CSRF vulnerability in GMail service



anon
05.03.09, 20:55
Cross-Site Request Forgery, also known as one click attack or session
riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a kind of
malicious exploit of websites. Although this type of attack has
similarities to cross-site scripting (XSS), cross-site scripting
requires the attacker to inject unauthorized code into a website,
while cross-site request forgery merely transmits unauthorized
commands from a user the website trusts.

GMail is vulnerable to CSRF attacks in the "Change Password"
functionality. The only token used to authenticate the user is a session
cookie, and this cookie is sent automatically by the browser in every
request.

An attacker can create a page that includes requests to the "Change
password" functionality of GMail and modify the passwords of the users
who, being authenticated, visit the page of the attacker.

The attack is made easier because the "Change Password" request can be
made with the HTTP GET method instead of the POST method that the
"Change Password" form normally uses.

Full Disclosure: [ISecAuditors Security Advisories] CSRF vulnerability in GMail service (http://seclists.org/fulldisclosure/2009/Mar/0029.html)

Scroll down to "disclosure timeline". Seems Google has no plans to fix this :rolleyes:
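The following is an added example, not code from the advisory, from Google, or from anyone in this thread. It models the flaw the post describes (a password change accepted over GET and authenticated by nothing but the session cookie the browser attaches on its own) next to a hardened handler that requires POST, a per-session anti-CSRF token carried in the form body, and the current password. The endpoint path, cookie name, parameter names and account data are all invented for illustration; none of them are Gmail's.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """A request as the server receives it. The browser attaches cookies
    automatically, also to requests that a third-party page triggers."""
    method: str
    path: str
    cookies: dict
    params: dict = field(default_factory=dict)   # query string or form body


@dataclass
class AccountStore:
    """Constructed sample state: one user with a live session (hypothetical)."""
    sessions: dict = field(default_factory=lambda: {"abc123": "victim"})
    passwords: dict = field(default_factory=lambda: {"victim": "correct-horse"})
    csrf_secrets: dict = field(default_factory=dict)

    def csrf_token(self, sid):
        """Per-session anti-CSRF token. The real form embeds it in a hidden
        field, never a cookie, so a foreign page can neither read it
        (same-origin policy) nor make the browser send it."""
        return self.csrf_secrets.setdefault(sid, secrets.token_hex(16))


def vulnerable_change_password(store, req):
    """The pattern the advisory describes: any method is accepted and the
    session cookie is the only proof of who is asking."""
    user = store.sessions.get(req.cookies.get("SID"))
    if user is None:
        return 401
    new = req.params.get("new_password")
    if not new:
        return 400
    store.passwords[user] = new
    return 200


def hardened_change_password(store, req):
    """POST only, token bound to the session, current password re-entered.
    Any one of these checks defeats the forgeries below."""
    if req.method != "POST":
        return 405
    sid = req.cookies.get("SID")
    user = store.sessions.get(sid)
    if user is None:
        return 401
    if not hmac.compare_digest(req.params.get("csrf_token", ""), store.csrf_token(sid)):
        return 403
    if req.params.get("current_password") != store.passwords[user]:
        return 403
    new = req.params.get("new_password")
    if not new:
        return 400
    store.passwords[user] = new
    return 200


VICTIM_COOKIES = {"SID": "abc123"}   # what the victim's browser attaches
PATH = "/settings/password"           # hypothetical endpoint


def forged_requests():
    """What the victim's browser emits while merely rendering the attacker's
    page: <img src="...?new_password=pwned"> yields the GET, an
    auto-submitting <form method=post> yields the POST. Neither can carry
    the victim's CSRF token or current password."""
    return {
        "img_get": Request("GET", PATH, VICTIM_COOKIES, {"new_password": "pwned"}),
        "form_post": Request("POST", PATH, VICTIM_COOKIES, {"new_password": "pwned"}),
    }


def legitimate_request(store):
    """The victim submitting the genuine form from the site itself."""
    return Request("POST", PATH, VICTIM_COOKIES, {
        "csrf_token": store.csrf_token("abc123"),
        "current_password": "correct-horse",
        "new_password": "new-and-chosen",
    })


def demo():
    """Run both handlers and report status codes and resulting passwords."""
    forged = forged_requests()
    weak = AccountStore()
    weak_status = vulnerable_change_password(weak, forged["img_get"])
    strong = AccountStore()
    get_status = hardened_change_password(strong, forged["img_get"])
    post_status = hardened_change_password(strong, forged["form_post"])
    ok_status = hardened_change_password(strong, legitimate_request(strong))
    return {
        "vulnerable_get": weak_status,                 # 200: password silently replaced
        "vulnerable_password": weak.passwords["victim"],
        "hardened_get": get_status,                    # 405: GET refused outright
        "hardened_post_no_token": post_status,         # 403: no token, no current password
        "hardened_legit": ok_status,                   # 200: real form still works
        "hardened_password": strong.passwords["victim"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The token check uses `hmac.compare_digest` so a forged token cannot be guessed byte by byte through timing. Requiring the current password is the check that matters most for this particular function: even if a site ships a token bug later, the attacker's page still has nothing to put in that field.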

SealLion
06.03.09, 01:00
And Google has no plans to fix this...that's really unfortunate, since a few million people use GMail.


and what's really bad is this:


In any case, the attacker evades the restrictions imposed by the
captcha of the authentication form.


This is odd as I don't see any captcha in my
Gmail account when wanting to change the password.

Though, could one not regain their email account via the secret question technique? I am sure one could, unless the attacker gains access and then proceeds to change the question and answer element of the victim's Gmail account.

Though have a look at this:


A user authenticated in GMail visits the "csrf-attack.html" page
controlled by the attacker.

For example, the attacker sends a mail to the victim (a GMail account)
and induces the victim to visit his page (social engineering). This way
the attacker ensures that the victim is authenticated.

3. The password cracking is executed transparently to the victim.


One damn good reason to not open links in spam mail in any account you own, whether it's Gmail or the spam email account that you use for whatever.


And yes, you're right re: Google not going ahead to fix the problem:


August 15, 2007: Google security team responds that they are still
working on this.
September 19, 2007: Request for the status. No response.
November 26, 2007: Request for the status. No response.
January 2, 2008: Request for the status. No response.
January 4, 2008: Request for the status. No response.
January 11, 2008: Request for the status. No response.
January 15, 2008: Request for the status. Automated response.
January 18, 2008: Google security team informs that they don't expect
the behaviour to change in the short term, giving
their justification.
We deconstruct those arguments as insufficient.


and then......


December 30, 2008: Request for the status. Confirmation from Google
they won't change the consideration about this.

Pity......

anon
06.03.09, 17:25
Hi SealLion,

the captcha is seen after a few failed login tries, to verify you're a person and not a bruteforcing robot.

Regarding the secret question, yes, if the attacker changes your password, the secret question, and its answer, he'll effectively have locked you out of your account. But you can still report this to Google's support group, and if you can prove the mailbox is really yours (your IP range has used it before the attacker hacked it, etc.), they'll give it back to you.

SealLion
07.03.09, 01:33
the captcha is seen after a few failed login tries, to verify you're a person and not a bruteforcing robot.



ah, I see. This I wasn't aware of until now actually. Never came across it, yet.