=============================================
INTERNET SECURITY AUDITORS ALERT 2007-003
- Original release date: August 1st, 2007
- Last revised: January 11th, 2009
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================
I. VULNERABILITY
-------------------------
CSRF vulnerability in GMail service
II. BACKGROUND
-------------------------
Gmail is Google's free webmail service. It comes with built-in Google
search technology and over 2,600 megabytes of storage (and growing
every day). You can keep all your important messages, files and
pictures forever, use search to quickly and easily find anything
you're looking for, and make sense of it all with a new way of viewing
messages as part of conversations.
III. DESCRIPTION
-------------------------
Cross-Site Request Forgery, also known as one click attack or session
riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of
malicious exploit of websites. Although this type of attack has
similarities to cross-site scripting (XSS), cross-site scripting
requires the attacker to inject unauthorized code into a website,
while cross-site request forgery merely transmits unauthorized
commands from a user the website trusts.
GMail is vulnerable to CSRF attacks in the "Change Password"
functionality. The only token that authenticates the user is the
session cookie, and the browser attaches that cookie automatically to
every request sent to GMail, including requests triggered by a page on
another site.
An attacker can create a page that embeds requests to the "Change
Password" functionality of GMail and thereby change the passwords of
users who visit the attacker's page while they are authenticated to
GMail.
The attack is made easier because the "Change Password" request can be
issued with the HTTP GET method instead of the POST method that the
"Change Password" form normally uses, so a hidden frame or similar tag
on the attacker's page is enough to trigger it.
IV. PROOF OF CONCEPT
-------------------------
1. The attacker creates a web page "csrf-attack.html" that issues several
HTTP GET requests to the "Change Password" functionality.
For example, a password-guessing attack of 3 attempts, each request
carrying a different guess in the "OldPasswd" parameter:
...
...
or with hidden frames:
...