Hole in Google Mail allows mail to be hijacked

A security flaw in Google Mail reportedly allows attackers to define their own filters on a victim's account in order to redirect certain e-mails to the attacker's address. Several current reports claim that attackers have succeeded in exploiting the vulnerability to get control of victims' domains.

The flaw is essentially a cross-site request forgery (CSRF); in this case, a specially crafted website sets the filter in Google Mail. For the attack to succeed, however, a browser window has to be open with Google Mail, and the victim has to be logged in there when a second browser window pointing to the manipulated website is opened. Once the filter has been set at Gmail, attackers can use the reset function for the victim's domain password to receive an e-mail with instructions to set a new password for the victim's domain. Once the attackers have this new password, they have complete control over the account and the domain, which can then be transferred or released. In mid-2007, a quite similar vulnerability, which reportedly also allowed e-mails to be redirected by means of filters, popped up at Google Mail. Since then, it has been assumed that Google took care of the flaw once and for all back then. It now turns out that this is not the case; analyses show that Google still uses session-based rather than request-based authentication. The latter would, however, protect users from CSRF attacks by requiring attackers to guess the valid HTTP request for a certain ID. Users can protect themselves from CSRF attacks with the NoScript plug-in, which attempts to detect and block suspicious requests. NoScript also provides protection from cross-site scripting attacks. Unfortunately, only users of a Mozilla-based browser, such as Firefox, can use this plug-in.

See also:

• Gmail Security Flaw Proof of Concept, Brandon's description.
• Gmail Exploit May Aid Domain Hijacking Gmail Security Flaw Proof of Concept, Lidija Davis' description

(trk)