Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit

["Calum Power" <enune@xxxxxxxxxxx>]

Once again, a perfect example of the media misconstruing a security
vulnerability. XSS holes are not (as we all know) an immediate bypass for
any authentication. It can be used, with a bit of work, to steal
cookies/authentication data from unexpecting users, NOT as an immediate
break-into-accounts kiddie tool.

IMHO The Register describes this story much better -
http://www.theregister.co.uk/2004/10/29/gmail_vuln/

"Using a hex-encoded XSS link, the victim's cookie file can be stolen by a
hacker, who can later use it to identify himself to Gmail as the original
owner of an email account"

However, the interesting thing I found about this article was this line:
"regardless of whether or not the password is subsequently changed"

Does Gmail use some sort of static security key?
Does anyone have any further details on the security implemented by Google
in their new service?

Cheers,
Calum
--
Calum Power
- Cultural Jammer
- Security Enthusiast
- Hopeless Cynic
enune@xxxxxxxxxxx
http://www.fribble.net

> "A security hole in GMail has been found (an XSS vulnerability) which
> allows access to user accounts without authentication. What makes the
> exploit worse is the fact that changing passwords doesn't help. The full
> details of the exploit haven't been disclosed"
> http://slashdot.org/article.pl?sid=04/10/29/1830247
> --
> Shoshannah Forbes
> http://www.xslf.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html