Google Blogoscoped

Forum

Google Cross-site Request Forgery

Roger Browne [PersonRank 10]

Monday, September 25, 2006
3 years ago1,629 views

Slashdot user "Dwonis" drew my attention to a page by Dwayne C Litzenberger where he demonstrates how easy it is to change the Google preferences of a person who visits your website:

dlitz.net/stuff/xsrf/

Dwayne's example comprises this "harmless-looking" link:
dlitz.net/stuff/xsrf/poodles/
which when clicked will change your Google language to Irish. Dwayne also provides a link to switch back to English:
google.com/setprefs?hl=en& ...

Ionut Alex. Chitu [PersonRank 10]

3 years ago #

So the problem here is that you can change the settings using a GET.

You can also load an URL like this in a hidden iframe, right?

google.com/setprefs?hl=fr& ...

This thread is locked as it's old... but you can create a new thread in the forum. 

Forum home

>> More posts

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement
Books about Google on Ebay
Want to make money with your website? AllPosters.com Affiliates Program Advertise here?

 

This site unofficially covers Google™ and more with some rights reserved. You can subscribe to the feed, email your tips and join our forum!