Full Disclosure mailing list archives

Re: Google / GMail bug, all accounts vulnerable


From: "Steven Adair" <steven () securityzone org>
Date: Wed, 12 Dec 2007 16:27:28 -0500 (EST)

Glad to see we figured it out. :)  Yes, "Cross Site Request Forgery" would
be the correct term referenced by the acronym in all of the replies
(subsequently also the first result in a normal Google query).  I'm still
not quite sure what the big deal is with the favicon stuff in terms of this
issue.  So let's say you completely disabled favicons altogether.  Now when
you visit the original PoC, it no longer works.  However, if you simply
had a 302 or mod_rewrite rule for any image that you actually had written
into the source of your page, you could achieve the same result.

Maybe the favicon.ico method is slightly transparent to the user as it's
not present when you view the source.  However, you could be almost as
sneaky by only throwing a redirect to the Google logout page if the
referer field includes your root page.  Otherwise, if the user directly
requests it, it displays a real image.

Explain to me what I am missing here.


On Wednesday 12 December 2007 08:05:35 Steven Adair wrote:
You aren't really able to take action on Google's site per the
real definition of CSRF.

CRSF: Canadian Rope Skipping Federation (Google's "I'm feeling lucky")
      Center for Research on Sustainable Forests
      Canadian Rhodes Scholars Foundation
      CReative Santa Fe
      Consolidated Rail System Federation

I keep wondering when people on this thread will discuss the relative
merits of various rope materials? That is the "real definition" isn't it? ;)

On a more serious note, I agree with the question; it doesn't sound like a
full cross site request forgery. Still, Coderman's reply to your questions
led me to search for information on the Firefox
"browser.chrome.favicons" preference.
That led to this bit of information:

"Caveats

    * browser.chrome.site_icons must be true for this preference to have
      an effect.
    * Conversely, browser.chrome.site_icons should be false when this
      preference is false to disable site icons and favicons completely."

http://kb.mozillazine.org/Browser.chrome.favicons

Given Coderman's statement about meeting "fortuitously in a black hat
tryst," I set both to false. Thanks all for the info.

And for those people, like myself, who aren't up on all the acronyms,
here is a link for CRSF:

https://secure.wikimedia.org/wikipedia/en/wiki/Csrf

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
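The thread's point is that any state-changing action (here, logout) reachable by a plain GET can be triggered by an image fetch, whether via a favicon or a redirect on any `<img>` the page references. The fix lives on the target site, not in the browser's favicon settings. The following is an added example, not code from the list posters or from Google: a minimal logout handler in the pattern the thread describes next to a hardened one that requires POST, a per-session synchronizer token, and a same-origin Origin/Referer header. `SITE_ORIGIN`, the `Request` and `SessionStore` classes, and the sample requests are all constructed for the illustration.

```python
"""Logout-CSRF mitigation: GET-triggered logout vs. a hardened handler.

Added example (not from the mailing-list thread). SITE_ORIGIN, Request,
SessionStore and the sample requests in demo() are constructed here.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SITE_ORIGIN = "https://mail.example"  # assumed origin of our own application


@dataclass
class Request:
    """Just enough of an HTTP request for the handlers below."""
    method: str
    headers: Dict[str, str]
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory sessions: session id -> {"user": ..., "csrf": ...}."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        # The CSRF token is bound to the session and never sent in a cookie,
        # so a cross-site request cannot carry it automatically.
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid: str) -> Optional[Dict[str, str]]:
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def logout_vulnerable(req: Request, store: SessionStore) -> Tuple[int, str]:
    """The pattern the thread describes: any request that carries the session
    cookie logs the user out, so a redirected image/favicon fetch suffices."""
    sid = req.cookies.get("sid")
    if sid and store.get(sid):
        store.destroy(sid)
        return 302, "logged out"
    return 200, "not logged in"


def same_origin(req: Request) -> bool:
    """Origin/Referer check. The browser sets these headers itself; a page on
    another site cannot forge them on the image fetches it triggers."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def logout_hardened(req: Request, store: SessionStore) -> Tuple[int, str]:
    """Require POST, a matching synchronizer token, and a same-origin header.
    An image GET fails the method check before anything else is consulted."""
    if req.method != "POST":
        return 405, "method not allowed"
    sid = req.cookies.get("sid")
    sess = store.get(sid) if sid else None
    if sess is None:
        return 200, "not logged in"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):  # constant-time compare
        return 403, "bad csrf token"
    if not same_origin(req):
        return 403, "cross-origin request refused"
    store.destroy(sid)
    return 302, "logged out"


def demo() -> Dict[str, Tuple[int, str]]:
    """Run both handlers against a constructed image-style GET from another
    site and a legitimate same-origin POST; returns the status per case."""
    store = SessionStore()
    sid = store.create("alice")
    # What the browser sends when another site's page embeds our logout URL
    # as an image: a GET with our cookie and that site's Referer (constructed).
    img_get = Request("GET", {"Referer": "https://other.example/"}, {"sid": sid})
    results = {"hardened_img_get": logout_hardened(img_get, store)}
    token = store.get(sid)["csrf"]
    good = Request("POST", {"Origin": SITE_ORIGIN}, {"sid": sid},
                   {"csrf_token": token})
    results["hardened_good_post"] = logout_hardened(good, store)
    sid2 = store.create("bob")
    img_get2 = Request("GET", {"Referer": "https://other.example/"}, {"sid": sid2})
    results["vulnerable_img_get"] = logout_vulnerable(img_get2, store)
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The method check alone defeats the image trick, since an `<img>` or favicon fetch is always a GET; the token and origin checks cover forms and scripts submitted cross-site. Treat the Origin/Referer check as defence in depth rather than the only control, because some browser privacy settings and proxies strip Referer, and a handler that rejects every request lacking it will lock out those users.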


