Full Disclosure mailing list archives
Breaking Google Gears' Cross-Origin Communication Model
From: Yair Amit <AMITYAIR () il ibm com>
Date: Mon, 8 Dec 2008 21:27:17 +0200
Hello, I recently discovered a flaw in the cross-origin communication security model of Google Gears that could allow attackers to break-out of the same-origin policy and mount large scale user-impersonation attacks under certain conditions. After coordinating a fix with Google, I can now reveal the full details. You are invited to read them at http://blog.watchfire.com/wfblog/2008/12/breaking-google-gears-cross-origin-communication-model.html. To make sure you are secure, it is advisable to verify that you have the latest version of Google-Gears (currently 0.5.4.2) installed on your system. If that is not the case, it can be obtained from the Google Gears website (http://gears.google.com). I would like to thank the Google Gears security team for their quick responses and the efficient way in which they handled this security issue. Best Regards, Yair Amit Senior Security Researcher IBM Rational Application Security _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Breaking Google Gears' Cross-Origin Communication Model Yair Amit (Dec 08)