Brief -------------- While I was playing with Gmail, I found a bug that may disclose information about the users currently attempting to register a new Gmail account. This seems to be a vulnerability with low severity (at least until now). CheckAvailability Script -------------- In the registration page, the "Check Availability" button queries a certain script, namely /accounts/CheckAvailability. The script takes the desired username, and checks if it is available. If it is not available, it suggests other usernames by contactenating, for example, your last name to it. The Problem -------------- There seems to be a thread-safety problem with CheckAvailability script. When the script is under heavy stress, it may return answers to queries that are not yours, revealing others' desired usernames, and first and last names.(see attached screen shot) Reproduction -------------- To reproduce it, you should: AND a. Have a valid Gmail invitation b. Frequently Invoke CheckAvailability by ~ OR ~ 1. Creating a tool that automates the script invocation. ~ 2. Having the patience and keep clicking the button frequently (this works too!). I have not yet carefully studied the script, but I think it might not be a problem with this script only, but others as well. Your thoughts are appreciated. Regards, Ahmed Motaz ------------------------------------------------------ Mailsurf.com your communication portal for SMS, Email, Fax, E-Cards and more. www.mailsurf.com
Attachment:
gmail-screenshot.gif
Description: GIF image
