XSRF vulnerability in GMail service – Round Two

By Rodrigo Montoro on March 4, 2009

We were digging deeper into the possibilities opened by the latest XSRF in GMAIL, which allows an attacker to brute force the user’s password in a fairly stealthy way by submitting the request through a hidden tag such as img, embed, iframe, JavaScript or other means. The advisory showed, as a “Proof of Concept”, a sequence of password brute-forcing attempts using “Oldpassword” as the value. That got us thinking: what about switching from the “current password” to a security question (e.g. “What was your first phone number?”)? That idea was raised because of the two facts below:

  1. How many phone number combinations could there be? 100 million? 1 billion? 10 billion?
  2. How many people, when subscribing to GMAIL, would use something like 111-111-1111 or 1111111111 or some equally silly answer for a security question?
  3. Maybe something like:
     service=mail&hl=en&group1=IdentityAnswer&IdentityAnswer=111111111&Passwd=abc123&PasswdAgain=abc123&p=&save=Save

We started wondering whether these variations could make the GMAIL XSRF easier to exploit compared to a common attack vector such as brute forcing passwords (OK … some people use stupid passwords =) ).
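What makes the request body above usable from a hidden img or iframe is that nothing in it is unguessable by a third-party page: every field is either fixed or chosen by the attacker, and the answer to the security question can simply be tried many times. As an added illustration (not N-Stalker’s code and not Google’s implementation), the hypothetical handler below shows the two server-side checks that close that gap: a per-session anti-CSRF token that a cross-site page cannot read, and a cap on failed IdentityAnswer attempts. The field names are the ones from the post; the Session class, the token field name csrf_token and the limit of five attempts are assumptions.

```python
# Added example, not the original post's code: a minimal change-password handler
# that rejects forged cross-site submissions and throttles guesses against the
# security answer. Field names (group1, IdentityAnswer, Passwd, PasswdAgain)
# follow the request body quoted in the post; everything else is hypothetical.
import hmac
import secrets
from urllib.parse import parse_qs

MAX_FAILED_ANSWERS = 5  # assumed lockout threshold


class Session:
    """Hypothetical server-side session for a logged-in user."""

    def __init__(self, username, stored_answer):
        self.username = username
        self.stored_answer = stored_answer          # answer to the security question
        self.csrf_token = secrets.token_urlsafe(32)  # embedded only in the real form
        self.failed_answers = 0
        self.password = None


def change_password(session, body):
    """Process a form-encoded change-password body; returns a status string."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    # 1. Synchronizer token: a cross-site <img>/<iframe>/script cannot read the
    #    victim's token, so a forged request fails here before any guess counts.
    if not hmac.compare_digest(fields.get("csrf_token", ""), session.csrf_token):
        return "rejected: missing or invalid csrf token"

    # 2. Lockout: bound the number of guesses against the security answer so a
    #    small answer space (e.g. a phone number) cannot be enumerated.
    if session.failed_answers >= MAX_FAILED_ANSWERS:
        return "rejected: too many failed answers"

    if fields.get("group1") != "IdentityAnswer":
        return "rejected: unsupported verification method"

    answer = fields.get("IdentityAnswer", "")
    if not hmac.compare_digest(answer, session.stored_answer):
        session.failed_answers += 1
        return "rejected: wrong answer"

    new_password = fields.get("Passwd", "")
    if not new_password or new_password != fields.get("PasswdAgain"):
        return "rejected: passwords do not match"

    session.failed_answers = 0
    session.password = new_password
    # Rotate the token after a successful state change.
    session.csrf_token = secrets.token_urlsafe(32)
    return "ok"


if __name__ == "__main__":
    # Constructed sample: the body from the post, replayed as a hidden tag would.
    s = Session("victim", "5551234567")
    forged = ("service=mail&hl=en&group1=IdentityAnswer&IdentityAnswer=111111111"
              "&Passwd=abc123&PasswdAgain=abc123&p=&save=Save")
    print(change_password(s, forged))  # rejected: missing or invalid csrf token
```

Note that the token check runs before the answer is compared, so a forged submission never consumes a guess or leaks whether the answer was right; the lockout counter only ever moves for requests that already carry the user’s own token.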

Other questions that would naturally arise:

  1. What would happen if the person has no phone number or security question registered (is that mandatory)?
  2. Do you remember the phone number or security question you registered? Is that strong enough?

Think about that.

N-Stalker Research Labs Team.
