Full Disclosure mailing list archives
Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit
From: "Calum Power" <enune () fribble net>
Date: Sun, 31 Oct 2004 13:07:20 +1100 (EST)
Indeed, but surely the cookie information stored should be dependant on the user's authentication details? It makes sense to use semi-dynamic cookie information like this, making holes like this one a little more hard to 'gain and keep' access.
there is a [x] box.. "Don't ask for my password for 2 weeks." this sets the users cookie. Gmail uses the cookie for authentication.XSS holes are not (as we all know) an immediate bypass for any authentication.rightIt can be used, with a bit of work, to steal cookies/authentication data from unexpecting users, NOT as an immediate break-into-accounts kiddie tool.rightHowever, the interesting thing I found about this article was this line: "regardless of whether or not the password is subsequently changed" Does Gmail use some sort of static security key? Does anyone have any further details on the security implemented by Google in their new service?see above. m.wood
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Slashdot: Gmail Accounts Vulnerable to XSS Exploit Shoshannah Forbes (Oct 30)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit n3td3v (Oct 30)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit Calum Power (Oct 30)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit morning_wood (Oct 30)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit Calum Power (Oct 30)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit morning_wood (Oct 30)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit n3td3v (Oct 30)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit Nancy Kramer (Oct 31)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit n3td3v (Oct 31)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit Jesse Ruderman (Oct 31)
- Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit morning_wood (Oct 30)