Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Cross-Site (XSS) bug in GMail InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cross-Site (XSS) bug in GMail

Published: 2007-01-02
Last Updated: 2007-01-03 16:50:35 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
Google starts into 2007 with a feature that allows bad guys to steal your GMail contacts list. http://blogs.zdnet.com/Google/ has more. But before you follow any links today, you should maybe make sure that you are not logged in on GMail...

Correction/Update:
This is actually a "Cross Site Request Forgery" (CSRF), not a "Cross Site Scripting" attack. Google had the bug fixed by the time the issue was made public.

A CSRF issue comes up if javascript is used to take advantage of the fact that a user is logged in to a particular site. In this case, hostile javascript can be used to send an HTTP request to the trusted site. In this case, the hostile javascript could be used to retrieve the users gmail contact list.

It is rather hard to avoid these bugs and expect more of them to be found. It is best practice to log out of sites (in particular banking sites) once you no longer need the content. This will limit the attack window for the most dangerous CSRF attacks. Limited use of javascript (should I mention the NoScript extension to Firefox again?) will help as well. But ultimately, this is an issue that has to be fixed by the website.

Keywords:
0 comment(s)
Diary Archives