Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Gmail Information Disclosure Vulnerability
From: amforward () mailsurf com
Date: Sun, 4 Jul 2004 19:10:44 +0000

Brief
--------------
While I was playing with Gmail, I found a bug that may disclose
information about the users currently attempting to register a new
Gmail account. This seems to be a vulnerability with low severity (at
least until now).

CheckAvailability Script
--------------
In the registration page, the "Check Availability" button queries a
certain script, namely /accounts/CheckAvailability. The script takes
the desired username, and checks if it is available. If it is not
available, it suggests other usernames by contactenating, for example,
your last name to it.

The Problem
--------------
There seems to be a thread-safety problem with CheckAvailability
script. When the script is under heavy stress, it may return answers
to queries that are not yours, revealing others' desired usernames,
and first and last names.(see attached screen shot)


Reproduction
--------------
To reproduce it, you should:

AND
a. Have a valid Gmail invitation
b. Frequently Invoke CheckAvailability by
~  OR
~  1. Creating a tool that automates the script invocation.
~  2. Having the patience and keep clicking the button frequently (this
works too!).


I have not yet carefully studied the script, but I think it might not
be a problem with this script only, but others as well. Your thoughts
are appreciated.

Regards,
Ahmed Motaz

------------------------------------------------------
Mailsurf.com your communication portal for SMS,
Email, Fax, E-Cards and more. www.mailsurf.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault