http://www.securiteam.com/securitynews/5ZP010UQKK.html
<<... GMail is vulnerable to CSRF attacks in the "Change Password" functionality. The only token for authenticating the user is a session cookie, and this cookie is sent automatically by the browser in every request...>>
Interesting part is the time line:
July 30, 2007: Vulnerability acquired by Internet Security Auditors.
August 1, 2007: Initial notification sent to the Google security team.
August 1, 2007: Google security team requests additional information about the vulnerability and starts reviewing it.
August 13, 2007: Request information about the status.
August 15, 2007: Google security team responds that they are still working on this.
September 19, 2007: Request for the status. No response.
November 26, 2007: Request for the status. No response.
January 2, 2008: Request for the status. No response.
January 4, 2008: Request for the status. No response.
January 11, 2008: Request for the status. No response.
January 15, 2008: Request for the status. Automated response.
January 18, 2008: Google security team informs that they don't expect the behaviour to change in the short term, giving their justification. We deconstruct those arguments as insufficient. No more responses.
December 30, 2008: Request for the status. Confirmation from Google that they won't change their consideration about this.
January 11, 2009: Publication to Bugtraq. Rejected twice. No reasons.
March 03, 2009: General publication for disclosure in other lists. |
Basically, if you have a strong password you are safe from this. The exploit requires the attacker to guess your current password before they can change it.
If you have a weak password, this attack is only one of your problems. |
It's like saying to the hacker "hey, my previous password was '1234', now find the new one!". It's not a hack, it's a guess... |
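To show what closes the hole the advisory describes (a change-password form authenticated by nothing but the session cookie), here is a minimal server-side handler as an added example; it is not code from the advisory, from Google or from any commenter. It assumes an in-memory session store and plaintext passwords purely to keep the demo short; the point is that a cross-site form post carries the cookie but cannot carry the per-session token, so it is rejected even when the attacker has guessed the current password, and the old-password check then stands as a second layer.

```python
import hmac
import secrets

# Constructed in-memory server state for the example (not a real store).
SESSIONS = {}   # session_id -> {"user": str, "csrf": str}
PASSWORDS = {}  # user -> current password (plaintext only for brevity)


def login(user, password):
    """Create a session and mint a per-session anti-CSRF token."""
    PASSWORDS.setdefault(user, password)
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def change_password(request):
    """Handle a change-password POST and return a status string.

    `request` is a dict with "cookies" (sent automatically by the browser,
    so present on a forged cross-site request too) and "form" (the body a
    third-party page can fill in however it likes).
    """
    session = SESSIONS.get(request.get("cookies", {}).get("sid"))
    if session is None:
        return "unauthenticated"
    form = request.get("form", {})
    # Anti-CSRF check: the token is embedded in the logged-in user's page,
    # never in a cookie, so a cross-origin form post cannot supply it.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return "csrf_rejected"
    # Defence in depth: re-verify the current password before changing it.
    user = session["user"]
    if not hmac.compare_digest(form.get("old", ""), PASSWORDS[user]):
        return "wrong_old_password"
    PASSWORDS[user] = form["new"]
    return "changed"
```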