting malicious people change the password of the most famous webmail.

Reading from the SecureTeam website:

“GMail is vulnerable to CSRF attacks in the “Change Password” functionality. The only token for authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request. An attacker can create a page that includes requests to the “Change password” functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker. The attack is facilitated since the “Change Password” request can be realized across the HTTP GET method instead of the POST method that is realized habitually across the “Change Password” form.”

At the moment the only countermeasure to prevent the hijacking is to have Gmail automatically connect securely. To do that just login your Gmail, click Settings and locate at the end of the page the Browser Connection Settings. At this point just enable the “Always use HTTPS” and you are done.

Related Articles Latest Articles

Comments are closed.

Copyright © 2007-2017 | Sitemap | Privacy | Back To Top
Best screen resolution 1280x800 or higher.
Web Talk is best viewed in Firefox.