Tuesday, November 25, 2008

Gmail flaw can make you lose your domain or more

| Armando Romeo |
Yesterday a new POC appeared online. A new Gmail flaw, a mixture of CSRF and XSS, targeting gmail filters is capable of taking out accounts by redirecting your emails to attacker owned email addresses.

The Gmail filter is capable of setting up rules based on the sender email address. These rules include redirecting to another email account and deleting the message. This is just what Brandon needed to setup his Godaddy's account hijacking POC.

The attack goes as follows:
  • The victim's Gmail cookie is stolen to unveil the GMAIL_AT value. This is a session-bound authorization key needed later in the attack (XSS)
  • The victim is induced into visiting Gmail triggering a new filter that redirects all the emails coming from an online service, for the POC Godaddy. The victim must have used the Gmail email to register on the online service. This is where the GMAIL_AT values turns useful as the CSRF request to add a new filter needs this value to be successfully triggered (CSRF)
To take over the Godaddy account, Brandon used the Reset Password form. Godaddy's authorization code to reset the password would then be redirected to the hacker's email.

This can be adjusted to a number of other services online.
The attack is not as easy as it seems. The most difficult part is to retrieve the GMAIL_AT value through a xss. Using NoScript would help while waiting for Google to patch the flaw.

Free Security Magazines