According to a post on the Full Disclosure mailing list this morning, Google’s popular Gmail service has been vulnerable to a Cross-Site Request Forgery (CSRF) attack since the summer of 2007. After over a year of attempting to get Google to correct the issue, the researchers went public with their findings.
Image caption: Is Google's GMail vulnerable to CSRF attack? (Image: J. Anderson)
“GMail is vulnerable to CSRF attacks in the ‘Change Password’ functionality. The only token to authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request,” the advisory from ISecAuditors says.
CSRF attacks are both tricky and dangerous. CSRF attacks are sometimes confused with Cross-Site Scripting (XSS) attacks. The difference is that XSS attacks require that Web site code be exploited so malicious commands can be injected into the page. Only once the XSS is complete can the payload be delivered.
CSRF attacks never need to inject anything into a page; they can be triggered on their own simply by having the victim visit a malicious page. Once the user loads the malicious page, the CSRF attack is triggered and the request executes in the victim's authenticated session. In this case, this is exactly what happens with Google.
“An attacker can create a page that includes requests to the ‘Change Password’ functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker,” the ISecAuditors advisory adds.
According to the alert, the CSRF attack works because the ‘Change Password’ feature accepts a GET request instead of requiring a POST. ISecAuditors included two sets of example code demonstrating how the CSRF attack works. One example uses an IMG tag to trigger the request, while the other uses an Iframe to run it.
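To make the defensive point concrete, here is an added example (not code from the advisory, from ISecAuditors, or from Google) that models a change-password handler the way the advisory describes it and beside it a hardened version. The session store, cookie name `SID`, parameter names and the `Request` class are all constructed for this illustration. The vulnerable handler trusts only the automatically sent session cookie, so a request issued from another origin is indistinguishable from a legitimate one; the hardened handler requires a POST, a per-session anti-CSRF token that another origin cannot read, and the current password.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory state for the example; not a real mail backend.
SESSIONS = {}
PASSWORDS = {}


def reset_state():
    """Start from one logged-in user with a fresh per-session CSRF token."""
    SESSIONS.clear()
    PASSWORDS.clear()
    SESSIONS["sess-abc"] = {"user": "alice", "csrf_token": secrets.token_hex(16)}
    PASSWORDS["alice"] = "old-password"


@dataclass
class Request:
    method: str
    params: dict
    cookies: dict = field(default_factory=dict)


def vulnerable_change_password(req):
    """Mirrors the weakness in the advisory: any method is accepted and the
    only authentication is the session cookie the browser attaches to every
    request, including requests triggered by a third-party page."""
    session = SESSIONS.get(req.cookies.get("SID"))
    if session is None:
        return 401, "not logged in"
    PASSWORDS[session["user"]] = req.params["new"]
    return 200, "password changed"


def hardened_change_password(req):
    """State change requires POST, a token bound to the session, and proof of
    the current password. A cross-site request carries the cookie but cannot
    supply the token, because the other origin never sees the page that holds it."""
    session = SESSIONS.get(req.cookies.get("SID"))
    if session is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state change requires POST"
    token = req.params.get("csrf_token", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    if req.params.get("current") != PASSWORDS[session["user"]]:
        return 403, "current password does not match"
    PASSWORDS[session["user"]] = req.params["new"]
    return 200, "password changed"


def cross_site_get():
    """Model of a request a third-party page causes the victim's browser to
    send (e.g. via an IMG or Iframe): the cookie rides along automatically,
    but no CSRF token and no current password are present."""
    return Request("GET", {"new": "changed-by-third-party"}, cookies={"SID": "sess-abc"})


def legitimate_post():
    """The real change-password form: POST with the session token and the current password."""
    return Request(
        "POST",
        {
            "new": "new-password",
            "current": PASSWORDS["alice"],
            "csrf_token": SESSIONS["sess-abc"]["csrf_token"],
        },
        cookies={"SID": "sess-abc"},
    )


if __name__ == "__main__":
    reset_state()
    print("vulnerable handler, cross-site GET:", vulnerable_change_password(cross_site_get()))
    reset_state()
    print("hardened handler, cross-site GET:  ", hardened_change_password(cross_site_get()))
    print("hardened handler, legitimate POST: ", hardened_change_password(legitimate_post()))
```

Running the block shows the vulnerable handler changing the password on the cross-site GET while the hardened handler rejects it and still accepts the genuine form submission. Requiring the current password is the control Google's response relies on; the token and the POST-only rule remove the dependency on that password staying secret.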
According to the timeline in the advisory, ISecAuditors identified the vulnerability in July 2007. The final refusal from Google was sent to them in December 2008.
When asked for comment, Google had this to say:
"We've been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user's password within the period that the user is visiting a potential attacker's site. We haven't received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this."
An archive of the advisory is here.