Google Blogoscoped

Forum

Google Cross-site Request Forgery

Roger Browne [PersonRank 10]

Monday, September 25, 2006
17 years ago · 4,124 views

Slashdot user "Dwonis" drew my attention to a page by Dwayne C Litzenberger where he demonstrates how easy it is to change the Google preferences of a person who visits your website:

http://www.dlitz.net/stuff/xsrf/

Dwayne's example comprises this "harmless-looking" link:
http://www.dlitz.net/stuff/xsrf/poodles/
which when clicked will change your Google language to Irish. Dwayne also provides a link to switch back to English:
http://www.google.com/setprefs?hl=en&submit2=Save%20Preferences%20&prev=http://www.google.com/&q=&submit=Save%20Preferences%20

Ionut Alex. Chitu [PersonRank 10]

17 years ago

So the problem here is that you can change the settings using a GET.

You can also load a URL like this in a hidden iframe, right?

http://www.google.com/setprefs?hl=fr&submit2=Save%20Preferences%20&prev=http://www.google.com/&q=&submit=Save%20Preferences%20
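The weakness both posts describe is a state-changing request that is accepted on a plain GET, with nothing but the automatically attached cookie to prove the user meant it. The following is an added example, not code from the thread or from Google: a toy preference endpoint in the GET-only form beside a hardened one that requires POST plus a token bound to the session cookie. The secret, session id and handler names are constructed for the example; the URL is the "switch back to English" link quoted above.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed for this example: a server secret and the victim's session id.
SERVER_SECRET = b"constructed-server-secret"
VICTIM_SESSION = "sess-1234"

# The "switch back to English" link from the post, as the browser sends it
# when the victim's cookie rides along automatically.
LINK = ("http://www.google.com/setprefs?hl=en&submit2=Save%20Preferences%20"
        "&prev=http://www.google.com/&q=&submit=Save%20Preferences%20")


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session (HMAC, so nothing extra is stored)."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def setprefs_get_only(method: str, url: str, cookies: dict) -> dict:
    """The pattern the thread describes: any GET carrying hl= changes the
    language of whoever's cookie is attached, so a link or iframe suffices."""
    params = parse_qs(urlsplit(url).query)
    if cookies.get("session") and "hl" in params:
        return {"status": 200, "hl": params["hl"][0]}
    return {"status": 400}


def setprefs_hardened(method: str, url: str, cookies: dict, form: dict) -> dict:
    """State changes only on POST, and only with a token tied to the session."""
    if method != "POST":
        return {"status": 405}  # GET stays free of side effects
    session = cookies.get("session")
    if not session:
        return {"status": 401}
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session)):
        return {"status": 403}  # token missing, or minted for another session
    if "hl" not in form:
        return {"status": 400}
    return {"status": 200, "hl": form["hl"]}


def demo() -> dict:
    """Replay the quoted link and a few POST variants against both handlers."""
    cookies = {"session": VICTIM_SESSION}
    own_form = {"hl": "en", "csrf_token": csrf_token(VICTIM_SESSION)}
    return {
        "link_vuln": setprefs_get_only("GET", LINK, cookies),        # flips hl
        "link_hard": setprefs_hardened("GET", LINK, cookies, {}),    # 405
        "forged_post": setprefs_hardened("POST", LINK, cookies, {"hl": "ga"}),  # 403
        "own_form": setprefs_hardened("POST", LINK, cookies, own_form),         # 200
    }
```

A modern deployment would add a `SameSite` attribute on the preference cookie as a second layer, but the token check above is what closes the hole the thread points at.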
