Tuesday, March 3, 2009

Check your GMail passwords

A new GMail CSRF vulnerability was announced today which allows attackers to determine and/or change a user's password.

Of course, this requires that you're logged in to GMail and that you visit a particular page that hosts the CSRF attack. This is often accomplished by sending you a link in an email: since you're reading the email in GMail, you're guaranteed to be logged in at the moment you click the link.

I think the main threats right now are these: if you have an easy password, an attacker can determine what it is fairly easily by running a few CSRF attacks against you. There is also the possibility of someone changing your password, but that requires that they already know your password or can get you to type it in for them on the malicious web page.

Bottom line, make sure you have a secure password, and as always, be wary of emails from strangers (especially HTML emails).

