Full Disclosure mailing list archives
Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit
From: "Calum Power" <enune () fribble net>
Date: Sun, 31 Oct 2004 10:54:16 +1100 (EST)
Once again, a perfect example of the media misconstruing a security vulnerability. XSS holes are not (as we all know) an immediate bypass for any authentication. They can be used, with a bit of work, to steal cookies/authentication data from unsuspecting users, NOT as an immediate break-into-accounts kiddie tool.

IMHO The Register describes this story much better - http://www.theregister.co.uk/2004/10/29/gmail_vuln/

"Using a hex-encoded XSS link, the victim's cookie file can be stolen by a hacker, who can later use it to identify himself to Gmail as the original owner of an email account"

However, the interesting thing I found about this article was this line:

"regardless of whether or not the password is subsequently changed"

Does Gmail use some sort of static security key? Does anyone have any further details on the security implemented by Google in their new service?

Cheers,
Calum

--
Calum Power - Cultural Jammer - Security Enthusiast - Hopeless Cynic
enune () fribble net
http://www.fribble.net
> "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed"
> http://slashdot.org/article.pl?sid=04/10/29/1830247
>
> --
> Shoshannah Forbes
> http://www.xslf.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
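The two points raised in the thread, that a stolen session cookie is the real payoff of an XSS hole and that a password change which does not revoke existing sessions leaves the stolen cookie usable, map onto two server-side design decisions. The example below is added here as an illustration and is not code from the thread, from Gmail, or from Google; every name in it (`USERS`, `SESSIONS`, `login`, `validate_static`, `validate`, `change_password`, `set_cookie_header`) is an assumed toy API. It contrasts a session check that ignores password changes (the behaviour the quoted article describes) with one that binds each session to a per-user password version, and emits the cookie with the `HttpOnly` and `Secure` attributes so page script cannot read it.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Constructed in-memory stores standing in for a real user/session database.
USERS: dict = {}
SESSIONS: dict = {}

SESSION_LIFETIME_SECONDS = 3600


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    password_version: int = 1  # bumped on every password change


@dataclass
class Session:
    username: str
    password_version: int  # version current when the session was issued
    expires_at: float


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 as a plain, well-known password hashing primitive for the toy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = User(username, salt, hash_password(password, salt))


def _password_matches(user: User, password: str) -> bool:
    # Constant-time compare so the check itself does not leak timing.
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)


def login(username: str, password: str):
    """Return a fresh random session token, or None on bad credentials."""
    user = USERS.get(username)
    if user is None or not _password_matches(user, password):
        return None
    token = secrets.token_urlsafe(32)  # unguessable; never derived from the password
    SESSIONS[token] = Session(username, user.password_version,
                              time.time() + SESSION_LIFETIME_SECONDS)
    return token


def set_cookie_header(token: str) -> str:
    # HttpOnly keeps the token out of document.cookie; Secure keeps it off plain HTTP.
    return f"Set-Cookie: SID={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def validate_static(token: str):
    """Weak check: a session stays valid until expiry, even after a password change."""
    session = SESSIONS.get(token)
    if session is None or time.time() > session.expires_at:
        return None
    return session.username


def validate(token: str):
    """Hardened check: a session issued under an older password version is revoked."""
    session = SESSIONS.get(token)
    if session is None or time.time() > session.expires_at:
        return None
    user = USERS[session.username]
    if session.password_version != user.password_version:
        SESSIONS.pop(token, None)  # drop the stale session eagerly
        return None
    return session.username


def change_password(username: str, old_password: str, new_password: str) -> bool:
    user = USERS.get(username)
    if user is None or not _password_matches(user, old_password):
        return False
    user.salt = os.urandom(16)
    user.password_hash = hash_password(new_password, user.salt)
    user.password_version += 1  # invalidates every session issued before this point
    return True


if __name__ == "__main__":
    create_user("alice", "correct horse battery")
    sid = login("alice", "correct horse battery")
    print(set_cookie_header(sid))
    change_password("alice", "correct horse battery", "staple")
    print("static check after password change:", validate_static(sid))
    print("versioned check after password change:", validate(sid))
```

The version counter is a deliberately cheap mechanism: no session table scan is needed at password-change time, because every stored session carries the version it was issued under and the comparison happens on the next request. The `HttpOnly` attribute does not make the XSS hole harmless (script running in the page can still act on the user's behalf), but it removes the cookie-exfiltration route the quoted article describes.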