GMail CSRF/XSRF (Cross Site Request Forgery) flaw fixed.

by Hari K. Gottipati

First, Happy 2007 to all.

For the GMail team, 2007 started with an exploit, and they fixed it immediately. Googlified first discovered this serious exploit in GMail, which lets your contact list be stolen.
Using a cross-site script include (loosely, a form of cross-site scripting), it becomes easy to steal a GMail user's contact list if they visit a certain type of website. The only condition is that you have to be logged in to GMail at the time of the attack. GMail serves your contact list as a JavaScript file, which is the core problem: any page on the web can include a script from another site, so if you are logged in to GMail, simply visiting a malicious website can steal your contact list and all the contacts' details.


You can find the explanation of the flaw here.
Basically, Google Docs has a script that runs a callback function, passing it your contact list as an object. The script presumably checks a cookie to ensure you are logged into a Google account before handing over the list.

Unfortunately, it doesn't check what page is making the request. So, if you are logged in in window 1, window 2 (an evil site) can include that script with a plain script tag, define the callback function itself, and receive the contact list as an object. The browser sends Google's cookies along with the script request no matter which page embeds it, so since you are logged in somewhere, your cookie is valid and the request goes through.

Also, if you check the object that is returned, you see fields for the contact's name, email and "affinity". Presumably, a higher affinity means a more-emailed contact, so it may be possible to know the relative importance of your contacts.
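The mechanism described above, modelled in JavaScript as an added example (this is not code from the original post, from Googlified or from Google): a toy contacts endpoint that checks only the session cookie and emits `callback(...)`, a model of a browser loading that endpoint through a script tag on an attacker's page, and a hardened version of the endpoint alongside the same-origin client that can still use it. The cookie and token values, the header and query parameter names, and the contact list (including the "affinity" field) are constructed assumptions.

```javascript
// Added example, not Google's code: a toy model of the contact-list leak.
// Constructed sample data; cookie, token and parameter names are assumptions.
const SESSION_COOKIE = "SID=s3ss10n";   // attached by the browser to every request to the site
const SESSION_TOKEN = "tok-7f3a9c";     // per-session secret only same-origin pages can read
const CONTACTS = [                       // constructed sample contact list
  { name: "Alice Example", email: "alice@example.com", affinity: 42 },
  { name: "Bob Example",   email: "bob@example.com",   affinity: 7 },
  { name: "Carol Example", email: "carol@example.com", affinity: 1 },
];

// Vulnerable endpoint, the pattern the post describes: it checks the session cookie
// only, then hands the list to whatever callback name the query string asks for.
function vulnerableContactsEndpoint(req) {
  if (req.cookie !== SESSION_COOKIE) return { status: 401, body: "" };
  return { status: 200, body: `${req.query.callback}(${JSON.stringify(CONTACTS)});` };
}

// Hardened endpoint: still checks the cookie, but also requires a custom request
// header and a per-session token. A cross-origin <script src> include can supply
// neither, so the cookie alone no longer buys access. The body is plain JSON behind
// an unparseable prefix instead of an executable callback, so even a misconfigured
// caller cannot run it as script.
function hardenedContactsEndpoint(req) {
  if (req.cookie !== SESSION_COOKIE) return { status: 401, body: "" };
  if (req.headers["X-Requested-With"] !== "XMLHttpRequest") return { status: 403, body: "" };
  if (req.query.token !== SESSION_TOKEN) return { status: 403, body: "" };
  return { status: 200, body: ")]}'\n" + JSON.stringify(CONTACTS) };
}

// Model of an attacker page doing <script src="https://site/contacts?callback=leak">.
// The browser attaches the victim's cookie for the script's origin regardless of
// which page embedded the tag, cannot add custom headers, and runs the response
// body as JavaScript in the attacker page's context, where leak() is the attacker's.
function attackerScriptInclude(endpoint) {
  const stolen = [];
  const res = endpoint({
    cookie: SESSION_COOKIE,        // sent automatically by the victim's browser
    headers: {},                   // a <script> include cannot set custom headers
    query: { callback: "leak" },   // attacker picks the callback name
  });
  if (res.status === 200) {
    try {
      // Run the body as the attacker's page would, with leak() bound to the attacker's function.
      new Function("leak", res.body)((list) => stolen.push(...list));
    } catch (e) {
      // A body starting with ")]}'" is a SyntaxError: nothing runs, nothing leaks.
    }
  }
  return stolen;
}

// The site's own page: it can read the token and send a custom header via XMLHttpRequest.
function legitimateClient(endpoint) {
  const res = endpoint({
    cookie: SESSION_COOKIE,
    headers: { "X-Requested-With": "XMLHttpRequest" },
    query: { token: SESSION_TOKEN },
  });
  if (res.status !== 200) return null;
  return JSON.parse(res.body.replace(/^\)\]\}'\n/, ""));
}

// What an attacker could do with the leaked "affinity" field: rank contacts by it.
function mostEmailed(list) {
  return [...list].sort((a, b) => b.affinity - a.affinity).map((c) => c.email);
}
```

The hardened endpoint deliberately does not rely on checking the Referer header, because browsers and proxies frequently omit it; a secret the attacker's origin cannot read (the token) and a header a script include cannot set are what actually distinguish the site's own page from the evil one. The `)]}'` prefix is defence in depth on top of that, not a substitute for it.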

Apparently, this is a CSRF/XSRF (Cross Site Request Forgery) attack: the malicious page makes the victim's browser send a request that Google authenticates with the victim's own cookie.
CSRF is a relatively unknown type of attack on a website, because it can be tricky to pull off. But this obscurity means that far more sites are vulnerable. In addition, CSRF has all the potential of XSS, so it is a powerful foe.

Joe Walker (DWR) has written a detailed explanation of CSRF attacks and how to protect your applications from them.