Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Google / GMail bug, all accounts vulnerable

From: coderman <coderman () gmail com>
Date: Wed, 12 Dec 2007 06:55:41 -0800
On Dec 12, 2007 3:07 AM, jipe foo <foojipe () gmail com> wrote:

...
Hum... am I missing the point or is that just a matter of redirection
with the favicon (and the Gmail logout CRSF is not really new...) ?



Moreover just switching between tabs does not log me off on my system
[2] (as it does not reload the nasty icon...).


this is very dependent on browser version as cache behavior for the
favicon varies quite a bit.  to force an example, clear your cache and
then navigate over the tab with the bad favicon.  in some ffox
versions these icons are regularly loaded even when not viewing the
page, or other activities which may reference the favicon (bookmarks,
etc).

it's not really new, but the nice trick here is that all scripting can
be disabled, a paranoid proxy in place, and still the icon(s) will be
requested, and the fast redirect effective.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: