Google Blogoscoped


Another GMail CSRF Vulnerability

Rohit Srivastwa [PersonRank 10]

Tuesday, March 3, 2009
15 years ago, 2,988 views

<<... GMail is vulnerable to CSRF attacks in the "Change Password" functionality. The only token used to authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request...>>

The interesting part is the timeline:
July 30, 2007: Vulnerability acquired by Internet Security Auditors.
August 1, 2007: Initial notification sent to the Google security team.
August 1, 2007: Google security team requests additional information about the vulnerability and starts reviewing it.
August 13, 2007: Request information about the status.
August 15, 2007: Google security team responds that they are still working on this.
September 19, 2007: Request for the status. No response.
November 26, 2007: Request for the status. No response.
January 2, 2008: Request for the status. No response.
January 4, 2008: Request for the status. No response.
January 11, 2008: Request for the status. No response.
January 15, 2008: Request for the status. Automated response.
January 18, 2008: Google security team informs that they don't expect the behaviour to change in the short term, giving their justification. We deconstruct those arguments as insufficient. No more responses.
December 30, 2008: Request for the status. Confirmation from Google that they won't change their consideration of this.
January 11, 2009: Publication to Bugtraq. Rejected twice. No reasons.
March 03, 2009: General publication for disclosure in other lists.
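The advisory's core claim is that the password-change endpoint accepts a request as long as the session cookie is present, and the browser attaches that cookie to a form POST regardless of which site submitted it. The toy model below is an added illustration, not the advisory's or Google's code: the session store, the site origin, the cookie name and the attacker origin are all constructed here. It puts a handler that trusts the cookie alone next to one that additionally requires a per-session CSRF token and checks the Origin header, and it also shows the point raised later in the thread, that against the cookie-only handler a cross-site request still has to carry the correct current password.

```python
"""Toy model of a password-change endpoint, constructed for illustration.

Not Gmail's code: the session, password and token stores are in-memory
dicts made up here. It contrasts a handler that trusts the session cookie
alone (the weakness the advisory describes) with one that also demands a
per-session CSRF token and checks the Origin header.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SITE_ORIGIN = "https://mail.example"              # assumed origin of the app
CSRF_SECRET = secrets.token_bytes(32)             # server-side secret for tokens
SESSIONS: Dict[str, str] = {"sess-abc": "alice"}  # cookie value -> user (constructed)


@dataclass
class Request:
    """Subset of an HTTP request relevant here: cookies are what the
    browser attaches automatically, form is the POST body."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None   # Origin header, if the browser sent one


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session: HMAC of the session id under a server
    secret. A site that can make the victim's browser send requests but
    cannot read the victim's page cannot produce it."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password_vulnerable(req: Request, passwords: Dict[str, str]) -> Tuple[int, str]:
    """Trusts the session cookie alone. A cross-site form POST carries the
    cookie, so the only barrier left is knowing the current password."""
    user = SESSIONS.get(req.cookies.get("SID", ""))
    if user is None:
        return 401, "not signed in"
    if req.form.get("old") != passwords[user]:
        return 403, "wrong current password"
    passwords[user] = req.form["new"]
    return 200, "password changed"


def change_password_hardened(req: Request, passwords: Dict[str, str]) -> Tuple[int, str]:
    """Same handler plus two CSRF defences: an Origin check, and a
    per-session token that must be echoed back in the form."""
    session_id = req.cookies.get("SID", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not signed in"
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    token = req.form.get("csrf", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return 403, "missing or invalid CSRF token"
    if req.form.get("old") != passwords[user]:
        return 403, "wrong current password"
    passwords[user] = req.form["new"]
    return 200, "password changed"


def forged_request(guessed_old: str) -> Request:
    """What a form submitted from another site produces: the victim's cookie
    rides along, the token field is absent, Origin is the foreign site."""
    return Request(cookies={"SID": "sess-abc"},
                   form={"old": guessed_old, "new": "attacker-chosen"},
                   origin="https://attacker.example")


def legitimate_request(old: str, new: str) -> Request:
    """Same-origin form that includes the token rendered into the page."""
    return Request(cookies={"SID": "sess-abc"},
                   form={"old": old, "new": new, "csrf": csrf_token_for("sess-abc")},
                   origin=SITE_ORIGIN)


def run_demo() -> Dict[str, int]:
    """HTTP status of each scenario, with a fresh password store each time."""
    out = {}
    out["vuln_wrong_guess"] = change_password_vulnerable(
        forged_request("guess"), {"alice": "long unguessable"})[0]
    out["vuln_weak_pw"] = change_password_vulnerable(
        forged_request("1234"), {"alice": "1234"})[0]
    out["hard_weak_pw"] = change_password_hardened(
        forged_request("1234"), {"alice": "1234"})[0]
    out["hard_legit"] = change_password_hardened(
        legitimate_request("1234", "new one"), {"alice": "1234"})[0]
    return out


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

Running it gives 403 for the forged request with a wrong guess, 200 for the forged request against a weak password on the cookie-only handler, 403 for the same forged request on the hardened handler, and 200 for the legitimate same-origin form. The token check, not the Origin check, is the load-bearing defence: browsers of that era did not always send Origin, which is why the hardened handler refuses a request lacking the token even when Origin is absent.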

Rohit Srivastwa [PersonRank 10]

15 years ago

More details

Juha-Matti Laurio [PersonRank 10]

15 years ago

Google's response:

Roger Browne [PersonRank 10]

15 years ago

Basically, if you have a strong password you are safe from this. The exploit requires the attacker to guess your current password before they can change it.

If you have a weak password, this attack is only one of your problems.

TOMHTML [PersonRank 10]

15 years ago

it's like saying to the hacker "hey, my previous password was '1234', now find the new one!". It's not a hack, it's a guess...
