05 Mar 2009





SecureTeam has recently published a flaw in Google Gmail: a well-proven vulnerability exposes the “Change Password” functionality to CSRF (Cross-Site Request Forgery) attacks, letting a malicious party change the password of an account on the most famous webmail service.

Reading from the SecureTeam website:

“GMail is vulnerable to CSRF attacks in the “Change Password” functionality. The only token to authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request. An attacker can create a page that includes requests to the “Change password” functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker. The attack is facilitated since the “Change Password” request can be realized across the HTTP GET method instead of the POST method that is realized habitually across the “Change Password” form.”

At the moment the only countermeasure to prevent the hijacking is to have Gmail always connect securely over HTTPS. To do that, log in to Gmail, click Settings and locate Browser Connection at the end of the page. Enable “Always use HTTPS” and you are done.
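To make the advisory concrete, here is an added example (not code from the original post or from Google) that models the two weaknesses it describes: the session cookie is the only credential and a GET request is honoured, so a request a browser issues from any page succeeds. The hardened handler beside it shows the server-side checks that actually stop the forged request (POST only, a per-session anti-CSRF token, and the current password); note that forcing HTTPS alone does not remove the cookie from a cross-site request. Session and password stores, user names and token names are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory stores standing in for the real session and account backends.
SESSIONS = {"sess-abc": {"user": "alice", "csrf": secrets.token_hex(16)}}
PASSWORDS = {"alice": "old-secret"}


class Request:
    """Minimal stand-in for an HTTP request: method, cookies and query/form params."""
    def __init__(self, method, cookies, params):
        self.method, self.cookies, self.params = method, cookies, params


def change_password_vulnerable(req):
    """The pattern in the advisory: the cookie is the only credential and GET is
    accepted, so any page the logged-in user loads can trigger the change."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    PASSWORDS[sess["user"]] = req.params["new_password"]
    return 200


def change_password_hardened(req):
    """Same operation with the checks that defeat a cross-site request."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 401
    if req.method != "POST":            # a state change must never ride on GET
        return 405
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):   # token is unknown to other origins
        return 403
    if req.params.get("current_password") != PASSWORDS[sess["user"]]:
        return 403                      # re-authenticate the sensitive change
    PASSWORDS[sess["user"]] = req.params["new_password"]
    return 200


def cross_site_get():
    """What the browser sends when a logged-in user loads a third-party page that
    embeds the change-password URL: GET, session cookie attached automatically,
    no anti-CSRF token and no current password (constructed sample request)."""
    return Request("GET", {"sid": "sess-abc"}, {"new_password": "changed-by-third-party"})


def legitimate_post(new_password):
    """What Gmail's own form would submit: POST with the session's token and the current password."""
    sess = SESSIONS["sess-abc"]
    return Request("POST", {"sid": "sess-abc"},
                   {"new_password": new_password, "csrf_token": sess["csrf"],
                    "current_password": PASSWORDS[sess["user"]]})
```

Running `change_password_vulnerable(cross_site_get())` changes the stored password, while `change_password_hardened` rejects the same request with 405 and only accepts `legitimate_post(...)`.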








