Full Disclosure mailing list archives
Re: Google / GMail bug, all accounts vulnerable
From: "Steven Adair" <steven () securityzone org>
Date: Wed, 12 Dec 2007 16:27:28 -0500 (EST)
Glad to see we figured it out. :) Yes, "Cross Site Request Forgery" would be the correct term referenced by the acronym in all of the replies (subsequently also the first result in a normal Google query).

I'm still not quite sure what the big deal is on the favicon stuff in terms of this issue. So let's say you completely disabled favicons altogether. Now when you visit the original PoC, it no longer works. However, if you simply had a 302 or mod_rewrite rule for any image that you actually had written into the source of your page, you could achieve the same result. Maybe the favicon.ico method is slightly transparent to the user as it's not present when you view the source. However, you could be almost as sneaky by only throwing a redirect to the Google logout page if the referer field includes your root page. Otherwise, if the user directly requests it, it displays a real image.

Explain to me what I am missing here.
On Wednesday 12 December 2007 08:05:35 Steven Adair wrote:
You aren't really able to take action on Google's site per the real definition of CSRF.

CRSF:
Canadian Rope Skipping Federation (Google's "I'm feeling lucky")
Center for Research on Sustainable Forests
Canadian Rhodes Scholars Foundation
CReative Santa Fe
Consolidated Rail System Federation

I keep wondering when people on this thread will discuss the relative merits of various rope materials? That is the "real definition" isn't it? ;)

On a more serious note, I agree with the question; it doesn't sound like a full cross site request forgery. Still, Coderman's reply to your questions led me to search for information on the Firefox "browser.chrome.favicons." That led to this bit of information:

"Caveats
" * browser.chrome.site_icons must be true for this preference to have an effect.
" * Conversely, browser.chrome.site_icons should be false when this preference is false to disable site icons and favicons completely."

http://kb.mozillazine.org/Browser.chrome.favicons

Given Coderman's statement about meeting "fortuitously in a black hat tryst," I set both to false. Thanks all for the info.

And for those people, like myself, who aren't up on all the acronyms, here is a link for CRSF:
https://secure.wikimedia.org/wikipedia/en/wiki/Csrf

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
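The message above argues that a favicon fetch and an inline image redirected to a logout URL are equivalent. The following added example, which is not part of the original post or of any Google code, shows that from the target server's side: a logout handler check that refuses both for the same reason. The function name, the token value and the sample requests are constructed assumptions, and the Fetch Metadata headers it reads postdate this thread.

```python
import hmac

def logout_decision(method, headers, form_token, session_token):
    """Decide whether a request to a hypothetical /logout endpoint may end the session.

    Returns (allowed, reason). All names here are illustrative assumptions.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # An image or favicon fetch that follows a 302 always arrives as a GET.
    if method.upper() != "POST":
        return False, "not-post"
    # Fetch Metadata, where the browser sends it: refuse cross-site initiators.
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False, "cross-site"
    # Per-session token: the check that still holds when no metadata is sent.
    if not form_token or not hmac.compare_digest(
            form_token.encode(), session_token.encode()):
        return False, "bad-token"
    return True, "ok"

SESSION_TOKEN = "constructed-token-0001"  # constructed sample value

# Constructed sample requests (not captured traffic): method, headers, form token.
IMG_HEADERS = {"Sec-Fetch-Dest": "image", "Sec-Fetch-Site": "cross-site"}
SAMPLES = {
    "favicon redirected to logout": ("GET", IMG_HEADERS, None),
    "inline image redirected to logout": ("GET", IMG_HEADERS, None),
    "cross-site POST, no token": ("POST", {"Sec-Fetch-Site": "cross-site"}, None),
    "older browser, wrong token": ("POST", {}, "guess"),
    "same-origin POST, valid token": (
        "POST", {"Sec-Fetch-Site": "same-origin"}, SESSION_TOKEN),
}

def evaluate_samples():
    """Run every constructed request through the check."""
    return {name: logout_decision(m, hdrs, tok, SESSION_TOKEN)
            for name, (m, hdrs, tok) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_samples().items():
        print(f"{name:36} allowed={allowed} reason={reason}")
```

Disabling favicons in the browser changes nothing in this result, because the check never depends on which element triggered the request.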