[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit

To: <enune@xxxxxxxxxxx>, "Shoshannah Forbes" <xslf@xxxxxxxx>
Subject: Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit
From: "morning_wood" <se_cur_ity@xxxxxxxxxxx>
Date: Sat, 30 Oct 2004 18:43:03 -0700

there is a [x] box..

"Don't ask for my password for 2 weeks."

this sets the users cookie. Gmail uses the cookie for authentication.


>XSS holes are not (as we all know) an immediate bypass for
> any authentication.
right

>It can be used, with a bit of work, to steal
> cookies/authentication data from unexpecting users, NOT as an immediate
> break-into-accounts kiddie tool.
right

> However, the interesting thing I found about this article was this line:
> "regardless of whether or not the password is subsequently changed"
>
> Does Gmail use some sort of static security key?
> Does anyone have any further details on the security implemented by Google
> in their new service?
see above.


m.wood

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit
  - From: Calum Power

References:
- [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit
  - From: Shoshannah Forbes
- Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit
  - From: Calum Power

Prev by Date: Re: [Full-Disclosure] Slightly off-topic: www.georgewbush.com
Next by Date: Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit
Previous by thread: Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit
Next by thread: Re: [Full-Disclosure] Slashdot: Gmail Accounts Vulnerable to XSS Exploit
Index(es):
- Date
- Thread