Cross-Site (XSS) bug in GMail

Published: 2007-01-02. Last Updated: 2007-01-03 16:50:35 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
Google starts into 2007 with a feature that allows bad guys to steal your GMail contacts list. http://blogs.zdnet.com/Google/ has more. But before you follow any links today, you should maybe make sure that you are not logged in on GMail...

Correction/Update:
This is actually a "Cross Site Request Forgery" (CSRF), not a "Cross Site Scripting" attack. Google had the bug fixed by the time the issue was made public.

A CSRF issue comes up if javascript is used to take advantage of the fact that a user is logged in to a particular site. In this case, hostile javascript can be used to send an HTTP request to the trusted site. In this case, the hostile javascript could be used to retrieve the users gmail contact list.

It is rather hard to avoid these bugs and expect more of them to be found. It is best practice to log out of sites (in particular banking sites) once you no longer need the content. This will limit the attack window for the most dangerous CSRF attacks. Limited use of javascript (should I mention the NoScript extension to Firefox again?) will help as well. But ultimately, this is an issue that has to be fixed by the website.

Keywords:
0 comment(s)

Cuckoo's egg on the face

Published: 2007-01-02. Last Updated: 2007-01-02 09:53:56 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
Recently, when I couldn't find anything decent to read in an airport bookstore awash with "get rich quick" and "management" books, I ended up buying a copy of Cliff Stoll's "The Cuckoo's Egg". Yes, I've read this before, like every infosec professional should, but it's been a while. The first time 'round, I had read it pretty much like an entertaining crime novel. Not this time, when I kept asking myself "could this still happen today", and usually ended up answering in the affirmative. Take the password issue. Most of the problems Cliff had to fight revolve around guessable or disclosed passwords. That was back in 1987. Now, twenty years later, a significant portion of the hostile traffic seen by DShield are password guessing attacks against VNC, SSH, SMB. Looks like feeling smug about our achievements as computer security specialists might be a bit premature.



Keywords:
0 comment(s)

Comments


Diary Archives