Simon Willison’s Weblog

Subscribe

Posts tagged google, csrf

Filters: google × csrf × Sorted by date

Logout/Login CSRF. Alf Eaton built an example page (this link goes to his description, not the page itself) that uses a login CSRF attack to log you in to Google using an account he has created. Scary.

# 24th September 2008, 10:18 pm / alf-eaton, csrf, google, logincsrf, security

ratproxy. “A semi-automated, largely passive web application security audit tool”—watches you browse and highlights potential XSS, CSRF and other vulnerabilities in your application. Created by Michal Zalewski at Google.

# 3rd July 2008, 2:35 pm / csrf, google, michal-zalewski, proxy, ratproxy, security, testing, xss

David Airey: Google’s Gmail security failure leaves my business sabotaged (via) Gmail had a CSRF hole a while ago that allowed attackers to add forwarding filter rules to your account. David Airey’s domain name was hijacked by an extortionist who forwarded the transfer confirmation e-mail on to themselves.

# 26th December 2007, 12:16 pm / csrf, david-airey, gmail, google, security

Google GMail E-mail Hijack Technique. Apparently Gmail has a CSRF vulnerability that lets malicious sites add new filters to your filter list—meaning an attacker could add a rule that forwards all messages to them without your knowledge.

# 27th September 2007, 10:29 am / csrf, gmail, google, security, vulnerability

Fighting RFCs with RFCs

Google’s recently released Web Accelerator apparently has some scary side-effects. It’s been spotted pre-loading links in password-protected applications, which can amount to clicking on every “delete this” link — bypassing even the JavaScript prompt you carefully added to give people the chance to think twice.

[... 353 words]

8:39 pm / 6th May 2005 / csrf, google, http, rfc, security, standards

Types

Years

Tags