[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Google / GMail bug, all accounts vulnerable
- From: "jipe foo" <foojipe@xxxxxxxxx>
- Date: Wed, 12 Dec 2007 12:07:23 +0100
2007/12/12, Kristian Erik Hermansen <kristian.hermansen@xxxxxxxxx>:
> On Dec 11, 2007 6:25 PM, coderman <coderman@xxxxxxxxx> wrote:
> > favicons are handy
> >
> > ... even if handled quite differently between browser types/versions.
Hi,
> Bingo to coderman, the only security dude here who gets it. You would
> be surprised the number of ridiculous personal emails I got regarding
> this issue. Crowd SuRFing is here to stay...
Hum... am I missing the point or is that just a matter of redirection
with the favicon (and the Gmail logout CRSF is not really new...) ?
I get approximately the same behavior by just putting a simple
redirection in an apache .htaccess [1].
Moreover just switching between tabs does not log me off on my system
[2] (as it does not reload the nasty icon...).
1. Redirect 301 /favicon.ico http://mail.google.com/mail/?logout
2. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204
Ubuntu/7.10 (gutsy) Firefox/2.0.0.11
Best,
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/