Monday, September 25, 2006
Google Cross-site Request Forgery
Dwayne C. Litzenberger exposes a Cross-site Request Forgery (XSRF) vulnerability with Google that allows other sites to change your Google language preferences. He explains that this kind of vulnerability occurs “when a website is able to fool a user into doing things on another website that the user wouldn’t actually want to do.” Dwayne offers a sample link which, when clicked, changes your Google homepage to Irish.
With Firefox, I could even reproduce this using a hidden Iframe on a page... this one will make your visitor’s Google homepage speak Elmer Fudd (remove breaks):
<iframe style="display: none" src="http://www.google.com/setprefs?hl=
[Thanks Roger Browne and Ionut Alex. Chitu in the forum!]
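As an added illustration (not code from this post or from Google), the sketch below contrasts a preference handler that acts on any cookie-bearing request with one that requires POST plus a session-bound token. The handler names, the `token` parameter and the sample session and language values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated here for the example


def issue_token(session_id):
    """Token the site embeds in its own preferences form, bound to one session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def set_prefs_unsafe(method, params, session_id, prefs):
    """The pattern the post describes: the session cookie alone authorises the change."""
    prefs[session_id] = params["hl"]
    return 200


def set_prefs_checked(method, params, session_id, prefs):
    """Hardened form: state changes need POST and a token a third-party page cannot read."""
    if method != "POST":
        return 405
    supplied = params.get("token", "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return 403
    prefs[session_id] = params["hl"]
    return 200


def demo():
    sid = "sess-constructed-1"          # constructed session id
    forged = {"hl": "ga"}               # cross-site request: cookie rides along, no token
    legit = {"hl": "ga", "token": issue_token(sid)}  # submitted from the site's own form
    out = {}
    for name, handler, method, params in [
        ("unsafe_forged", set_prefs_unsafe, "GET", forged),
        ("checked_forged_get", set_prefs_checked, "GET", forged),
        ("checked_forged_post", set_prefs_checked, "POST", forged),
        ("checked_legit", set_prefs_checked, "POST", legit),
    ]:
        prefs = {sid: "en"}             # each case starts from English
        status = handler(method, params, sid, prefs)
        out[name] = (status, prefs[sid])
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```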