Open Source and information security mailing list archives
 
From: QoDSec at gmail.com (QoDS ec)
Subject: GMail logout (not sure if you could call it a vulnerability)

I might have found a little glitch in GMail's invitation system. I was
playing today with GMail and found that if you change the invite
hyperlink to something different you will be logged out from your GMail
session.

For example, consider the following invite link:
http://gmail.google.com/gmail/a-da020f8475-a200b150b3

If you change it to the following:
http://gmail.google.com/gmail/a-da020f8435-a200b150b3
                                            ^^^^^^^^^^^^^
                                         Any of the following digits could change
you will be automatically logged out and as it seems you will have the
login name of the email of the person who did the invitation.

Not sure if there is anything evil you could do about it but just a
minor bug that should be fixed.

Comments appreciated.


QODS ec

QODSec.blogspot.com

