Comments on: Google Vulnerability

By: Gmail Vulnerability caused Domain loss | Domain Name News | Domain News | Expired Domains

Wed, 23 Apr 2008 10:23:17 +0000

[...] The hacker exploited a GMail backdoor to insert a filter that forwards administrative emails to a different email address and subsequently deletes the original email. The cross-scripting vulnerability has since been fixed. [...]

By: Richard

Richard — Tue, 25 Mar 2008 00:23:46 +0000

My girlfriend just told me that she was seeing some “weird messages” on her account, and on inspection it looks like she fell foul of an exploit akin to your second POC quite some time ago – she’s only been getting messages now because the mailserver it’s trying to forward to has been failing.

I didn’t hear about this exploit when it was first found, and I’m reasonably technically-focused; my girlfriend didn’t stand a chance. I’m astonished that Google didn’t send out any kind of alert to their users when they patched the hole, because anyone who’d been exploited would still have the forwarding rule in place even after the patch.

By: Real-word CSRF hack | Mike Andrews

Real-word CSRF hack | Mike Andrews — Sat, 19 Jan 2008 06:45:16 +0000

[...] so as not to reveal the technique (or leave incriminating evidence). Turns out it was a well documented and discussed (at least in webapp security circles) vulnerability in GMail where via CSRF an [...]

By: David Airey :: Graphic and Logo Designer » WARNING: Google’s GMail security failure leaves my business sabotaged

Thu, 17 Jan 2008 10:41:31 +0000

[...] appears that the GMail security issue is fixed, but that won’t remove any previously installed Filters from your GMail [...]

By: Fernando Muñoz

Fernando Muñoz — Mon, 31 Dec 2007 17:07:29 +0000

That’s right Michael.

This is the post where pdp posted about the CSRF http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

Pdp just informed about the vuln on his blog, but didn’t release any details until Google fixed the issue.

By: Michael

Michael — Fri, 28 Dec 2007 21:03:32 +0000

An update on the designer who lost his domain (and got it back again)

http://www.davidairey.co.uk/david-airey-domain-restored.html

Michael

By: Michael

Michael — Fri, 28 Dec 2007 19:06:02 +0000

I think I have resolved my confusion. It isn’t that a user needs to disable forwarding, it is they need to remove the address your attack places in the pop/Forwarding page (unlike the previous attack which worked via filters). Correct?

Many thanks.

Michael

By: Michael Bierman

Michael Bierman — Fri, 28 Dec 2007 14:46:36 +0000

Okay so two different exploits. I am still confused and now concerned as well. Your post is rather unclear about what the second exploit does, how to undo it, or if Google has or hasn’t fixed the issue. Some of us would like to be able to use forwarding again on our accounts!

By: Check your Gmail filters! » thepinkc

Check your Gmail filters! » thepinkc — Fri, 28 Dec 2007 08:03:39 +0000

[...] just finished reading about the Google Vulnerability which was present a few weeks go (but subsequently fixed). Basically, an unscrupulous website could [...]

By: Fernando Muñoz

Fernando Muñoz — Thu, 27 Dec 2007 20:16:04 +0000

Michael: There seems to be some confusion regarding this vulnerability/poc with pdp’s find. This only allowed to use Gmail’s built in option to forward incoming email, pdp’s find used a CSRF on Gmail to inject evil filters. According to what I read, David Airey’s account was attacked by using CSRF.

To reverse my attack, you have to disable Forwarding, and for pdp’s you have to remove evil filters from your filters list.