Proof of concept released for Google Gmail CSRF flaw

A vulnerability in Google's Gmail that enables cross-site request forgery (CSRF) attacks has been recognized since 2007, but a proof-of-concept (PoC) was just released Tuesday.

By successfully exploiting this vulnerability, an attacker could modify a Gmail user's password, cause a selective denial-of-service (DoS) or access the email of other Gmail users, according to a vulnerability disclosure post from Internet Security Auditors (ISecAuditors).

The vulnerability was first discovered by Vicente Aguilera Diaz, a researcher at ISecAuditors in July 2007, and Google has known about it since August of the same year. 

Gmail's “change password” feature is vulnerable to CSRF because the only credential the request carries is the session cookie, which the browser attaches automatically to any request sent to Gmail, whichever page originated it, the vulnerability disclosure states. Nothing in the request proves that it was submitted from a Gmail page rather than from a site the attacker controls.

The PoC shows that an attacker can exploit this flaw by building a malicious webpage that submits requests to Gmail's “change password” functionality. The attacker then sends an email to the victim's Gmail account, luring the user to that page through social engineering. If the user is logged in to Gmail when they visit it, the page can submit the change-password form on their behalf, with the browser supplying the session cookie. Because that form is not protected by a CAPTCHA, the page can also submit it repeatedly with guesses at the user's current password, sidestepping the CAPTCHA restrictions on the authentication form, according to the vulnerability disclosure.
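To make the mechanism concrete, here is an added example that is not code from Google, ISecAuditors or the PoC. It simulates a change-password endpoint in two configurations: one where the session cookie alone authenticates the request (the flaw described above), and a hardened one that also demands a per-session anti-CSRF token and checks the Origin header. The attacker page is modelled as cross-site POSTs carrying the victim's cookie and a short password wordlist. The service origin `mail.example`, the handler and helper names, the account and the wordlist are all assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the mail service's backend (assumption).
USERS = {"victim": "hunter2"}            # user -> current password
SESSIONS = {}                            # session cookie value -> {"user", "csrf"}
SITE_ORIGIN = "https://mail.example"     # assumed origin of the mail service


def login(user, password):
    """Return a fresh session cookie value and bind a per-session CSRF token to it."""
    if not hmac.compare_digest(USERS.get(user, ""), password):
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def csrf_token_for(sid):
    """The value the legitimate change-password page embeds as a hidden form field."""
    return SESSIONS[sid]["csrf"]


def handle_change_password(req, hardened):
    """Server-side handler. `req` is a dict with keys cookies, headers, form.

    hardened=False reproduces the flaw: the session cookie alone authenticates the
    request, and the browser attaches that cookie to cross-site POSTs as well.
    hardened=True additionally requires the per-session token, which only a page
    served from SITE_ORIGIN can read, and rejects requests with a foreign Origin.
    Returns (status, message).
    """
    session = SESSIONS.get(req["cookies"].get("SID"))
    if session is None:
        return 401, "not logged in"
    form = req["form"]
    if hardened:
        origin = req["headers"].get("Origin")
        if origin is not None and origin != SITE_ORIGIN:
            return 403, "cross-site request rejected (Origin)"
        if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
            return 403, "missing or wrong CSRF token"
    user = session["user"]
    # The form carries the current password (as the article and Google's statement
    # imply). A wrong guess is simply refused, with no CAPTCHA, which is what lets
    # an attacker page try one guess after another.
    if not hmac.compare_digest(USERS[user], form.get("old", "")):
        return 400, "current password incorrect"
    USERS[user] = form["new"]
    return 200, "password changed"


def browser_cross_site_post(sid, form):
    """Model a POST auto-submitted by a page on attacker.example while the victim is
    logged in: the browser attaches the session cookie, but the attacker's page
    cannot read the token embedded in the real change-password page."""
    return {"cookies": {"SID": sid},
            "headers": {"Origin": "https://attacker.example"},
            "form": form}


def attack(sid, guesses, hardened):
    """The attacker page cycles through candidate current passwords.
    Returns the guess that succeeded, or None."""
    for guess in guesses:
        req = browser_cross_site_post(sid, {"old": guess, "new": "attacker-chosen"})
        status, _ = handle_change_password(req, hardened)
        if status == 200:
            return guess
    return None


def run_demo():
    """Run the attack against both configurations and a legitimate same-origin change."""
    results = {}
    guesses = ["password", "123456", "hunter2", "letmein"]   # constructed wordlist

    USERS["victim"] = "hunter2"
    sid = login("victim", "hunter2")
    results["vulnerable_hit"] = attack(sid, guesses, hardened=False)
    results["vulnerable_new_pw"] = USERS["victim"]

    USERS["victim"] = "hunter2"
    sid = login("victim", "hunter2")
    results["hardened_hit"] = attack(sid, guesses, hardened=True)

    legit = {"cookies": {"SID": sid},
             "headers": {"Origin": SITE_ORIGIN},
             "form": {"old": "hunter2", "new": "correct horse",
                      "csrf": csrf_token_for(sid)}}
    results["legit_status"] = handle_change_password(legit, hardened=True)[0]
    return results


if __name__ == "__main__":
    print(run_demo())
```

Against the cookie-only handler the third guess lands and the password becomes `attacker-chosen`; against the hardened handler every cross-site request is refused before the password is even examined, while the same-origin submission carrying the token still succeeds. The token is the decisive control: an Origin check alone is weaker because older clients may omit the header. A CAPTCHA or rate limit on the change-password form would blunt the guessing but would not remove the forgery itself.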

A Google spokesman, however, said this attack would be difficult to pull off.

"We've been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user's password within the period that the user is visiting a potential attacker's site,” a Google spokesman told SCMagazine US.com Wednesday.

“We haven't received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue,” the spokesman said. “We always encourage users to choose strong passwords, and we have an indicator to help them do this."