Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Gmail Cross-site Request Forgery Vulnerability


  • Please log in to reply
1 reply to this topic

#1 HIPPO1023

HIPPO1023

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Local time:01:18 AM

Posted 02 October 2007 - 08:43 AM

From US-CIRT

Overview
According to public reports, Google Gmail contained a cross-site request forgery (XSRF) vulnerability that allowed attackers to create email filters that could forward mail and attachments to arbitrary email addresses.

I. Description
Google Gmail is a web based mail service. Gmail provides support for email filters that allow users to sort and forward mail.

According to a report on the GNUCITIZEN site, Gmail contained a cross-site request forgery (XSRF) vulnerability that allowed attackers to create mail filters and forward mail to arbitrary email addresses. To exploit this vulnerability, an attacker would have had to convince a user to click or open a specially crafted hyperlink while the user was logged into their Gmail account. The hyperlink would have contained a http POST request that created the mail filter.

........................

Workarounds for Users
Using Gmail's SMTP and POP servers to send and receive mail will mitigate vulnerabilities in the Gmail web interface.
The NoScript Firefox extension may mitigate XSRF and XSS vulnerabilities by restricting what sites can execute javascript and send cross-site POST requests.
Encrypting sensitive emails and attachments will limit the impact of XSRF or other authentication bypass vulnerabilities.


Original Report :
From GNUCITIZEN : Google GMail E-mail Hijack Technique

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,136 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:18 AM

Posted 10 October 2007 - 11:27 AM

Google Fixes Gmail Cross-site Request Forgery Vulnerability
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users