Proof of concept released for Google Gmail CSRF flaw

A vulnerability in Google's Gmail that enables cross-site request forgery (CSRF) attacks has been recognized since 2007, but a proof-of-concept (PoC) was just released Tuesday.

By successfully exploiting this vulnerability, an attacker could modify a Gmail user's password, cause a selective denial-of-service (DoS) or access the email of other Gmail users, according to a vulnerability disclosure post from Internet Security Auditors (ISecAuditors).

The vulnerability was first discovered in July 2007 by Vicente Aguilera Diaz, a researcher at ISecAuditors, and Google has known about it since August of the same year.

Gmail is vulnerable to CSRF attacks in the “change password” feature, because the only token necessary to authenticate a user is a session cookie, which is sent automatically by the browser, the vulnerability disclosure states. 

The PoC shows that an attacker can exploit this flaw by creating a specially designed malicious webpage that accepts requests from Gmail's “change password” functionality. The attacker then sends an email to the victim's Gmail account, potentially luring the user to this malicious page via social engineering. When a user visits the attack page, if they are authenticated in Gmail, it's possible for an attacker to change their password, thereby evading the CAPTCHA restrictions on the authentication form, according to the vulnerability disclosure.

A Google spokesman, however, said this attack would be difficult to pull off.

“We've been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user's password within the period that the user is visiting a potential attacker's site,” a Google spokesman told SCMagazineUS.com Wednesday.

“We haven't received any reports of this being exploited. Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue,” the spokesman said. “We always encourage users to choose strong passwords, and we have an indicator to help them do this.”
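
A server-side sketch of the weakness the disclosure describes, added here as an example and not taken from the article, ISecAuditors or Google: a change-password handler that trusts the session cookie alone, beside one that requires a session-bound token and caps wrong old-password attempts. The function names, the in-memory session store and the limit of five attempts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # demo key; assumption: kept server-side only
MAX_FAILED = 5                         # assumed cap on wrong old-password attempts

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_pw(password, self.salt)
        self.failed = 0

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_pw(password, self.salt))

def csrf_token(session_id: str) -> str:
    # Bound to the session and delivered inside the form, so unlike the
    # cookie the browser never attaches it to a cross-site request.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def change_password_cookie_only(sessions, sid, old_pw, new_pw) -> str:
    # The pattern the disclosure describes: the cookie alone authenticates.
    acct = sessions.get(sid)
    if acct is None:
        return "no-session"
    if not acct.check(old_pw):
        return "bad-password"          # every cross-site request tests one guess
    acct.pw_hash = hash_pw(new_pw, acct.salt)
    return "changed"

def change_password_hardened(sessions, sid, form_token, old_pw, new_pw) -> str:
    acct = sessions.get(sid)
    if acct is None:
        return "no-session"
    expected = csrf_token(sid).encode()
    if not hmac.compare_digest((form_token or "").encode(), expected):
        return "csrf-rejected"         # rejected before the password is evaluated
    if acct.failed >= MAX_FAILED:
        return "locked"
    if not acct.check(old_pw):
        acct.failed += 1
        return "bad-password"
    acct.pw_hash = hash_pw(new_pw, acct.salt)
    acct.failed = 0
    return "changed"
```

Checking the token before the old password matters: a request without a valid token gets the same answer whether or not the guess was right, so the endpoint cannot be used to test passwords outside the CAPTCHA-protected login form.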