On Dec 11, 2007 3:01 PM, Aaron Katz <[EMAIL PROTECTED]> wrote:
> My strong suspicion is that the original poster simply created a
> JavaScript script in somewhere.google.com, and this JavaScript deleted
> the cookie. This would work if the session cookie is restricted to
> google.com, which would let any web server in, or content served from
> the google.com domain (or any subdomain).
>
> My note about using NoScript to restrict JavaScript execution to
> mail.google.com reinforces this suspicion.
>
> If my suspicion is correct, then google did two things. First, google
> appears to allow individuals to create personal domain names in
> google.com, and to place arbitrary content in those domains. This
> first thing probably allowed the original poster to place the
> JavaScript in a location where it could access the google.com cookie.
> Second, google apparently did not restrict the gmail cookie to
> mail.google.com. This second thing allowed the JavaScript from the
> personal system at somewhere.google.com to access the cookie.
>
>
> Of course, I only did a cursory glance at the source of the webpage,
> so I may be wrong :) But, we can be reasonably sure it's not
> exploiting a problem in the browser, since the issue appears to be
> cross browser.
Well, let me just say that NoScript will not save you here in my example. Try this to see how to really mess with your brain...

* Open Firefox 2.x (delete all cookies/cached objects if you like, etc)
* Check an email in Google
* Visit my PoC code page in a new tab
* Click on the Google tab and try to read an email
* Something went wrong...
* Log back into Google
* Browse around your email, or not, doesn't matter
* Merely click on the tab for my PoC webpage
* Something goes wrong again...

Just clicking a tab in Firefox can mess with your Google account? Details will be released this Friday and will also include an exploit for Yahoo as well. Fair warning...

--
Kristian Erik Hermansen
"I have no special talent. I am only passionately curious."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
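An added illustration of the cookie-scoping point in Aaron's quoted message, written for this page and not code from either poster: RFC 6265 domain matching shows why a session cookie set with `Domain=google.com` is visible on `somewhere.google.com`, while a host-only, HttpOnly cookie for `mail.google.com` is not. The cookie name `SID` and the two jars are constructed sample data; the hostnames are the ones from the thread.

```python
"""Which cookies does a browser expose to a given host?

Demonstrates the scoping difference discussed in the thread: a cookie
scoped to the parent domain (Domain=google.com) reaches every subdomain,
including one serving user-supplied content; a host-only cookie does not.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # Domain attribute, or the setting host for host-only cookies
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    http_only: bool = False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or request host is a subdomain."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def visible_to(host: str, jar, via_script: bool = False):
    """Sorted names of cookies the browser would expose on `host`.

    Host-only cookies require an exact host match; domain cookies use
    domain matching. With via_script=True, HttpOnly cookies are hidden,
    as they are from document.cookie.
    """
    names = []
    for c in jar:
        if c.host_only:
            ok = host.lower() == c.domain.lower()
        else:
            ok = domain_matches(host, c.domain)
        if ok and not (via_script and c.http_only):
            names.append(c.name)
    return sorted(names)


# Constructed jars: the broad scoping the thread suspects, and a narrow one.
WEAK = [Cookie("SID", "google.com", host_only=False)]
NARROW = [Cookie("SID", "mail.google.com", host_only=True, http_only=True)]

if __name__ == "__main__":
    for label, jar in (("weak", WEAK), ("narrow", NARROW)):
        for host in ("mail.google.com", "somewhere.google.com"):
            print(label, host, visible_to(host, jar, via_script=True))
```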
