Gmail Vulnerability: All hype?
Wednesday, November 26th, 2008As far as I know this has not been patched yet.
There is a very simple solution to monitoring this problem. Simply adding your own filter with an alternative email address. I just tested this and while the email is sent away from your inbox, it is sent to both addresses. This way you will atleast have a record, and if you check that address more regularly it will act as a notification system.
The exploit is not quite as glamorous as that article depicts either. It’s a Cross Site Request Forgery vulnerability introduced by an improperly implemented token key-pair. As the author mentions, the token should be changed at each request, rather than each session. As mentioned in the article, both the ‘Session Authorization Key’, the token, and the ‘Unique Account Identifier’, which I assume is something like the session key are required. Neither is trivial. The session key would require a vulnerability, such as Cross Site Scripting or Tracing vulnerability, to be accessed. The token must be read from the page that you are posting ‘from.’ Because of JavaScript’s sandbox, this cannot be done through the use of an iFrame or AJAX request. It must be done from the client’s localhost or the domain, in this case Google.
Obviously it is possible, since Google has responded to the threat and proof has been shown of domains being stolen, but nothing new has happened here. It is simply a clever implementation of a few common tricks.
http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/
http://googleonlinesecurity.blogspot.com/2008/11/gmail-security-and-recent-phishing.html