Nov 26 2008
The issue of the blogosphere echo chamber has come up a number of times lately, with both journalists and bloggers claiming that we don’t do enough fact checking before taking a story as the truth. I’m willing to give up the point, but I’m not willing to take it as a dig against the blogosphere; instead, I think it’s a fact of human nature, which is why we need to double-check what others say, whether it’s in the newspaper, on TV, written in a blog or just word of mouth. We’re security professionals after all; we shouldn’t trust anyone without verifying.
In last night’s podcast, Rich and I mentioned a Cross Site Request Forgery (XSRF or CSRF) reported against Google by the Geek Condition blog (down as of this writing, presumably due to traffic from Google). Neither Rich nor I were very concerned about the issue, since it was stated to be an issue that had already been closed. The important part to us was the fact that it shows a weakness in the common practice of sending password reset information to a ‘trusted’ email account. As this Proof of Concept pointed out, if you can somehow create a filter on someone’s email account, you can create a filter that forwards select emails and removes them from the user’s inbox. Once that filter is in place, it’s child’s play to reset an account password and steal a domain or any other account with a similar reset method.
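The weakness described above is a settings endpoint that trusts the session cookie alone, so a form post triggered from another site rides in on the victim’s cookie. The following is an added example written for this post, not code from the original article or from Google: a toy “create mail filter” handler shown twice, once trusting only the cookie and once requiring a per-session CSRF token (plus an Origin check when the browser sends one). The session store, the site origin and the two requests are constructed for the demonstration; only the mitigation pattern is the point.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    """Minimal stand-in for an HTTP POST (constructed for this example)."""
    session_id: str           # value of the session cookie the browser attaches
    form: dict                # POSTed form fields
    origin: Optional[str] = None   # Origin header, if the browser sent one

# Server-side session store keyed by session cookie (constructed sample data).
# A CSRF attack reuses the victim's real cookie, so the forged and the
# legitimate request below both carry the same session id.
SESSIONS = {"sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)}}

# Hypothetical origin of the webmail application, not a real service.
SITE_ORIGIN = "https://mail.example.test"

def vulnerable_create_filter(req: Request, filters: dict) -> bool:
    """Accepts any post that carries a valid session cookie: a form submitted
    from a third-party page succeeds because the browser attaches the cookie."""
    sess = SESSIONS[req.session_id]
    filters.setdefault(sess["user"], []).append(dict(req.form))
    return True

def hardened_create_filter(req: Request, filters: dict) -> bool:
    """Requires a per-session token that a third-party page cannot read, and
    rejects a mismatching Origin header when one is present (defence in depth)."""
    sess = SESSIONS[req.session_id]
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so the token check does not leak timing.
    if not hmac.compare_digest(supplied, sess["csrf_token"]):
        return False
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return False
    clean = {k: v for k, v in req.form.items() if k != "csrf_token"}
    filters.setdefault(sess["user"], []).append(clean)
    return True

def demo() -> dict:
    """Runs both handlers against a cross-site post and a legitimate one.
    Returns a dict of outcomes so the behaviour can be checked, not just printed."""
    # Constructed cross-site post: the victim's cookie is present, but the
    # attacker's page has no way to include the session's CSRF token.
    forged = Request("sess-alice",
                     {"forward_to": "placeholder@example.test", "delete_original": "1"},
                     origin="https://third-party.example.test")
    # Constructed legitimate post from the application's own page.
    legit = Request("sess-alice",
                    {"forward_to": "me@example.test",
                     "csrf_token": SESSIONS["sess-alice"]["csrf_token"]},
                    origin=SITE_ORIGIN)
    vulnerable_filters, hardened_filters = {}, {}
    return {
        "vulnerable_accepts_forged": vulnerable_create_filter(forged, vulnerable_filters),
        "hardened_rejects_forged": not hardened_create_filter(forged, hardened_filters),
        "hardened_accepts_legit": hardened_create_filter(legit, hardened_filters),
        "hardened_filter_count": len(hardened_filters.get("alice", [])),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The token must be tied to the session and unavailable to other origins; checking Origin alone is not enough because older browsers may omit the header, which is why the hardened handler treats a missing Origin as “no opinion” and relies on the token.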
Right after the podcast I ran across a Google Security post stating that the CSRF bug had been fixed long ago and that the domain theft had nothing to do with the vulnerability. I’m willing to give the Google Security team the benefit of the doubt and believe them; however, I’m left with a nagging question as to whether they can really make such a statement with certainty. The referenced CSRF did in fact exist, though it was patched very quickly, and I know from clicking on a PoC for the vulnerability that it works (I won’t be doing that again). I don’t see any reason to think that someone couldn’t have gotten any number of domain owners to fall for a link exploiting the CSRF and then waited 2-3 months to make use of the compromised Gmail accounts.
The fact is, I don’t see enough evidence for or against the exploitation of this vulnerability to prove either side of the story. No amount of fact checking in the blogosphere is going to prove the point; there’s simply not enough known, and it’s almost all speculation. The Google Security team has to deny the report; it’s part of what they do. But they have done a good thing in strongly suggesting everyone force their Gmail account to use only SSL when logging in. It’s not a perfect solution, but it is a step up from what most people are currently doing.