
Security researcher Vicente Aguilera Diaz from ISecAuditors has released a proof of concept for a Gmail vulnerability dating back to Aug. 1, 2007.
Details of the attack:
GMail is vulnerable to CSRF attacks in the “Change Password” functionality. The only token used to authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request. An attacker can create a page that includes requests to the “Change Password” functionality of GMail and modify the passwords of the users who, being authenticated, visit the page of the attacker. The attack is facilitated since the “Change Password” request can be made via the HTTP GET method instead of the POST method that is normally used by the “Change Password” form.
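
The weakness described in the advisory, next to a server-side fix, as an added example that is not Gmail's code and not part of the advisory. The handler names, the in-memory session store and the HMAC-based token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (constructed)
SESSIONS = {"sid-123": "alice"}           # constructed session store
PASSWORDS = {"alice": "old-password"}     # plaintext only to keep the demo short


def csrf_token(session_id: str) -> str:
    """Token bound to the session; a third-party page cannot read or compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def change_password_vulnerable(method, cookies, params):
    """Behaviour the advisory describes: cookie alone authorizes, any method works."""
    user = SESSIONS.get(cookies.get("session", ""))
    if user is None:
        return 401
    PASSWORDS[user] = params["new_password"]
    return 200


def change_password_hardened(method, cookies, params):
    """Same action, but the request must prove it came from the site's own form."""
    if method != "POST":                  # state changes never ride on GET
        return 405
    sid = cookies.get("session", "")
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    sent = params.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), csrf_token(sid).encode()):
        return 403                        # cookie was auto-attached, token was not
    PASSWORDS[user] = params["new_password"]
    return 200


# Constructed request as a browser sends it when triggered from another site:
# the session cookie is attached automatically, the token is unknown to that page.
FORGED = ("GET", {"session": "sid-123"}, {"new_password": "chosen-by-other-site"})


def legitimate(new_password):
    """Request produced by the site's own form, which embeds the session's token."""
    return ("POST", {"session": "sid-123"},
            {"csrf_token": csrf_token("sid-123"), "new_password": new_password})
```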

This doesn’t sound too good :S In reality though how likely is this to happen to an average user?
So I should hope I never have to change my Google Accounts password?
@fragileheart
From what I can make of it, I think it means that if you are logged into Gmail and you visit this site, it automatically authenticates you because of your session cookie, and then because you have effectively logged in there, it can change your password.
It seems unlikely to succeed unless you are using a very insecure password. Gmail has limited the rate at which you can attempt to reset it, hence the “Selective DoS on users of the GMail service” impact.