We were getting deeper on possibilities about latest XSRF at GMAIL which allow us to brute force in a kind of stealth mode the user’s password using some hidden tag as img, embeded, iframe, java script and other ways . The advisory showed as a “Proof of Concept” a sequence of password brute forcing using “Oldpassword” as a value. Here we were thinking, how about changing from “current password” to a security question (e.g: “What was your first phone number?”) ? That situation was raised because of two facts below:

1. How many phone combination could we have? 100 millions? 1 billion ? 10 billions ?
2. How many people when subscribed to gmail would use something like 111-111-1111 or 1111111111  or something stupid as an answer for a security question?
3. Maybe something like:

service=mail&hl=en&group1=IdentityAnswer&IdentityAnswer=111111111&Passwd=abc123&PasswdAgain=abc123&p=&save=Save

We start wondering that these variations could turn GMAIL XSRF easier to exploit if you compare to a common attack vector such as brute forcing passwords (OK … some people use stupid passwords =) ).

Another question that would naturally rise would be:

1. what would happen if the person has no phone registered or security question  (is that mandatory) ?
2. Do you remember the phone you registered or security question ? is that strong  enough ?

Think about that.

N-Stalker Research Labs Team.