Flaws in Google Services Encourage Phishers to Create Spoof Pages
According to a demonstration given by Adrian Pastor, a security expert at GNUCitizen, Google's Gmail service has a number of vulnerabilities that could allow phishers to easily create genuine-looking spoof pages with which they could steal users' account credentials, as reported by ITWeb on October 13, 2008.
Pastor further said that Google Calendar and other sophisticated Google services are vulnerable to similar deception.
Pastor also posted a frame-injection proof-of-concept example against Google on the GNUCitizen blog. He explained that the frame injection works by putting the URL of a third party's website in the "targeturl" parameter of the site address in place of an actual contact page.
The proof-of-concept example crafts a legitimate-looking Gmail login page that could be used to launch phishing attacks against users. If a user fills in a username and password and clicks "submit", the login details go to a third-party page that the attacker controls.
Furthermore, Pastor said that the attacker was able to display an illegitimate third-party page even though the actual domain (mail.google.com in this case) was displayed in the address bar. According to Pastor, the beauty of frame-injection attacks is that they impersonate a reliable entity without having to bypass XSS/HTMLi filters, or even to hack into the targeted server, as reported by SCMagazine on October 13, 2008.
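The mitigation for this class of flaw is to stop treating the frame target as free-form input. The following is an added example, not code from Pastor's proof of concept or from Google: it contrasts an unchecked "targeturl" handler with an allowlist check, and every origin, path and function name in it is hypothetical.

```javascript
// Added example. "targeturl" is the parameter named in the article; the
// origins, paths and function names below are hypothetical.
const PAGE_ORIGIN = "https://mail.example.test";
const ALLOWED_FRAME_ORIGINS = new Set([PAGE_ORIGIN, "https://help.example.test"]);
const FALLBACK_FRAME_URL = PAGE_ORIGIN + "/contact";

// Build a page URL carrying a given targeturl value (constructed test input).
const pageFor = (target) =>
  PAGE_ORIGIN + "/page?targeturl=" + encodeURIComponent(target);

// Weak pattern: the query-string value becomes the frame source unchanged,
// so the address bar keeps the trusted host while the frame shows any site.
function frameSrcUnchecked(pageUrl) {
  return new URL(pageUrl).searchParams.get("targeturl");
}

// Hardened pattern: resolve the value as a browser would, then require
// https, no userinfo, and an origin on the allowlist.
function frameSrcChecked(pageUrl) {
  const raw = new URL(pageUrl).searchParams.get("targeturl");
  if (!raw) return FALLBACK_FRAME_URL;
  let resolved;
  try {
    resolved = new URL(raw, PAGE_ORIGIN); // handles "/path", "//host", "\\host"
  } catch (err) {
    return FALLBACK_FRAME_URL;
  }
  if (resolved.protocol !== "https:") return FALLBACK_FRAME_URL;
  if (resolved.username || resolved.password) return FALLBACK_FRAME_URL;
  if (!ALLOWED_FRAME_ORIGINS.has(resolved.origin)) return FALLBACK_FRAME_URL;
  return resolved.href;
}

// Defence in depth: a Content-Security-Policy header value that stops the
// browser framing anything off the allowlist even if a check is missed.
function frameSrcPolicy() {
  return "frame-src " + [...ALLOWED_FRAME_ORIGINS].join(" ");
}

// Constructed samples: one legitimate value, then lookalike forms.
const SAMPLES = [
  "/contact", "https://other.example.net/login", "//other.example.net/login",
  "\\\\other.example.net/login", "javascript:void(0)",
  "https://mail.example.test@other.example.net/login",
];
for (const s of SAMPLES) {
  console.log(s.padEnd(52), "->", frameSrcChecked(pageFor(s)));
}
```

Comparing the parsed origin, not a substring or prefix of the raw string, is what rejects the protocol-relative, backslash and userinfo forms.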
Security specialists said that Pastor's proof-of-concept example exploits a cross-domain web application sharing security loophole in Google's website, identified by Aviv Raff, a security researcher, in April 2008. Raff explained on his blog that Google applications like Google Maps, News and Images, as well as Gmail, could be accessed over multiple sub-domains. In addition, the use of Google bugs in combination with other flaws could pose serious problems.
Meanwhile, commenting on the problem, a Google spokesperson said that the company is aware of the possible impact of such behavior when services are hosted across many domains. Further, Google restricts this behavior wherever it expects associated security problems, as reported by SCMagazine on October 13, 2008.
» SPAMfighter News - 21-10-2008