Full Disclosure mailing list archives

Re: Google / GMail bug, all accounts vulnerable


From: "Kristian Erik Hermansen" <kristian.hermansen () gmail com>
Date: Tue, 11 Dec 2007 18:16:22 -0800

On Dec 11, 2007 3:01 PM, Aaron Katz <atkatz () gmail com> wrote:
> My strong suspicion is that the original poster simply created a
> JavaScript script in somewhere.google.com, and this JavaScript deleted
> the cookie. This would work if the session cookie is restricted to
> google.com, which would let any web server in, or content served from
> the google.com domain (or any subdomain).
>
> My note about using NoScript to restrict JavaScript execution to
> mail.google.com reinforces this suspicion.
>
> If my suspicion is correct, then google did two things. First, google
> appears to allow individuals to create personal domain names in
> google.com, and to place arbitrary content in those domains. This
> first thing probably allowed the original poster to place the
> JavaScript in a location where it could access the google.com cookie.
> Second, google apparently did not restrict the gmail cookie to
> mail.google.com. This second thing allowed the JavaScript from the
> personal system at somewhere.google.com to access the cookie.
>
> Of course, I only did a cursory glance at the source of the webpage,
> so I may be wrong :) But, we can be reasonably sure it's not
> exploiting a problem in the browser, since the issue appears to be
> cross browser.

Well, let me just say that NoScript will not save you here in my
example.  Try this to see how to really mess with your brain...

* Open Firefox 2.x (delete all cookies/cached objects if you like, etc)
* Check an email in Google
* Visit my PoC code page in a new tab
* Click on the Google tab and try to read an email
* Something went wrong...
* Log back into Google
* Browse around your email, or not, doesn't matter
* Merely click on the tab for my PoC webpage
* Something goes wrong again...

Just clicking a tab in Firefox can mess with your Google account?
Details will be released this Friday and will also include an exploit
for Yahoo as well.  Fair warning...
-- 
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."
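Aaron's explanation above turns on how a browser scopes a session cookie by its Domain attribute. The following is an added example, not code from this thread or from Google, that models the browser's domain-matching rule (RFC 6265, section 5.1.3) to show which hosts would receive a cookie set with Domain=google.com versus one left host-only on mail.google.com; the hostnames and cookie values are constructed.

```python
# Added illustration of cookie scoping; hostnames and values are constructed.
# A cookie with Domain=google.com is sent to every google.com subdomain, so any
# content served under that domain can read or delete it; a host-only cookie
# (no Domain attribute) stays on the single host that set it.


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match: hosts equal, or request host ends in '.' + domain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    # The '.' forces a label boundary, so notgoogle.com does not match google.com.
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: dict, request_host: str) -> bool:
    """True if the browser would attach this stored cookie to request_host."""
    if cookie["host_only"]:
        # No Domain attribute was given: the cookie stays on the host that set it.
        return request_host.lower() == cookie["domain"].lower()
    return domain_match(request_host, cookie["domain"])


def parse_set_cookie(header: str, setting_host: str) -> dict:
    """Minimal Set-Cookie parser: name=value plus an optional Domain attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": setting_host, "host_only": True}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            cookie["domain"] = val.strip().lstrip(".").lower()
            cookie["host_only"] = False
    return cookie


def exposure(header: str, setting_host: str, hosts: list) -> dict:
    """Map each candidate host to whether the cookie would be sent to it."""
    cookie = parse_set_cookie(header, setting_host)
    return {h: cookie_sent_to(cookie, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["mail.google.com", "somewhere.google.com", "google.com", "evil.example"]
    print("Domain=google.com ->", exposure("SID=abc; Domain=google.com", "mail.google.com", hosts))
    print("host-only         ->", exposure("SID=abc; Path=/", "mail.google.com", hosts))
```

The same check applies when reviewing any multi-tenant domain: a cookie whose Domain covers hosts that serve user-supplied content is readable from all of them.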

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

