Vulnerability in Gmail

Security experts have revealed a vulnerability in Google's mail service, Gmail.
This is not my area of expertise, so if I make any mistakes they are mine and not the original authors'.

According to the author, the reason for publishing the details is that Google was informed of the risk in August 2007 and has decided not to take any action.
The vulnerability lies in the “Change password” function. The problem is that the authorization for changing the password rests on a session cookie alone, and the browser sends that cookie along with requests triggered by other sites. This is called “Cross-Site Request Forgery” or CSRF (pronounced “sea-surf”, which is fun).

A website carrying this malicious code could, under the right circumstances (i.e. the visitor has logged in to Gmail during the same session and stays on the “evil” website during the whole procedure), use the cookie to change the visitor's password.
Even worse in my opinion, an attacker can confirm that a guessed password is correct by attempting to change it to a simple new password (one that Gmail won't accept): the request fails on the new password rather than on the current one, which tells the attacker the guess was right. That way an attacker could get access to your Gmail account without you knowing it. An actual password change, by contrast, you would of course notice when you could no longer log in.

Google has no record of any use of this vulnerability and says that it is unlikely to be used since the circumstances are so precise. I don't know about you, but I stay logged in to Gmail and other Google services all the time while browsing (Gmail Chat anyone?). I just don't see why they don't change it: as far as I understand, it would be enough to add an extra authentication step (i.e. ask for the password again) to render the exploit useless, so why not, Google?
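To make the suggested fix concrete, here is an added example (not code from the original post, nor anything from Google) of a toy change-password handler in two versions: a cookie-only version that is both forgeable and usable as a password-guess oracle, and a hardened version that checks the request's Origin and a per-session CSRF token before looking at any password field, and requires the current password to be entered again. The user name, the origin https://mail.example, the password policy and the in-memory account store are all constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory account store for the example; a real service
# would store a password hash, not the password itself.
USERS = {"alice": {"pw": "correct horse", "session": None}}
OWN_ORIGIN = "https://mail.example"   # assumed origin of the legitimate form


def new_session(user):
    """Log the user in: issue a session carrying a per-session CSRF token."""
    sess = {"user": user, "csrf": secrets.token_hex(16)}
    USERS[user]["session"] = sess
    return sess


def change_password_vulnerable(session, form):
    """Cookie-only authorization: any page that can make the browser send
    the cookie can drive this, and the two distinct errors let it learn
    whether the guessed current password was right without changing it."""
    user = USERS[session["user"]]
    if form["current"] != user["pw"]:
        return "wrong current password"
    if len(form["new"]) < 8:
        return "new password too short"   # reached only if 'current' was right
    user["pw"] = form["new"]
    return "changed"


def change_password_hardened(session, form, origin):
    """Refuse anything not proven to come from our own page before any
    password field is inspected, and use one generic error for every
    authorization failure so a forged request learns nothing."""
    if origin != OWN_ORIGIN:
        return "rejected"
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return "rejected"
    user = USERS[session["user"]]
    # Re-authentication: the current password is required every time.
    if not hmac.compare_digest(form.get("current", ""), user["pw"]):
        return "rejected"
    if len(form["new"]) < 8:
        return "new password too short"
    user["pw"] = form["new"]
    return "changed"
```

In the hardened version a cross-site request fails on the Origin or token check, so the "too short" response that acted as an oracle is only ever seen by a request that came from the service's own page with the current password supplied.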

“Proof-of-Concept” – Seclists

Article (in Swedish) – IDG