« Free Automated Web Application Firewall From Armorlogic | Main | Ruby on Rails Security Cheatsheet »

Google Fixes Gmail Cross-site Request Forgery Vulnerability

"Google has fixed a vulnerability in their Gmail web based email service which would have allowed internet attackers to steal mail messages from users without being noticed.

The attack works by forcing a logged-in user to add a mail filter to their Gmail account, thereby allowing their mail to be forwarded to an external mail address controlled by the attacker. Because the Gmail service did not adequately verify the origin of such requests, it was possible for attackers to create their own web pages that used JavaScript to automatically make such requests on behalf of their victims. In essence, a Gmail user would visit one of these pages and have their account compromised without necessarily realising anything is awry. Only close inspection of the Filters tab in the Gmail Settings menu would reveal what had happened. "

The CSRF FAQ: Cross-site request forgery
Article Link: http://news.netcraft.com/archives/2007/09/30/g..


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!