Security researcher Vicente Aguilera Diaz from ISecAuditors has released a proof of concept for a Gmail vulnerability dating back to Aug. 1, 2007.

Details of the attack:

GMail is vulnerable to CSRF attacks in the “Change Password” functionality. The only token for authenticating the user is a session cookie, and this cookie is sent automatically by the browser in every request. An attacker can create a page that includes requests to the “Change Password” functionality of GMail and modify the passwords of users who, while authenticated, visit the attacker's page. The attack is facilitated because the “Change Password” request can be made via the HTTP GET method instead of the POST method normally used by the “Change Password” form.
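The two weaknesses the advisory names (the session cookie as the only authenticator, and the change being accepted over GET) correspond to two server-side checks. The following is an added example, not Google's code and not part of the advisory; the handler, the `session` cookie name and the form field names are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated for this example


def csrf_token(session_id: str) -> str:
    """Token bound to one session; the real form carries it in a hidden field."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def change_password(method: str, cookies: dict, form: dict, sessions: dict) -> int:
    """Hypothetical handler: returns the HTTP status for one request."""
    session_id = cookies.get("session", "")
    user = sessions.get(session_id)
    if user is None:
        return 401  # no valid session cookie
    if method != "POST":
        return 405  # a state change is never accepted over GET
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return 403  # cookie arrived without the token: not sent by our own form
    new_password = form.get("new_password", "")
    if not new_password:
        return 400
    salt = secrets.token_bytes(16)
    user["salt"] = salt
    user["pw_hash"] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
    return 200


def demo() -> list:
    """Constructed requests: what the server sees with and without the token."""
    sessions = {"s1": {"name": "alice"}}
    cookie = {"session": "s1"}  # the browser attaches this to every request
    return [
        change_password("GET", cookie, {"new_password": "x"}, sessions),
        change_password("POST", cookie, {"new_password": "x"}, sessions),
        change_password("POST", cookie,
                        {"new_password": "x", "csrf_token": csrf_token("s1")}, sessions),
    ]


if __name__ == "__main__":
    print(demo())
```

Only the third request, which carries the session-bound token in addition to the cookie, changes the stored password.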

This tutorial will show you how to set up GPG for use with Firefox and Gmail on Win32 and Linux systems.

What you need:
Firefox
GPG

GPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories.

Win32: gnupg-w32cli-1.4.9.exe is the latest at this time.
Linux: gpg should be installed by default on most distros. If not, you’ll need to get the tar.gz and do the compile dance:
tar xvzf gnupg-?.?.?.tar.gz
cd gnupg-?.?.?/
./configure
make
(sudo) make install

FireGPG

FireGPG is able to detect PGP blocks in any page (for example a public key), and lets you easily manage these different blocks.

A movie or some other large file. It seemed to speed up generating my 4096-bit keys considerably.

Once you’ve installed the binary and Firefox plugin, you need to generate a new key.
Win32:
Start > Run > cmd
cd \
cd "Program Files\GNU\GnuPG"
gpg --gen-key

Linux:
Open a terminal and type:
gpg --gen-key

Tips:
Use a random password generator to generate a strong password.
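Answer the questions; the defaults are OK. When it starts to generate a key, start watching your movie. GPG itself suggests doing something else during key generation (typing, moving the mouse, using the disks) so that the random number generator can gather enough entropy.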

Now, open up Firefox and verify that FireGPG has automatically found your new key:
Tools > FireGPG > Key Manager
You should see your new key in the list.

Now you can test it in Gmail by sending yourself a message with the “Clear sign and send” option.

FireGPG has a bunch of other features that you’ll become familiar with as you browse the web from day to day. Gmail is really popular, so I figured this would be the best example of its usage. Leave a comment if you have found other unique tips that you want to share.

© 2010 nukeitdotorg