Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security

Submission + - GMail POST Mortem: Can You Handle CSRF? (hackademix.net)

Giorgio Maone writes: "This week couldn't be worse for Google and GMail: four distinct vulnerabilities disclosed in the past few days, plus a Google Docs weakness by Rios/McFeters allowing for easy Flash-based XSS, and now another GMail hijacking technique half-disclosed (!) by Petko H. Petkov (AKA pdp).

GMail POST Mortem analyzes the details published by Petko under his ambiguous "semi-disclosure" policy, and it shows how this is in facts a 0 day full disclosure, since building a working exploit from it is pretty trivial. Finally, countermeasures against the CSRF (the class of vulnerabilities which this one belongs to) are provided, both for developers and for users.

BTW, the GMail hole is still unpatched (tested 1 minute ago)."

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

GMail POST Mortem: Can You Handle CSRF?

Comments Filter:

"The chain which can be yanked is not the eternal chain." -- G. Fitch

Working...