Re: Google / GMail bug, all accounts vulnerable

["jipe foo" <foojipe () gmail com>]

2007/12/12, Kristian Erik Hermansen <kristian.hermansen () gmail com>:
> On Dec 11, 2007 6:25 PM, coderman <coderman () gmail com> wrote:
> > favicons are handy
> >
> > ... even if handled quite differently between browser types/versions.

Hi,

> Bingo to coderman, the only security dude here who gets it.  You would
> be surprised the number of ridiculous personal emails I got regarding
> this issue.  Crowd SuRFing is here to stay...

Hum... am I missing the point or is that just a matter of redirection
with the favicon (and the Gmail logout CRSF is not really new...) ?

I get approximately the same behavior by just putting a simple
redirection in an apache .htaccess [1].

Moreover just switching between tabs does not log me off on my system
[2] (as it does not reload the nasty icon...).

1. Redirect 301 /favicon.ico http://mail.google.com/mail/?logout
2. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204
Ubuntu/7.10 (gutsy) Firefox/2.0.0.11


Best,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/