|
Full Disclosure
mailing list archives
Re: Slashdot: Gmail Accounts Vulnerable to XSS Exploit
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Sat, 30 Oct 2004 18:43:03 -0700
there is a [x] box..
"Don't ask for my password for 2 weeks."
this sets the users cookie. Gmail uses the cookie for authentication.
XSS holes are not (as we all know) an immediate bypass for
any authentication.
right
It can be used, with a bit of work, to steal
cookies/authentication data from unexpecting users, NOT as an immediate
break-into-accounts kiddie tool.
right
However, the interesting thing I found about this article was this line:
"regardless of whether or not the password is subsequently changed"
Does Gmail use some sort of static security key?
Does anyone have any further details on the security implemented by Google
in their new service?
see above.
m.wood
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
 By Date 
By Thread
Current thread:
| 
Intro
