Beware while using GMail....


Rikin Shah

Dec 26, 2007, 7:35:22 AM12/26/07
to sky...@googlegroups.com


GMail security threat

--
Thanks,
Rikin Shah.

Chinmay Patel

Dec 26, 2007, 1:24:29 PM12/26/07
to sky...@googlegroups.com
Well.. moral of the story... NEVER USE FIREFOX...:P
<Original Post Content Removed to save bandwidth>

Chinmay

Arpan Patelia

Dec 27, 2007, 2:00:33 PM12/27/07
to sky...@googlegroups.com
Does anyone have details on this evil site and gmail threat? It would be interesting to know whether it's a gmail threat or a browser-specific issue.
--
d1g1tally y0urs,
Arp@n.
http://simplyappu.blogspot.com/
---
"LIVING MIGHT MEAN TAKING CHANCES, BUT THEY ARE WORTH TAKING.
 LOVING MIGHT BE A MISTAKE, BUT IT'S WORTH MAKING........"

Chinmay Patel

Dec 27, 2007, 3:32:56 PM12/27/07
to sky...@googlegroups.com
Arey yaar it is browser independent... but as you know, I like to squash F(***)irefox all the time.. I did it. The game here is a cross-site scripting attack: what happens in a tabbed-browsing-enabled browser is that a new tab, or in old-fashioned browsers a child window of the current window, will inherit EVERYTHING from the parent, so it will have direct access to any SESSION your browser had with any WEB RESOURCE. In this case, Gmail, based heavily on AJAX, can be exploited easily if the person knows how to do CERTAIN things.
 
To reproduce this behavior:
1. Open your Gmail A/C.
2. Launch a new window from IE or open a tab.
3. Go to any Web site you like.
4. In the address bar, type gmail.com
5. Instead of the login page, you will be taken to your A/C inbox.
6. NOW.......... think of a smart coder (naah.. not you..:P), having some knowledge of Gmail internals (not so big a deal if you have the time and dedication/passion to do something creative) and DHTML/AJAX (sigh....), who can create a web page that directly calls Gmail AJAX-enabled methods to do SOME thing. So if you open your Gmail A/C and then his web page, his SOME thing will run in your A/C's context.
 
I hope the above explanation makes sense to most of the community members. If you want more information, please feel free to spam the community. :P
 
Also, to mitigate this behavior, ALWAYS copy the link whenever you get a mail that asks you to open some web page, and open it in a new window. I just said ALWAYS 'cause I DON'T trust known websites either.

<<ALL REPETITIVE CRAP REMOVED>>
Chinmay
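The steps above rest on one browser behaviour: the webmail session cookie is attached to every request, whichever tab or child window issues it. This added Python sketch (not Gmail's, Exchange's or this group's code; the store, the origin `https://mail.example` and the request dicts are all constructed here) models a state-changing AJAX endpoint two ways, one that trusts the cookie alone and one that also demands an own-site Origin header and a per-session anti-forgery token, so the request from a page in another tab is refused.

```python
import hmac
import secrets

# Constructed in-memory session store (cookie value -> session data).
# Hypothetical names throughout; this is not Gmail's or Exchange's code.
SESSIONS: dict = {}
OWN_ORIGIN = "https://mail.example"  # assumed origin of the webmail site


def login(user: str) -> str:
    """Create a session; return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def weak_handler(request: dict) -> str:
    """Authorises on the session cookie alone. Every page in the same
    browser (new tab or child window) gets that cookie attached by the
    browser, so a foreign page's request runs in the user's context."""
    sess = SESSIONS.get(request.get("cookie", ""))
    if sess is None:
        return "401 not logged in"
    return f"200 done as {sess['user']}"


def hardened_handler(request: dict) -> str:
    """Same endpoint with two checks a foreign page cannot satisfy: the
    Origin header must be our own site, and the body must carry the
    per-session anti-forgery token only our own page was given."""
    sess = SESSIONS.get(request.get("cookie", ""))
    if sess is None:
        return "401 not logged in"
    if request.get("origin") != OWN_ORIGIN:
        return "403 cross-origin request refused"
    token = request.get("body", {}).get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return "403 missing or wrong anti-forgery token"
    return f"200 done as {sess['user']}"


def demo() -> dict:
    cookie = login("alice")
    # Constructed request from the site's own page: cookie, Origin and token.
    own = {"cookie": cookie, "origin": OWN_ORIGIN,
           "body": {"csrf": SESSIONS[cookie]["csrf"], "action": "forward"}}
    # Constructed request from a page in another tab: the browser attaches the
    # cookie, but the page never saw the token and has a different Origin.
    foreign = {"cookie": cookie, "origin": "https://other.example",
               "body": {"action": "forward"}}
    return {"weak_own": weak_handler(own), "weak_foreign": weak_handler(foreign),
            "hard_own": hardened_handler(own), "hard_foreign": hardened_handler(foreign)}
```

Run `demo()`: the weak endpoint answers 200 to both requests, the hardened one answers 200 only to the site's own page.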

Arpan Patelia

Dec 28, 2007, 1:29:44 PM12/28/07
to sky...@googlegroups.com
Thanks Chinmay for a very nice explanation and steps to reproduce this behaviour. I never thought of it as being an XSS. However, this bug is taking me away from neither GMail nor f(I)r(E)fox.

I believe that this bug has been there for a long time now for other service providers, as I have the M$ Exchange Server webmail feature asking me to close the tab/window I load it into. And if I don't close that tab/window then I can easily reopen my previous session. However, I am not aware of any API stuff that can be used to exploit it. After all, it's closed source.. ;-). Or it has something to do with browser cookies (M$ Exchange webmail case).

Once again thanks a lot for sharing your insights with us.

Kody
http://www.kde.org/

Chinmay Patel

Dec 28, 2007, 11:47:09 PM12/28/07
to sky...@googlegroups.com
You are always welcome Kody. The problem with us is that we (all of us), most of the time, don't ask the right questions and then we cry about wrong answers. Anywayz, this is definitely a very well crafted XSS (pronounced as X - Cross, S - Site, S - Scripting) attack, and as long as the sites use cookies or any other mechanism for that matter to maintain the session, yes, you can use XSS. The same thing goes for Microsoft Exchange Server too. But at Microsoft they use the Anti-XSS Library and if I am not wrong that takes care of this kind of attack very easily. Before they redirect you from the mail they sanitize the link; I will look into this and let you know what exactly goes on behind the scenes, but in Exchange 2007 Web Access, links you open go through a page that opens them in a new window, but before they do it they send it to an intermediate page that clears session info before the actual redirection to the external link happens.
 
Also this is technically not a bug.. or if it's a bug.. it's by design, by nature of the web/HTTP (please don't jump on me.. I am not saying the Web is HTTP).. it is stateless.. and there must be some mechanism to maintain the state, and the side effect is this. Also think of yourself logging in again and again on Gmail to check your emails or even do a simple chat. Hotmail uses URL-based session state (please correct me if I am wrong) but that's a different story altogether. And it has its own set of pros and cons.
 
All I suggest here is if we act with little caution from our end, we will be safe(Hopefully...)
 
Also while writing this, I just got a nice link from my RSS reader. Check it out: Security Vulnerability Research & Defense

Dhruvin Gajjar

Dec 30, 2007, 2:00:58 PM12/30/07
to sky...@googlegroups.com
Excellent Chinmay,
 
I agree with what you have noted here. It's not a bug. It's by design. It's by design of every system. Even in real-world scenarios that happens. Just for example, the recently concluded assembly elections are similar in nature.

 