[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] GMail logout (not sure if you could call it a vulnerability)

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] GMail logout (not sure if you could call it a vulnerability)
From: QoDS ec <QoDSec@xxxxxxxxx>
Date: Mon, 21 Jun 2004 20:24:15 -0400

I might have found a little glich in GMail's invitation system. I was
playing today with GMail and found that if you change the invite hyper
link to something different you will be logged out from your GMail
session.

for example consider the following invite link:
http://gmail.google.com/gmail/a-da020f8475-a200b150b3

if you change it to the following:
http://gmail.google.com/gmail/a-da020f8435-a200b150b3
                                            ^^^^^^^^^^^^^
                                         Any of the following digits
could change
you will be automatically logged out and as it seems you will have the
login name of the email of the person who did the invitation.

Not sure if there is anything evil you could do about it but just a
minor bug that should be fixed.

comments appreciated.


QODS ec

QODSec.blogspot.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] GMail logout (not sure if you could call it a vulnerability)
  - From: Nico Golde
- Re: [Full-Disclosure] GMail logout (not sure if you could call it a vulnerability)
  - From: Nico Golde

Prev by Date: Re: [Full-Disclosure] M$ Getting Better?
Next by Date: Re: [Full-Disclosure] M$ - so what should they do?
Previous by thread: [Full-Disclosure] SGI Advanced Linux Environment 3 Security Update #4
Next by thread: Re: [Full-Disclosure] GMail logout (not sure if you could call it a vulnerability)
Index(es):
- Date
- Thread