Date: Tue, 11 Dec 2007 18:16:22 -0800
From: "Kristian Erik Hermansen" <kristian.hermansen@...il.com>
To: "Aaron Katz" <atkatz@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google / GMail bug, all accounts vulnerable

On Dec 11, 2007 3:01 PM, Aaron Katz <atkatz@...il.com> wrote:
> My strong suspicion is that the original poster simply created a
> JavaScript script in somewhere.google.com, and this JavaScript deleted
> the cookie.  This would work if the session cookie is restricted to
> google.com, which would let any web server in, or content served from
> the google.com domain (or any subdomain).
>
> My note about using NoScript to restrict JavaScript execution to
> mail.google.com reinforces this suspicion.
>
> If my suspicion is correct, then Google did two things.  First, Google
> appears to allow individuals to create personal domain names in
> google.com, and to place arbitrary content in those domains.  This
> first thing probably allowed the original poster to place the
> JavaScript in a location where it could access the google.com cookie.
> Second, Google apparently did not restrict the gmail cookie to
> mail.google.com.  This second thing allowed the JavaScript from the
> personal system at somewhere.google.com to access the cookie.
>
>
> Of course, I only did a cursory glance at the source of the webpage,
> so I may be wrong :)  But, we can be reasonably sure it's not
> exploiting a problem in the browser, since the issue appears to be
> cross-browser.

Well, let me just say that NoScript will not save you here in my
example.  Try this to see how to really mess with your brain...

* Open Firefox 2.x (delete all cookies/cached objects if you like, etc)
* Check an email in Google
* Visit my PoC code page in a new tab
* Click on the Google tab and try to read an email
* Something went wrong...
* Log back into Google
* Browse around your email, or not, doesn't matter
* Merely click on the tab for my PoC webpage
* Something goes wrong again...

Just clicking a tab in Firefox can mess with your Google account?
Details will be released this Friday and will also include an exploit
for Yahoo as well.  Fair warning...
-- 
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."
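As an added example that is not part of this thread: a small Python checker applying RFC 6265 domain matching to Aaron's point above, showing that a session cookie scoped to google.com is delivered to (and readable by scripts on) somewhere.google.com, while one scoped to mail.google.com stays within that host and its subdomains. The Set-Cookie headers, the cookie name SID, the token value and the host list are all constructed for illustration, not taken from Google.

```python
# Added example (not from the thread): audit a Set-Cookie header's Domain
# scope with RFC 6265 domain matching. Headers and hosts below are constructed.

def parse_set_cookie(header: str) -> tuple:
    """Split 'NAME=value; Attr=val; Flag' into (name, {attr: val}); flags map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host matches if identical to, or a subdomain of, cookie_domain."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def hosts_that_receive(header: str, set_by_host: str, candidates: list) -> list:
    """Return the candidate hosts the browser will send this cookie to.

    With a Domain attribute the cookie is a 'domain cookie' shared with every
    subdomain of that domain; without one it is host-only and stays on the
    host that set it. Scripts on a receiving host can read it unless HttpOnly.
    """
    _name, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    if domain:
        return [h for h in candidates if domain_match(h, domain)]
    return [h for h in candidates if h.lower() == set_by_host.lower()]


# Constructed scenario mirroring the thread: which hosts get the session cookie?
HOSTS = ["mail.google.com", "somewhere.google.com", "www.google.com",
         "notgoogle.com", "google.com.evil.example"]
BROAD = "SID=placeholder-token; Domain=google.com; Path=/; Secure; HttpOnly"
NARROW = "SID=placeholder-token; Domain=mail.google.com; Path=/; Secure; HttpOnly"
HOST_ONLY = "SID=placeholder-token; Path=/; Secure; HttpOnly"


def audit(headers: dict) -> dict:
    """Map each labelled header to the hosts from HOSTS that would receive it."""
    return {label: hosts_that_receive(h, "mail.google.com", HOSTS)
            for label, h in headers.items()}


if __name__ == "__main__":
    for label, hosts in audit({"broad": BROAD, "narrow": NARROW,
                               "host-only": HOST_ONLY}).items():
        print(f"{label:10s} -> {', '.join(hosts)}")
```

The broad header reaches every google.com subdomain, including the user-controlled one; the narrow and host-only forms confine it to the mail host.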

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/