Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable
- To: "Aaron Katz" <atkatz@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable
- From: "Kristian Erik Hermansen" <kristian.hermansen@xxxxxxxxx>
- Date: Tue, 11 Dec 2007 18:16:22 -0800
On Dec 11, 2007 3:01 PM, Aaron Katz <atkatz@xxxxxxxxx> wrote:
> My strong suspicion is that the original poster simply created a
> JavaScript script in somewhere.google.com, and this JavaScript deleted
> the cookie. This would work if the session cookie is restricted to
> google.com, which would let any web server in, or content served from
> the google.com domain (or any subdomain).
>
> My note about using NoScript to restrict JavaScript execution to
> mail.google.com reinforces this suspicion.
>
> If my suspicion is correct, then google did two things. First, google
> appears to allow individuals to create personal domain names in
> google.com, and to place arbitrary content in those domains. This
> first thing probably allowed the original poster to place the
> JavaScript in a location where it could access the google.com cookie.
> Second, google apparently did not restrict the gmail cookie to
> mail.google.com. This second thing allowed the JavaScript from the
> personal system at somewhere.google.com to access the cookie.
>
>
> Of course, I only did a cursory glance at the source of the webpage,
> so I may be wrong :) But, we can be reasonably sure it's not
> exploiting a problem in the browser, since the issue appears to be
> cross browser.
Well, let me just say that NoScript will not save you here in my
example. Try this to see how to really mess with your brain...
* Open Firefox 2.x (delete all cookies/cached objects if you like, etc)
* Check an email in Google
* Visit my PoC code page in a new tab
* Click on the Google tab and try to read an email
* Something went wrong...
* Log back into Google
* Browse around your email, or not, doesn't matter
* Merely click on the tab for my PoC webpage
* Something goes wrong again...
Just clicking a tab in Firefox can mess with your Google account?
Details will be released this Friday and will also include an exploit
for Yahoo as well. Fair warning...
--
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."
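Aaron's reasoning in the quoted reply turns on how browsers scope a cookie by its Domain attribute: a session cookie scoped to google.com is sent to, and readable from, every host under google.com, whereas one scoped to mail.google.com is not. The following Python model is an added example written for this archive page; it is not code from either poster or from Google. It implements the domain-match rule browsers apply (RFC 6265 section 5.1.3), parses a Set-Cookie header the way a browser decides its effective domain, and flags cookies whose scope is wider than the host that set them. The cookie name and value are constructed; the hostnames mail.google.com and somewhere.google.com are the ones the thread discusses.

```python
"""Model of browser cookie Domain scoping (added example, not from the thread).

Implements the domain-match rule of RFC 6265 section 5.1.3 and a small
Set-Cookie audit.  Hostnames and the cookie name/value used in the demo
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # effective domain: Domain attribute, or the host that set it
    host_only: bool  # True when the Set-Cookie header carried no Domain attribute


def _norm(host: str) -> str:
    """Lower-case and strip surrounding dots (a leading dot in Domain is ignored)."""
    return host.strip().lower().strip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain, or ends with '.' + domain.

    The dot matters: 'evilgoogle.com' does not match 'google.com'.
    """
    host, dom = _norm(request_host), _norm(cookie_domain)
    return host == dom or host.endswith("." + dom)


def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Determine a cookie's effective domain as a browser would.

    Raises ValueError when the Domain attribute does not cover the setting
    host, because browsers reject such cookies outright.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain_attr: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            domain_attr = _norm(val)
    if domain_attr is None:
        # No Domain attribute: host-only cookie, sent to the setting host only.
        return Cookie(name.strip(), value.strip(), _norm(setting_host), True)
    if not domain_matches(setting_host, domain_attr):
        raise ValueError(f"Domain={domain_attr} does not cover {setting_host}")
    return Cookie(name.strip(), value.strip(), domain_attr, False)


def set_cookie_accepted(header: str, setting_host: str) -> bool:
    """True if a browser would store the cookie at all."""
    try:
        parse_set_cookie(header, setting_host)
        return True
    except ValueError:
        return False


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        return _norm(request_host) == cookie.domain
    return domain_matches(request_host, cookie.domain)


def hosts_receiving(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Subset of hosts whose pages (and scripts) can see the cookie."""
    return [h for h in hosts if cookie_sent_to(cookie, h)]


def scoped_to_parent_domain(cookie: Cookie, setting_host: str) -> bool:
    """Audit check: the cookie's Domain is a parent of the host that set it.

    This is the condition Aaron describes: a cookie set by mail.google.com
    but scoped to google.com reaches every other google.com subdomain.
    Note that HttpOnly limits script access but does not narrow the scope.
    """
    return not cookie.host_only and cookie.domain != _norm(setting_host)


if __name__ == "__main__":
    setter = "mail.google.com"
    hosts = ["mail.google.com", "somewhere.google.com", "evilgoogle.com"]
    # Constructed headers: the weak (parent-domain) scope beside the narrow one.
    for hdr in ("sessionid=abc123; Domain=.google.com; Path=/; Secure; HttpOnly",
                "sessionid=abc123; Domain=mail.google.com; Path=/; Secure; HttpOnly",
                "sessionid=abc123; Path=/; Secure; HttpOnly"):
        c = parse_set_cookie(hdr, setter)
        print(f"{hdr!r}\n  scope={c.domain} host_only={c.host_only} "
              f"reaches={hosts_receiving(c, hosts)} "
              f"wider_than_setter={scoped_to_parent_domain(c, setter)}")
```

Running the block shows the parent-domain cookie reaching somewhere.google.com while the two narrower forms stay on mail.google.com; the audit helper is the check to run over a service's Set-Cookie headers to catch the first case.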
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/