XSRF vulnerability in GMail service – Round Two
We have been digging further into the possibilities opened by the latest XSRF in Gmail, which allows an attacker to brute force a user's password in a fairly stealthy way using hidden tags such as img, embed, iframe, JavaScript and other vectors. The advisory showed as a "Proof of Concept" a sequence of password brute forcing using "Oldpassword" as a value. Here we were thinking: what about switching from the "current password" to a security question (e.g. "What was your first phone number?")? That idea came up because of the two facts below:
- How many phone number combinations could there be? 100 million? 1 billion? 10 billion?
- How many people, when signing up to Gmail, would use something like 111-111-1111 or 1111111111 or something equally stupid as the answer to a security question?
- Maybe something like:
service=mail&hl=en&group1=IdentityAnswer&IdentityAnswer=111111111&Passwd=abc123&PasswdAgain=abc123&p=&save=Save
We started wondering whether these variations could make the Gmail XSRF easier to exploit than the common attack vector of brute forcing passwords (OK … some people use stupid passwords =) ).
Another question that would naturally arise:
- What would happen if the person has no phone registered or no security question (is that mandatory)?
- Do you remember the phone number you registered or your security question? Is that strong enough?
Think about that.
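As an added, defender-side illustration (this is not code from the original advisory, from Google, or from the N-Stalker team), here is a minimal password-change handler in Python that shows the two controls which close off the scenario discussed above: a per-session synchronizer token plus an Origin check so that a hidden img, iframe or form on another site cannot submit the request at all, and a failed-attempt counter with lockout on the identity-answer path, because a phone number is guessable in a way a password is not. The `group1`, `IdentityAnswer`, `Passwd` and `PasswdAgain` parameter names are taken from the request shown on the page; the `csrf_token` and `Oldpassword` field names, the `ALLOWED_ORIGINS` set, the `Session` and `Account` classes, the lockout threshold and window, and all sample values are assumptions constructed for the example.

```python
"""
Constructed example of a password-change endpoint hardened against XSRF and
against cheap guessing of a security-question answer. Nothing here is vendor
code; origins, thresholds and field names are assumptions for the example.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs

ALLOWED_ORIGINS = {"https://mail.example.test"}  # assumed first-party origin
MAX_IDENTITY_ATTEMPTS = 5                         # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60                         # assumed lockout window


@dataclass
class Session:
    user: str
    # Synchronizer token: generated per session, rendered into our own form,
    # never readable from an attacker's origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    failed_identity_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Account:
    password: str
    identity_answer: str  # e.g. "first phone number"; constructed sample data


def _ct_eq(a: str, b: str) -> bool:
    # Constant-time comparison so a wrong guess leaks nothing via timing.
    return hmac.compare_digest(a.encode(), b.encode())


def change_password(session, account, headers, body, now=None):
    """Handle a password-change POST.

    headers: dict of request headers; body: raw form-encoded request body.
    Returns (http_status, reason). `now` is injectable for deterministic tests.
    """
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}

    # 1. A forged request from another site carries that site's Origin
    #    (or none at all for some image loads); only our origin may proceed.
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return 403, "bad origin"

    # 2. The attacker's hidden form cannot know the victim's token, so a
    #    request without the right token is rejected before any guess counts.
    if not _ct_eq(form.get("csrf_token", ""), session.csrf_token):
        return 403, "missing or wrong csrf token"

    # 3. Identity-answer path: count failures and lock out, since the answer
    #    space (a phone number) is tiny compared with a password's.
    if form.get("group1") == "IdentityAnswer":
        if now < session.locked_until:
            return 429, "identity answer path locked"
        if not _ct_eq(form.get("IdentityAnswer", ""), account.identity_answer):
            session.failed_identity_attempts += 1
            if session.failed_identity_attempts >= MAX_IDENTITY_ATTEMPTS:
                session.locked_until = now + LOCKOUT_SECONDS
            return 401, "wrong identity answer"
    # Otherwise the caller must prove knowledge of the current password.
    elif not _ct_eq(form.get("Oldpassword", ""), account.password):
        return 401, "wrong current password"

    new, again = form.get("Passwd", ""), form.get("PasswdAgain", "")
    if not new or new != again:
        return 400, "new passwords do not match"
    account.password = new
    session.failed_identity_attempts = 0
    return 200, "password changed"
```

Note that the lockout is keyed to the session here for brevity; a production service would also count per account and per source, so that the attacker cannot reset the counter by forcing a new session on the victim. The point the example makes is that once the token and Origin checks are in place the cross-site submission never reaches the guessing logic at all, and the lockout then only has to defend against on-site abuse.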
N-Stalker Research Labs Team.