Explore the latest news and trends  

Keep yourself up to date with one of the following options:

  • Explore more news around Spam/Phishing, Malware/Cyber-attacks and Antivirus
  • Receive news and special offers from SPAMfighter directly in your inbox.
  • Get free tips and tricks from our blog and improve your security when surfing the net.
Go

Gmail CSRF Vulnerability with Corresponding Proof-of-concept

A CSRF (Cross-Site Request Forgery) flaw in Google's Gmail that makes the widely used e-mail service vulnerable to attacks has been known since 2007, but a proof-of-concept was released for this flaw on March 3, 2009.

When a Gmail account owner accesses the page that may trigger the attack, it potentially allows the attacker to change that user's password. Consequently, the attacker is able to elude the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) limitations for account authentication, said IsecAuditors, Auditors of Internet Security via their vulnerability disclosure.

Security experts said that CSRF attacks are both dangerous and tricky. Also, people sometimes mistake CSRF attacks for XSS (Cross-Site Scripting) attacks, which are different because they require the exploitation of website code for its execution so that malevolent SQL commands or Denial-of-Service commands can be issued on the web page. Subsequently, upon completing the XSS process, the payload such as computer Trojan or other malware is installed.

Conversely, CSRF attacks do not require issuing of any command on a web page. These are launched automatically simply with the victim going to a page that is infused with malware. The problem with Google was exactly this.

Meanwhile, a Google Spokesman said that it would be hard to block the CSRF attack, as reported by SCMagazineUS on March 4, 2009. Although Google knew about the problem for sometime, it does not consider the case as a critical vulnerability, the spokesman added. The reason they gave was that for the exploit to succeed, the attacker must be able to accurately guess the password of a user within the time the user is on the attacker's site, the spokesman related.

Commenting on the technique, Dancho Danchev, Independent Security Advisor and an analyst of cyber threats revealed via a post on his own blog that cyber attackers possess numerous tactics with which they can obtain a Gmail user's password. These range from simple phishing schemes to approaches that are more efficiency-centered, as reported by ZDNet on March 4, 2009.

Google meanwhile declared that it is trying to mitigate the problem.

Related article: Gmail Users at the Mercy of Firefox Exploit

» SPAMfighter News - 14-03-2009

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Exchange Anti Spam Filter
Go back to previous page
Next