Wednesday, November 26, 2008

Follow-Up: Phishing To Blame For GMail Exploits Not CSRF

Following up on our recent post, New GMail Exploit Or Old Cross-Site Scripting Vulnerability, Google has determined that the reported hijacking was a case of good old fashioned phishing and there is "no evidence of a GMail vulnerability".

Google responded today to the claims that the hijacked websites were due to an old CSRF vulnerability. Chris Evans writes, "With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information...Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers."

Google says the domain theft linked to David Airey' site back in 2007 has been "incorrectly linked to a GMail CSRF vulnerability." There is no mention of the recent hijackings detailed in our previous post, but as mentioned in that post there was never any solid evidence that it was a CSRF exploit. In fact my original assement of the MakeUsOf hijacking was that the were victums of phishing.

One thing still nags at me about this though, if someone had phished these accounts then there would be no reason to setup filters. If you have full access to someones page (ie. log-in and password) then you wouldn't need to forward the emails out. You could change the password, locking out the user, and then have the emails sent directly to that account that you'd now control.

The only benefit from setting up the forwarding filters would be long term acess to the account. An attacker could essentially collect information undetected for weeks even months, or more. If the attackers took control and locked the user out they might be detected within a few mins. or hrs.

To keep your Google account secure online, Google recommends you only ever enter your Gmail sign-in credentials to web addresses starting with, and never click-through any warnings your browser may raise about certificates. For more information on how to stay safe from phishing attacks, see Google's blog post here.


I contacted Aibek at today and he has stated he has not been contacted by Google in relation to this matter and that "I also talked to both Florin [] and Edin [] and only one of them was contacted by Google."

I've put an inquiry in to Chris Evans at the Google Online Security Blog and we are currently waiting follow-up. So check back for further details.

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you