From: enune at fribble.net (Calum Power)
Subject: Slashdot: Gmail Accounts Vulnerable to XSS Exploit

Once again, a perfect example of the media misconstruing a security
vulnerability. XSS holes are not (as we all know) an immediate bypass for
any authentication. It can be used, with a bit of work, to steal
cookies/authentication data from unexpecting users, NOT as an immediate
break-into-accounts kiddie tool.

IMHO The Register describes this story much better -
http://www.theregister.co.uk/2004/10/29/gmail_vuln/

"Using a hex-encoded XSS link, the victim's cookie file can be stolen by a
hacker, who can later use it to identify himself to Gmail as the original
owner of an email account"

However, the interesting thing I found about this article was this line:
"regardless of whether or not the password is subsequently changed"

Does Gmail use some sort of static security key?
Does anyone have any further details on the security implemented by Google
in their new service?

Cheers,
Calum
--
Calum Power
- Cultural Jammer
- Security Enthusiast
- Hopeless Cynic
enune@...bble.net
http://www.fribble.net

> "A security hole in GMail has been found (an XSS vulnerability) which
> allows access to user accounts without authentication. What makes the
> exploit worse is the fact that changing passwords doesn't help. The full
> details of the exploit haven't been disclosed"
> http://slashdot.org/article.pl?sid=04/10/29/1830247
> --
> Shoshannah Forbes
> http://www.xslf.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
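
The "regardless of whether or not the password is subsequently changed" behaviour quoted above is what you get when a session cookie is not tied to the current credential. The following is an added example, not part of the original post and not a description of Gmail's implementation: it contrasts a cookie signed only over the user name with one bound to a per-user credential generation that a password change bumps. All names (`Accounts`, `issue_static`, `issue_bound`, `SERVER_KEY`) and the sample user are constructed for illustration.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side signing key

class Accounts:
    """Constructed toy account store (hypothetical, not any real service's design)."""
    def __init__(self):
        self.users = {}  # user -> {"salt", "pw", "gen"}

    def set_password(self, user, password):
        rec = self.users.setdefault(user, {"gen": 0})
        rec["salt"] = secrets.token_bytes(16)
        rec["pw"] = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        rec["gen"] += 1  # each password change starts a new credential generation

def _sign(msg):
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).hexdigest()

def issue_static(user):
    # Weak: the cookie depends only on the user name and a long-lived server key.
    return f"{user}|{_sign(user)}"

def check_static(accounts, cookie):
    user, _, sig = cookie.partition("|")
    return user in accounts.users and hmac.compare_digest(sig, _sign(user))

def issue_bound(accounts, user):
    # Hardened: the signed cookie also carries the credential generation.
    gen = accounts.users[user]["gen"]
    return f"{user}|{gen}|{_sign(f'{user}|{gen}')}"

def check_bound(accounts, cookie):
    parts = cookie.split("|")
    if len(parts) != 3 or parts[0] not in accounts.users:
        return False
    user, gen, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{user}|{gen}")):
        return False
    return gen == str(accounts.users[user]["gen"])  # stale generation -> rejected

def demo():
    acc = Accounts()
    acc.set_password("alice", "old-password")
    stolen_static = issue_static("alice")      # copies an attacker might hold
    stolen_bound = issue_bound(acc, "alice")
    acc.set_password("alice", "new-password")  # victim changes the password
    return check_static(acc, stolen_static), check_bound(acc, stolen_bound)
```

`demo()` returns whether each previously issued cookie is still accepted after the password change: the static one is, the generation-bound one is not.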
