lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060516204828.18629.qmail@securityfocus.com>
Date: 16 May 2006 20:48:28 -0000
From: dan@...hology.washington.edu
To: bugtraq@...urityfocus.com
Subject: Gmail/Gtalk web client DoS


Gmail/Gtalk web client DoS

Summary

It is trivial to freeze the browser of a known user who is currently using Gmail with the Gtalk feature enabled.  This could lead to a denial of service attack against any user of Gmail who is using the web client.

Technical Details

Gtalk within Gmail converts some incoming emoticons into animated gifs.  Sending a large quantity at once will cause the recipient's browser to lock up until the message is fully converted.  With relatively few (100) emoticons, you can freeze a browser for a few minutes.  Larger quantities, or multiple messages could extend this time indefinitely.  If the Gmail web client is used to send the message, the sender's browser will also lock up.

The standalone Google Talk client for Windows does not suffer from this problem, and is the easiest way to send the messages to a target.  In theory, any properly configured Jabber client could be used.  Conceivably, modified Jabber clients could be configured to run a widespread DoS attack against active Gmail users at a low cost to the attacker, since the message size is small and requires little bandwidth. 

Known Affected Browsers:
Firefox 1.5.0.3
Internet Explorer 6.0
Internet Explorer 7.0 Beta 2
Seamonkey 1.0

Known Unaffected Browsers: 
Safari 1.3.2

Any browser which the Gtalk client does not run in will be unaffected.


Workaround

Disabling the Gtalk feature while using Gmail will protect a user, at the cost of the ability to chat.

Credits

Special thanks to Kevin Fleming for help research this issue.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ