Full Disclosure: Re: Google / GMail bug, all accounts vulnerable

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: Google / GMail bug, all accounts vulnerable

From: "jipe foo" <foojipe () gmail com>
Date: Wed, 12 Dec 2007 12:07:23 +0100

2007/12/12, Kristian Erik Hermansen <kristian.hermansen () gmail com>:

On Dec 11, 2007 6:25 PM, coderman <coderman () gmail com> wrote:

favicons are handy

... even if handled quite differently between browser types/versions.

Hi,

Bingo to coderman, the only security dude here who gets it.  You would
be surprised the number of ridiculous personal emails I got regarding
this issue.  Crowd SuRFing is here to stay...


Hum... am I missing the point or is that just a matter of redirection
with the favicon (and the Gmail logout CRSF is not really new...) ?

I get approximately the same behavior by just putting a simple
redirection in an apache .htaccess [1].

Moreover just switching between tabs does not log me off on my system
[2] (as it does not reload the nasty icon...).

1. Redirect 301 /favicon.ico http://mail.google.com/mail/?logout
2. Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071204
Ubuntu/7.10 (gutsy) Firefox/2.0.0.11


Best,

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Re: Google / GMail bug, all accounts vulnerable, (continued)