| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Dec 2007 12:07:23 +0100 From: "jipe foo" <foojipe@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Google / GMail bug, all accounts vulnerable 2007/12/12, Kristian Erik Hermansen <kristian.hermansen@...il.com>: > On Dec 11, 2007 6:25 PM, coderman <coderman@...il.com> wrote: > > favicons are handy > > > > ... even if handled quite differently between browser types/versions. Hi, > Bingo to coderman, the only security dude here who gets it. You would > be surprised the number of ridiculous personal emails I got regarding > this issue. Crowd SuRFing is here to stay... Hum... am I missing the point or is that just a matter of redirection with the favicon (and the Gmail logout CRSF is not really new...) ? I get approximately the same behavior by just putting a simple redirection in an apache .htaccess [1]. Moreover just switching between tabs does not log me off on my system [2] (as it does not reload the nasty icon...). 1. Redirect 301 /favicon.ico http://mail.google.com/mail/?logout 2. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204 Ubuntu/7.10 (gutsy) Firefox/2.0.0.11 Best, _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists