

CSRF vulnerability found in Gmail; Google not willing to fix it - nickb
http://seclists.org/fulldisclosure/2009/Mar/0029.html

======
cperciva
Not much of a vulnerability -- the attacker still has to guess the victim's
password.

~~~
pmjordan
Only because gmail enforces somewhat safe passwords. Does it look them up in a
dictionary though? You could probably harvest even long-ish dictionary-based
passwords this way if an attacker manages to embed this in a sufficiently high
traffic page.

~~~
tptacek
I don't think you get it. If you could guess a user's password, why would you
bother with this elaborate CSRF attack?

~~~
pmjordan
Fair point. I guess if you had access to a botnet, you could attempt a
similarly broad attack; with this you'd only need access to a popular, less
scrupulous site. (porn, torrent/warez, etc. sites spring to mind)

------
nikblack
not mentioned in the original post is that the change password field also
gives you the option of entering the answer to your 'secret question' rather
than your password as the second token.

you replace the password query params with:

&group1=IdentityAnswer&IdentityAnswer=ANSWER_GUESS

not as improbable to guess since Google do not enforce a standard on the
secret question answer (ie. with 'place you were born' you could just list
major cities and probably get a hit every so often)

if you had access to a high traffic site (thank-you wordpress hax) you would
probably harvest a number of accounts using this in an IFRAME pretty quickly.
you just need to add some javascript to somehow inform you which ones were a
success.

------
extension
I believe the (poorly explained) rationale behind the alert is that the CSRF
allows the attacker to brute force the password without triggering a captcha,
as happens on the main login page after a couple of bad logins.

If you sent out spam containing a CSRF link that tried a dozen or so of the
most common passwords, you might get a few hits, though I don't know why
anyone would bother. Still, if I were Google, I would just fix it.

I'm a bit surprised that Google doesn't have a generic authenticity system for
all of their forms, or if they do, why it would be omitted from this one form.

~~~
tptacek
This all became a moot point when Google supported POP and IMAP, didn't it?

~~~
eli
I'm pretty sure they cut off POP/IMAP access on too many failed attempts and
you have to go to the website.

------
msluyter
I understand that this threat isn't particularly worrisome, but articles like
this one remind me just how dependent I've become on gmail and how vulnerable
as a result. I've now got years of info including everything from purchase
receipts to personal conversations of high sentimental value. If someone were
to either hack my password or simply cause my account to be disabled I'd be
seriously screwed.

I'm now feeling like I need some sort of backup or other protective measure.

------
DenisM
Gmail asks for the old password before allowing you to set a new one, so the
attack script is brute-forcing the password by submitting requests from a
hostile page visited by the victim. It will take 150 million HTTP requests to
brute-force a 6-letter password from 26 possible letters.

I suspect red flags will come up at Google after the first couple million
requests. Or the victim will leave the hostile page he was lured to.

~~~
nebula
If the cracker gets to send a couple million requests per victim, I won't be
surprised if she manages to crack the passwords of many users. Blind brute
force is definitely not the sharpest knife in the drawer; dictionary-based
attacks might prove much more powerful when it comes to cracking the average
Joe's password.

~~~
jrockway
According to this article, Gmail disallows weak passwords. So brute-forcing is
going to be relatively ineffective.

------
tarkin2
If google allows strong passwords such as "Password1" then I'm sure quite a
few users would pick such a simple password, and I'm sure attackers realise
this.

It would be wise if Google forced the user to enter the captcha on password
change.

Disallowing GET would be good as well. Otherwise attackers would have to use
POST, which would mean tricking the user into submitting an HTML form, and I'm
unsure if you can send multiple POST requests per submit.

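The mitigations proposed in this thread (POST only, a CAPTCHA on the password-change form after a few bad guesses, and the generic per-form authenticity token that extension asks about) modelled as a small defender-side handler. This is an added example, not Gmail's code and not posted by any commenter; `Session`, `Request`, `UserRecord`, `change_password`, the PBKDF2 storage and the threshold `MAX_FAILED_BEFORE_CAPTCHA` are all assumed names and values chosen for illustration.

```python
"""Password-change handler hardened against the CSRF-driven guessing attack
discussed in the thread.  Added example, not Gmail's implementation: it models
a request/session pair and enforces three defences the commenters propose:
POST only, a per-session anti-CSRF token, and a failed-attempt counter that
demands a CAPTCHA after a few wrong current-password guesses."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILED_BEFORE_CAPTCHA = 3  # assumed threshold, not Google's actual value


@dataclass
class Session:
    """Server-side session; the CSRF token lives here, never in a cookie alone."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: dict
    captcha_solved: bool = False  # assumed: set by a separate CAPTCHA verifier


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> UserRecord:
    salt = secrets.token_bytes(16)
    return UserRecord(salt=salt, pw_hash=_hash_password(password, salt))


def change_password(req: Request, sess: Session, users: dict) -> str:
    """Return a status string; the user store is mutated on success/failure."""
    # 1. Disallow GET: an <img>/<iframe> load from another origin cannot carry
    #    a POST body, so the request cannot be triggered by a hostile page.
    if req.method != "POST":
        return "method_not_allowed"
    # 2. Anti-CSRF token bound to the session, compared in constant time.  A
    #    cross-site page never sees this value, so guessing stops here.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return "csrf_rejected"
    rec = users[sess.user]
    # 3. After too many wrong guesses the form demands a CAPTCHA, exactly as
    #    the login page does, closing the rate-limit bypass the thread describes.
    if rec.failed_attempts >= MAX_FAILED_BEFORE_CAPTCHA and not req.captcha_solved:
        return "captcha_required"
    # 4. Require the current password before accepting a new one.
    candidate = _hash_password(req.form.get("current_password", ""), rec.salt)
    if not hmac.compare_digest(candidate, rec.pw_hash):
        rec.failed_attempts += 1
        return "wrong_password"
    new_pw = req.form.get("new_password", "")
    if len(new_pw) < 8:
        return "weak_password"
    rec.salt = secrets.token_bytes(16)
    rec.pw_hash = _hash_password(new_pw, rec.salt)
    rec.failed_attempts = 0
    # Rotate the token after a state change so a leaked token is not reusable.
    sess.csrf_token = secrets.token_urlsafe(32)
    return "ok"


def demo() -> list:
    """Constructed scenario: GET, tokenless POST, three bad guesses, then the
    correct password without and with a solved CAPTCHA."""
    users = {"alice": make_user("correct horse battery")}
    sess = Session(user="alice")
    good = {"csrf_token": sess.csrf_token,
            "current_password": "correct horse battery",
            "new_password": "staple-staple-9"}
    bad = dict(good, current_password="password1")
    results = [change_password(Request("GET", good), sess, users),
               change_password(Request("POST", {k: v for k, v in good.items()
                                                if k != "csrf_token"}), sess, users)]
    for _ in range(MAX_FAILED_BEFORE_CAPTCHA):
        results.append(change_password(Request("POST", bad), sess, users))
    results.append(change_password(Request("POST", good), sess, users))
    results.append(change_password(Request("POST", good, captcha_solved=True),
                                   sess, users))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that check 2 fires before the password is ever compared, so a cross-site page cannot consume guesses at all; the counter in check 3 only matters for an attacker submitting the form directly, which is the case the login page's CAPTCHA already covers.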
~~~
tptacek
There are plenty of direct ways to grind GMail passwords. I don't see what
difference this silly attack makes.

~~~
eli
The direct ways of guessing the password run into rate limiting -- it starts
prompting for a CAPTCHA after X failed guesses. That's all this attack avoids.

------
dguido
YHBT

