Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit

From: "Calum Power" <enune () fribble net>
Date: Sun, 31 Oct 2004 10:54:16 +1100 (EST)
Once again, a perfect example of the media misconstruing a security
vulnerability. XSS holes are not (as we all know) an immediate bypass for
any authentication. It can be used, with a bit of work, to steal
cookies/authentication data from unexpecting users, NOT as an immediate
break-into-accounts kiddie tool.

IMHO The Register describes this story much better -
http://www.theregister.co.uk/2004/10/29/gmail_vuln/

"Using a hex-encoded XSS link, the victim's cookie file can be stolen by a
hacker, who can later use it to identify himself to Gmail as the original
owner of an email account"

However, the interesting thing I found about this article was this line:
"regardless of whether or not the password is subsequently changed"

Does Gmail use some sort of static security key?
Does anyone have any further details on the security implemented by Google
in their new service?

Cheers,
Calum
--
Calum Power
- Cultural Jammer
- Security Enthusiast
- Hopeless Cynic
enune () fribble net
http://www.fribble.net


"A security hole in GMail has been found (an XSS vulnerability) which
allows access to user accounts without authentication. What makes the
exploit worse is the fact that changing passwords doesn't help. The full
details of the exploit haven't been disclosed"
http://slashdot.org/article.pl?sid=04/10/29/1830247
--
Shoshannah Forbes
http://www.xslf.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: