lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <39128.203.22.23.198.1099180456.squirrel@203.22.23.198>
From: enune at fribble.net (Calum Power)
Subject: Slashdot: Gmail Accounts Vulnerable to XSS 
     Exploit

Once again, a perfect example of the media misconstruing a security
vulnerability. XSS holes are not (as we all know) an immediate bypass for
any authentication. It can be used, with a bit of work, to steal
cookies/authentication data from unexpecting users, NOT as an immediate
break-into-accounts kiddie tool.

IMHO The Register describes this story much better -
http://www.theregister.co.uk/2004/10/29/gmail_vuln/

"Using a hex-encoded XSS link, the victim's cookie file can be stolen by a
hacker, who can later use it to identify himself to Gmail as the original
owner of an email account"

However, the interesting thing I found about this article was this line:
"regardless of whether or not the password is subsequently changed"

Does Gmail use some sort of static security key?
Does anyone have any further details on the security implemented by Google
in their new service?

Cheers,
Calum
--
Calum Power
- Cultural Jammer
- Security Enthusiast
- Hopeless Cynic
enune@...bble.net
http://www.fribble.net

> "A security hole in GMail has been found (an XSS vulnerability) which
> allows access to user accounts without authentication. What makes the
> exploit worse is the fact that changing passwords doesn't help. The full
> details of the exploit haven't been disclosed"
> http://slashdot.org/article.pl?sid=04/10/29/1830247
> --
> Shoshannah Forbes
> http://www.xslf.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ