Google silently corrects Gmail CSRF hole
By
Scott Spanbauer
The good news is that Google has eliminated a security hole that could allow a hacker to get into your Gmail account, as I reported in an April 23 story.
The bad news is that Google chose to remain so tight-lipped about the change that even its own engineers and many security researchers were unaware of the fix, something that doesn't inspire confidence.
As recently as April 24, Google support staff were confirming that its e-mail service had a security hole known as cross-site request forgery (XSRF or CSRF, pronounced "sea-surf"). In an e-mail to a Google Apps user, Google Apps Team member "Heine" wrote:
-
"I've looked into this for you and found that our engineers are aware of the issue and are working to have a patch available at the earliest.
"I have been assured that the likelihood of this issue actually occurring is very limited, but at the same time I do want to stress that we take the matter seriously."
-
"We want users to know that on March 12, we fixed the vulnerability that was brought to our attention. We never received any reports of the vulnerability being exploited, and do not consider this case to have been a significant issue. A successful exploit would have required correctly guessing a user's password within the period that the user was visiting a potential attacker's site. Nevertheless, we implemented additional measures that effectively prevent the attack. We always encourage users to choose strong passwords, and we have an indicator to help them do this when creating passwords."
-
"We added an XSRF token to the password-change page. The attacking site will not have this token and hence cannot masquerade as a user trying to change their password."
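As an added illustration (not code from the article or from Google), here is a minimal password-change handler before and after adding the per-session XSRF token the statement describes; the in-memory session store, the dict-shaped requests and the account names are constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory stores (assumption: no web framework; requests are plain dicts).
SESSIONS = {}   # session_id -> {"user": ..., "xsrf_token": ...}
ACCOUNTS = {"alice": "old-pass"}

def new_session(user):
    """Log a user in: issue a session id and a random per-session XSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "xsrf_token": secrets.token_urlsafe(32)}
    return sid

def _authenticate(request):
    """Checks both versions share: valid session cookie, correct current password."""
    sess = SESSIONS.get(request["cookies"].get("sid"))
    if sess is None:
        return None, 401
    if request["form"].get("old_password") != ACCOUNTS[sess["user"]]:
        return None, 403
    return sess, 200

def change_password_vulnerable(request):
    """Before: the browser attaches the cookie to cross-site posts, so a guessed password suffices."""
    sess, status = _authenticate(request)
    if sess is None:
        return status
    ACCOUNTS[sess["user"]] = request["form"]["new_password"]
    return 200

def change_password_fixed(request):
    """After: the per-session token, which another origin cannot read, must also match."""
    sess, status = _authenticate(request)
    if sess is None:
        return status
    if not hmac.compare_digest(request["form"].get("xsrf_token", ""), sess["xsrf_token"]):
        return 403
    ACCOUNTS[sess["user"]] = request["form"]["new_password"]
    return 200

def demo():
    """Constructed scenario: victim is logged in; a cross-site page posts the form with
    a correctly guessed current password but no token. Returns the three status codes."""
    sid = new_session("alice")
    forged = {"cookies": {"sid": sid}, "form": {"old_password": "old-pass", "new_password": "x"}}
    legit = dict(forged, form=dict(forged["form"], xsrf_token=SESSIONS[sid]["xsrf_token"]))
    ACCOUNTS["alice"] = "old-pass"
    vulnerable_forged = change_password_vulnerable(forged)   # 200: password silently changed
    ACCOUNTS["alice"] = "old-pass"
    return vulnerable_forged, change_password_fixed(forged), change_password_fixed(legit)
```

The forged request passes every check the old handler made, which is why the token, rather than the current-password check, is what closes the hole.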
At my request, ISA researcher Vicente Aguilera Díaz examined the site again on April 30 and found that Google had indeed eliminated the security flaw in Gmail's password-change page:
-
"I see that they've added a security token that prevents the vulnerability from being exploited (since it requires that the token be known and, apparently, is cryptographically secure) ...
"I can confirm for you that Google did not communicate with me at any time (neither with me, nor with any of my co-workers) that they had corrected the vulnerability. It's strange, since I reported the problem to them and tracked it, but it appears that they've corrected it 'silently.'"
Google's reasoning in keeping mum about the security flaw's existence and subsequent fix is that a successful Gmail account takeover using the exploit was unlikely. However, it was certainly possible, as demonstrated by a proof of concept that Aguilera published. ISA says the information was publicly disclosed only after Google declined to correct the hole following more than one year's notice.
Software developers inspire more confidence in their products when they work cooperatively and openly with the community of security researchers. Here's hoping that Google won't hesitate to communicate in a timely fashion when future flaws inevitably crop up.
Reader Ron Hancock will receive a gift certificate for a book, CD, or DVD of his choice for his help with the research for this article. Send us your tips via the Windows Secrets contact page.
Scott Spanbauer writes frequently for PC World, Business 2.0, CIO, Forbes ASAP, and Fortune Small Business. He has contributed to several books and was technical reviewer of Jim Aspinwall's PC Hacks.