Gmail CSRF Vulnerability with Corresponding Proof-of-concept
A CSRF (Cross-Site Request Forgery) flaw in Google's Gmail, which leaves the widely used e-mail service open to attack, has been known since 2007, but a proof-of-concept for the flaw was released on March 3, 2009.
When a Gmail account owner visits a page that triggers the attack, the attacker can potentially change that user's password. As a result, the attacker is able to bypass the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) limits on account authentication, said IsecAuditors, Auditors of Internet Security, in their vulnerability disclosure.
Security experts said that CSRF attacks are both dangerous and tricky. People also sometimes mistake CSRF attacks for XSS (Cross-Site Scripting) attacks, which are different because they require exploiting the website's code to execute, so that malicious SQL commands or Denial-of-Service commands can be issued on the web page. Once the XSS process completes, a payload such as a Trojan or other malware is installed.
Conversely, CSRF attacks do not require issuing any command on a web page. They are launched automatically, simply by the victim visiting a page that carries the attack. This was exactly the problem with Google.
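The mechanism described above is that the browser attaches the victim's session cookie to any request a third-party page causes it to send, so a state-changing endpoint that trusts the cookie alone will act on a forged request. The following added example (not code from the article, IsecAuditors or Google) models a password-change handler in two forms: a naive one that checks only the session cookie, and a hardened one that additionally requires a per-session synchronizer token, which a cross-site page cannot read, plus the current password, the check Google cited as the reason the issue was not critical. Request shapes, session ids and the in-memory stores are constructed for the demonstration.

```python
import hmac
import hashlib
import secrets

# Constructed per-process key; a real service persists and rotates this.
SECRET_KEY = secrets.token_bytes(32)

# Constructed session table: session cookie value -> username.
SESSIONS = {"sess-alice": "alice"}


def issue_csrf_token(session_id: str, key: bytes = SECRET_KEY) -> str:
    """Derive a token bound to the session; embed it in the real form page only."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def _current_user(request: dict):
    """Resolve the user from the cookie the browser attaches automatically."""
    return SESSIONS.get(request["cookies"].get("session"))


def naive_change_password(request: dict, passwords: dict) -> bool:
    """Vulnerable pattern: the session cookie is the only thing checked, so a
    request triggered by an unrelated page succeeds as long as the user is logged in."""
    user = _current_user(request)
    if user is None:
        return False
    passwords[user] = request["form"]["new_password"]
    return True


def hardened_change_password(request: dict, passwords: dict,
                             key: bytes = SECRET_KEY) -> bool:
    """Rejects cross-site requests: requires a valid synchronizer token and the
    current password in the form body, neither of which a third-party page has."""
    user = _current_user(request)
    if user is None:
        return False
    expected = issue_csrf_token(request["cookies"]["session"], key)
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False  # token missing or not bound to this session
    if request["form"].get("current_password") != passwords.get(user):
        return False  # attacker would have to know the existing password
    passwords[user] = request["form"]["new_password"]
    return True


def forged_request() -> dict:
    """Constructed: what arrives when a logged-in user loads a page that
    auto-submits a form. Cookie present (browser adds it), no token, no current password."""
    return {"cookies": {"session": "sess-alice"},
            "form": {"new_password": "attacker-chosen"}}


def legitimate_request(current_password: str) -> dict:
    """Constructed: the same user submitting the genuine form."""
    return {"cookies": {"session": "sess-alice"},
            "form": {"new_password": "user-chosen",
                     "current_password": current_password,
                     "csrf_token": issue_csrf_token("sess-alice")}}


if __name__ == "__main__":
    store = {"alice": "old-password"}
    print("naive handler, forged request:", naive_change_password(forged_request(), store))
    store = {"alice": "old-password"}
    print("hardened handler, forged request:", hardened_change_password(forged_request(), store))
    print("hardened handler, legitimate request:",
          hardened_change_password(legitimate_request("old-password"), store))
```

The token is tied to the session with an HMAC rather than stored per user, so a leaked token for one session is useless for another, and `hmac.compare_digest` avoids timing differences on the comparison. A `SameSite` cookie attribute is a complementary browser-side defence, but the server-side check is what works regardless of client.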
Meanwhile, a Google spokesman said that the CSRF attack would be hard to block, as reported by SCMagazineUS on March 4, 2009. Although Google had known about the problem for some time, it does not consider the case a critical vulnerability, the spokesman added. The reason given was that for the exploit to succeed, the attacker must correctly guess the user's password within the time the user is on the attacker's site.
Commenting on the technique, Dancho Danchev, independent security advisor and cyber-threat analyst, noted in a post on his own blog that attackers have numerous ways to obtain a Gmail user's password, ranging from simple phishing schemes to more efficient approaches, as reported by ZDNet on March 4, 2009.
Google meanwhile declared that it is trying to mitigate the problem.
» SPAMfighter News - 14-03-2009