| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4ef5fec60712120655g18c9a412ge47f7ec9b6d8ae59@mail.gmail.com> Date: Wed, 12 Dec 2007 06:55:41 -0800 From: coderman <coderman@...il.com> To: "jipe foo" <foojipe@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Google / GMail bug, all accounts vulnerable On Dec 12, 2007 3:07 AM, jipe foo <foojipe@...il.com> wrote: > ... > Hum... am I missing the point or is that just a matter of redirection > with the favicon (and the Gmail logout CRSF is not really new...) ? > Moreover just switching between tabs does not log me off on my system > [2] (as it does not reload the nasty icon...). this is very dependent on browser version as cache behavior for the favicon varies quite a bit. to force an example, clear your cache and then navigate over the tab with the bad favicon. in some ffox versions these icons are regularly loaded even when not viewing the page, or other activities which may reference the favicon (bookmarks, etc). it's not really new, but the nice trick here is that all scripting can be disabled, a paranoid proxy in place, and still the icon(s) will be requested, and the fast redirect effective. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists