|
Posted by jen on September 27, 2007, 12:32 pm
If you were Registered and logged in, you could reply and use other advanced thread options
> http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
> While being logged into Gmail with the brower interface, IF one opens
> another tab/browser window and stumbles across an 'evil' site, the
> 'evil' site can inject a filter into the Filter List. The attacker can
> then forward emails wherever they want via the filter.
> The above site contains graphics that show how this is accomplished.
>> The attack will remain present for as long as the victim has the
>> filter within their filter list, even if the initial vulnerability,
>> which was the cause of the injection, is fixed by Google.
> Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search
> Appliance
> http://blogs.zdnet.com/security/?p=539
>> The unpatched GMail bug, which was demonstrated for me by hacker
>> Petko D. Petkov, is particularly nasty because of the way the exploit
>> works without any user action and the fact that it’s difficult for
>> the average GMail user to know that e-mails are being stolen.
Simple remedy... Use Firefox with No-Script:
GMail POST Mortem, CSRF Countermeasures and NoScript Misconceptions:
http://hackademix.net/2007/09/26/gmail_csrf/
-jen
| 
XML site map