Proof of concept released for Google Gmail CSRF flaw
By successfully exploiting this vulnerability, an attacker could modify a Gmail user's password, cause a selective denial-of-service (DoS) or access the email of other Gmail users, according to a vulnerability disclosure post from Internet Security Auditors (ISecAuditors).
The vulnerability was first discovered by Vicente Aguilera Diaz, a researcher at ISecAuditors in July 2007, and Google has known about it since August of the same year.
Gmail is vulnerable to CSRF attacks in the “change password” feature, because the only token necessary to authenticate a user is a session cookie, which is sent automatically by the browser, the vulnerability disclosure states.
The PoC shows that an attacker can exploit this flaw by creating a specially designed malicious webpage that accepts requests from Gmail's “change password” functionality. The attacker then sends an email to the victim's Gmail account, potentially luring the user to this malicious page via social engineering. When a user visits the attack page, if they are authenticated in Gmail, it's possible for an attacker to change their password, thereby evading the CAPTCHA restrictions on the authentication form, according to the vulnerability disclosure.
A Google spokesman, however, said this attack would be difficult to pull off.
"We've been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user's password within the period that the user is visiting a potential attacker's site,” a Google spokesman told SCMagazine US.com Wednesday.
“We haven't received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue,” the spokesman said. “We always encourage users to choose strong passwords, and we have an indicator to help them do this."