[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2962.65.88.218.157.1197494848.squirrel@slashmail.org>
Date: Wed, 12 Dec 2007 16:27:28 -0500 (EST)
From: "Steven Adair" <steven@...urityzone.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Google / GMail bug, all accounts vulnerable
Glad to see we figured it out. :) Yes, "Cross Site Request Forgery" would
be the correct term referenced by the acronym in all of the replies
(subsequently also the first result in a normal Google query). I'm still
not quite sure what the big deal on the favicon stuff in terms of this
issue. So lets say you completely disabled favicons altogether. Now when
you visit the original PoC - it no longer works. However, if you simply
had a 302 or mod_rewrite rule for any image that you actually had written
into the source of your page, you could achieve the same result.
Maybe the favicon.ico method is slightly transparent to the user as it's
not present when you view the source. However, you could be almost as
sneaky by only throwing a redirect to the Google logout page if the
referer field includes your root page. Otherwise if the user directly
requests it.. it displays a real image.
Explain to me what I am missing here.
> On Wednesday 12 December 2007 08:05:35 Steven Adair wrote:
>> You aren't really able to take action on Google's site per the
>> real definition of CSRF.
>
> CRSF: Canadian Rope Skipping Federation (Google's "I'm feeling lucky")
> Center for Research on Sustainable Forests
> Canadian Rhodes Scholars Foundation
> CReative Santa Fe
> Consolidated Rail System Federation
>
> I keep wondering when people on this thread will discuss the relative
> merits
> of various rope materials? That is the "real definition" isn't it? ;)
>
> On a more serious note, I agree with the question; it doesn't sound like a
> full cross site request forgery. Still Coderman's reply to your questions
> lead me to search for information on the Firefox
> "browser.chrome.favicons."
> That lead to this bit of information:
>
> "Caveats
>
> " * browser.chrome.site_icons must be true for this preference to have
> an
> effect.
> " * Conversely, browser.chrome.site_icons should be false when this
> preference is false to disable site icons and favicons completely."
>
> http://kb.mozillazine.org/Browser.chrome.favicons
>
> Given Coderman's statement about meeting "fortuitously in a black hat
> tryst,"
> I set both to false. Thanks all for the info.
>
> And for those people, like myself, who aren't up on all the acronymns,
> here is
> a link for CRSF:
>
> https://secure.wikimedia.org/wikipedia/en/wiki/Csrf
>
> --
> Hawaiian Astronomical Society: http://www.hawastsoc.org
> HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists