Thursday, September 27, 2007

Scary Gmail Zero-Day Exploit

This should rattle your cage, a frighteningly easy zero-day exploit using Google Gmail. It works like this. Someone logs into their Gmail account, then visits a malicious site during the session. The bad site creates a rogue filter in their e-mail account and redirects all their e-mail to the attacker.

The exploit was uncovered by Petko Petkov, a web pen tester in the UK. Called cross-site request forgery (CSRF), Petkov posted details on the Gnucitizen web site.

Ryan Naraine had more details on his Zero Day blog.


Blogger skotfred said...

I tried it and it works transparently - time to get 'neurotic' about verifying your filters for GMail on a regular basis.

4:51 AM  

Post a Comment

<< Home