[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1088968244.40e8563427778@www.mailsurf.com>
From: amforward at mailsurf.com (amforward@...lsurf.com)
Subject: Gmail Information Disclosure Vulnerability
Brief
--------------
While I was playing with Gmail, I found a bug that may disclose
information about the users currently attempting to register a new
Gmail account. This seems to be a vulnerability with low severity (at
least until now).
CheckAvailability Script
--------------
In the registration page, the "Check Availability" button queries a
certain script, namely /accounts/CheckAvailability. The script takes
the desired username, and checks if it is available. If it is not
available, it suggests other usernames by contactenating, for example,
your last name to it.
The Problem
--------------
There seems to be a thread-safety problem with CheckAvailability
script. When the script is under heavy stress, it may return answers
to queries that are not yours, revealing others' desired usernames,
and first and last names.(see attached screen shot)
Reproduction
--------------
To reproduce it, you should:
AND
a. Have a valid Gmail invitation
b. Frequently Invoke CheckAvailability by
~ OR
~ 1. Creating a tool that automates the script invocation.
~ 2. Having the patience and keep clicking the button frequently (this
works too!).
I have not yet carefully studied the script, but I think it might not
be a problem with this script only, but others as well. Your thoughts
are appreciated.
Regards,
Ahmed Motaz
------------------------------------------------------
Mailsurf.com your communication portal for SMS,
Email, Fax, E-Cards and more. www.mailsurf.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gmail-screenshot.gif
Type: image/gif
Size: 11389 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040704/c4224592/gmail-screenshot.gif
Powered by blists - more mailing lists