Google downplays severity of Gmail CSRF flaw

Yesterday, Vicente Aguilera Diaz from Internet Security Auditors released a proof of concept for a CSRF (Cross-Site Request Forgery) vulnerability in Google’s Gmail, which he originally reported to Google two years ago. The CSRF flaw affects Gmail’s “Change Password” function: according to Diaz, the browser automatically attaches the Gmail session cookie to every request sent to Gmail, so a password-change request forged from a third-party page the victim is visiting is processed as if the logged-in user had submitted it.

Google’s response came fast, and it amounts to “We do not consider this case to be a significant vulnerability”:

“We’ve been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user’s password within the period that the user is visiting a potential attacker’s site,” the spokesperson said. “Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this.”
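To make the mechanics concrete, here is a toy model, added here and not taken from the article, from Diaz’s proof of concept or from Google’s code, of a cookie-authenticated change-password handler beside a hardened version. The endpoint behaviour, field names (`old`, `new`, `csrf`), cookie name (`SID`) and the HMAC token scheme are all assumptions. It shows why Google’s rating hinges on password guessing: a cross-site POST that carries the victim’s cookie (added by the browser) and the right current password succeeds against the vulnerable handler, while the hardened handler refuses it because the attacker’s page cannot read the per-session anti-CSRF token and the browser reports the attacker’s origin.

```python
"""
Toy model of a cookie-authenticated "change password" endpoint and of a
CSRF-hardened version. Constructed example: endpoint behaviour, field names,
cookie name and token scheme are assumptions, not Gmail's.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://mail.example.com"  # assumption: stands in for the target site

SESSIONS = {}   # session id -> username
PASSWORDS = {}  # username -> current password (plaintext only for the demo)
CSRF_SECRET = secrets.token_bytes(32)


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: cookies, form fields and headers."""
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def create_account(username, password):
    PASSWORDS[username] = password


def login(username):
    """Issue a session cookie; the victim is assumed to be already logged in."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = username
    return sid


def csrf_token(sid):
    """Synchronizer token bound to the session. Only pages served by the site
    embed it in forms, and the same-origin policy keeps other sites from reading it."""
    return hmac.new(CSRF_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def change_password_vulnerable(req):
    """Trusts the session cookie plus the 'old' password and nothing else.
    Any page that can make the victim's browser POST here, and knows or
    guesses the current password, can set a new one."""
    user = SESSIONS.get(req.cookies.get("SID"))
    if user is None:
        return 401
    if not hmac.compare_digest(PASSWORDS[user], req.form.get("old", "")):
        return 403
    PASSWORDS[user] = req.form["new"]
    return 200


def change_password_hardened(req):
    """Same checks, plus a same-origin Origin header and the per-session
    anti-CSRF token in the body. A forged cross-site POST fails both."""
    user = SESSIONS.get(req.cookies.get("SID"))
    if user is None:
        return 401
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    if not hmac.compare_digest(csrf_token(req.cookies["SID"]), req.form.get("csrf", "")):
        return 403
    if not hmac.compare_digest(PASSWORDS[user], req.form.get("old", "")):
        return 403
    PASSWORDS[user] = req.form["new"]
    return 200


def forged_request(sid, guessed_old, new):
    """What an attacker's page can make the victim's browser send: the browser
    attaches the cookie itself, but the page cannot supply the token and the
    browser reports the attacker's origin."""
    return Request(cookies={"SID": sid}, form={"old": guessed_old, "new": new},
                   headers={"Origin": "https://attacker.example"})


def legitimate_request(sid, old, new):
    """A POST from the site's own change-password form."""
    return Request(cookies={"SID": sid},
                   form={"old": old, "new": new, "csrf": csrf_token(sid)},
                   headers={"Origin": SITE_ORIGIN})


def demo():
    create_account("victim", "hunter2")
    sid = login("victim")
    r = {}
    r["vuln_wrong_guess"] = change_password_vulnerable(forged_request(sid, "password1", "owned"))
    r["vuln_right_guess"] = change_password_vulnerable(forged_request(sid, "hunter2", "owned"))
    r["pw_after_vuln"] = PASSWORDS["victim"]
    PASSWORDS["victim"] = "hunter2"  # reset for the hardened run
    r["hard_right_guess"] = change_password_hardened(forged_request(sid, "hunter2", "owned"))
    r["hard_legit"] = change_password_hardened(legitimate_request(sid, "hunter2", "n3w-pass"))
    r["pw_after_hard"] = PASSWORDS["victim"]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The wrong guess is refused by both handlers (403), the right guess changes the password on the vulnerable handler (200) but is refused by the hardened one even though the password is correct, and only the site’s own form, carrying the token and the right Origin, succeeds. Modern browsers add a further layer the 2009 web lacked: cookies default to `SameSite=Lax`, so a cross-site POST would not carry the session cookie at all, but a server-side token check is still the dependable control.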

Compared with the futile password-guessing this attack requires, flaw-independent approaches like social engineering remain far more effective. From a pragmatic perspective, malicious attackers have an extensive number of tactics to choose from if they want your Gmail password, from plain simple phishing campaigns to more efficiency-centered approaches; remember the G-Archiver fiasco?

Google’s most recently fixed flaws across its web properties include October 2008’s cross-domain frame injection vulnerability, November 2008’s XSS in Google’s accounts SSL login page, and January 2009’s Google Sites reflected cross-site scripting flaw.

[Source: zdnet]