Google Blogoscoped

Monday, September 25, 2006

Google Cross-site Request Forgery

Dwayne C. Litzenberger describes a Cross-site Request Forgery (XSRF, also written CSRF) vulnerability in Google's preferences page that allows any other site to change your Google language preference. He explains that this kind of vulnerability occurs “when a website is able to fool a user into doing things on another website that the user wouldn’t actually want to do.” It works because the browser attaches your Google cookie to any request it sends to google.com, whoever triggered it, and the preferences page accepts the change from a plain GET request with nothing in it that a third-party site could not have guessed. Dwayne offers a sample link which, when clicked, changes your Google homepage to Irish.

With Firefox, I could even reproduce this using a hidden iframe on a page... this one will make your visitor’s Google homepage speak Elmer Fudd:

<iframe style="display: none" src="http://www.google.com/setprefs?hl=xx-elmer&amp;submit2=Save%20Preferences%20&amp;prev=http://www.google.com/&amp;q=&amp;submit=Save%20Preferences%20"></iframe>

[Thanks Roger Browne and Ionut Alex. Chitu in the forum!]
