Google Blogoscoped

Monday, September 25, 2006

Google Cross-site Request Forgery

Dwayne C. Litzenberger exposes a Cross-site Request Forgery (XSRF) vulnerability in Google that allows other sites to change your Google language preferences. He explains that this kind of vulnerability occurs “when a website is able to fool a user into doing things on another website that the user wouldn’t actually want to do.” Dwayne offers a sample link which, when clicked, changes your Google homepage to Irish.

With Firefox, I could even reproduce this using a hidden iframe on a page... this one will make your visitor’s Google homepage speak Elmer Fudd (remove breaks):

<iframe style="display: none" src=" xx-elmer&amp;submit2=Save%20Preferences%20&amp;prev= Save%20Preferences%20"></iframe>
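As an added illustration, not code from the original post or from Google, here is a constructed Python model of why the hidden-iframe request works and what the server-side fix looks like: the vulnerable handler honours any request that arrives with the victim's session cookie, while the hardened one accepts only a POST that echoes a per-session token a third-party page cannot read. The `Session`/`Request` classes, the user name and the `csrf_token` field are assumptions; `hl=xx-elmer` is the value from the post.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the state behind a logged-in user's Google cookie.
@dataclass
class Session:
    user: str
    lang: str = "en"
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

# Constructed request: params is the parsed query string or form body.
@dataclass
class Request:
    method: str
    params: dict
    session: Session

def vulnerable_save_prefs(req: Request) -> bool:
    """The pattern the post describes: any request carrying the cookie wins,
    so a GET fired by a hidden iframe changes the victim's language."""
    if "hl" in req.params:
        req.session.lang = req.params["hl"]
        return True
    return False

def hardened_save_prefs(req: Request) -> bool:
    """Same endpoint with a defender's checks: state changes only on POST, and
    the form must echo a per-session token a third-party page cannot read."""
    token_ok = hmac.compare_digest(req.params.get("csrf_token", "").encode(),
                                   req.session.csrf_token.encode())
    if req.method != "POST" or not token_ok or "hl" not in req.params:
        return False
    req.session.lang = req.params["hl"]
    return True

def simulate_iframe_attack(handler) -> str:
    """Victim 'alice' (constructed) visits a page whose hidden iframe sends a
    GET with hl=xx-elmer; returns her language preference afterwards."""
    victim = Session(user="alice")
    forged = Request("GET", {"hl": "xx-elmer", "submit2": "Save Preferences"}, victim)
    handler(forged)
    return victim.lang

def simulate_legit_save(handler, new_lang: str = "ga") -> str:
    """The user submits the site's own preferences form, which carries the token."""
    s = Session(user="alice")
    handler(Request("POST", {"hl": new_lang, "csrf_token": s.csrf_token}, s))
    return s.lang
```

Run `simulate_iframe_attack` against both handlers to see the forged GET flip the vulnerable user's language while the hardened endpoint leaves it untouched; the legitimate form submission succeeds against both.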

[Thanks Roger Browne and Ionut Alex. Chitu in the forum!]

