Proof of concept released for Google Gmail CSRF flaw

Share this article:
A vulnerability in Google's Gmail that enables cross-site request forgery (CSRF) attacks has been recognized since 2007, but a proof-of-concept (PoC) was just released Tuesday.

By successfully exploiting this vulnerability, an attacker could modify a Gmail user's password, cause a selective denial-of-service (DoS) or access the email of other Gmail users, according to a vulnerability disclosure post from Internet Security Auditors (ISecAuditors).

The vulnerability was first discovered by Vicente Aguilera Diaz, a researcher at ISecAuditors in July 2007, and Google has known about it since August of the same year. 

Gmail is vulnerable to CSRF attacks in the “change password” feature, because the only token necessary to authenticate a user is a session cookie, which is sent automatically by the browser, the vulnerability disclosure states. 

The PoC shows that an attacker can exploit this flaw by creating a specially designed malicious webpage that accepts requests from Gmail's “change password” functionality. The attacker then sends an email to the victim's Gmail account, potentially luring the user to this malicious page via social engineering. When a user visits the attack page, if they are authenticated in Gmail, it's possible for an attacker to change their password, thereby evading the CAPTCHA restrictions on the authentication form, according to the vulnerability disclosure.

A Google spokesman, however, said this attack would be difficult to pull off.

"We've been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user's password within the period that the user is visiting a potential attacker's site,” a Google spokesman told SCMagazine Wednesday.

“We haven't received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue,” the spokesman said. “We always encourage users to choose strong passwords, and we have an indicator to help them do this."
Share this article:
You must be a registered member of SC Magazine to post a comment.

Next Article in News

Sign up to our newsletters


More in News

Florida Supreme Court rules warrants a must for real-time cell location tracking

Florida Supreme Court rules warrants a must for ...

The Florida Supreme Court put the kibosh on warrantless real-time tracking using location data obtained from cell phone providers.

Modular malware for OS X includes backdoor, keylogger components

Modular malware for OS X includes backdoor, keylogger ...

The modular malware was named "Ventir," by researchers at Kaspersky.

Fake Dropbox login page nabs credentials, is hosted on Dropbox

Fake Dropbox login page nabs credentials, is hosted ...

Symantec researchers received a phishing email linking recipients to a fake Dropbox login page that is hosted on Dropbox's user content domain and served over SSL.