Logout/Login CSRF. Alf Eaton built an example page (this link goes to his description, not the page itself) that uses a login CSRF attack to log you in to Google under an account he has created. Login CSRF inverts the usual attack: instead of riding the victim's existing session, the attacker's page silently submits the attacker's own credentials to the target's login form, so everything the victim does afterwards (searches, history, uploads) is recorded in an account the attacker can read. Scary.
Have you seen this one:
http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html
Still, doesn't this give a savvy victim total access to the attacking Google account? One could easily change the password and lock the attacker out of his own account...
Don't get me wrong, it's a good proof-of-concept, but I doubt we'll be seeing this variety in the wild much.
Joey,
The attacker makes a throwaway account. The account merely exists as a data collection vector for the victims to run under.
If a particular attacker account is lost, so what. I still have 9,999 credit cards from the other accounts.
Jeremy Dunck - 25th September 2008 23:44 - #