Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit
From: "Calum Power" <enune () fribble net>
Date: Sun, 31 Oct 2004 13:07:20 +1100 (EST)

Indeed, but surely the cookie information stored should be dependant on
the user's authentication details? It makes sense to use semi-dynamic
cookie information like this, making holes like this one a little more
hard to 'gain and keep' access.


there is a [x] box..

"Don't ask for my password for 2 weeks."

this sets the users cookie. Gmail uses the cookie for authentication.


XSS holes are not (as we all know) an immediate bypass for
any authentication.
right

It can be used, with a bit of work, to steal
cookies/authentication data from unexpecting users, NOT as an immediate
break-into-accounts kiddie tool.
right

However, the interesting thing I found about this article was this line:
"regardless of whether or not the password is subsequently changed"

Does Gmail use some sort of static security key?
Does anyone have any further details on the security implemented by
Google
in their new service?
see above.


m.wood


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]