I always wonder what I’ll wake up to on a Monday morning.
Today it was a nice new cross-site scripting (XSS) vulnerability over in Google. The details are over at bedford. org (link broken since it’s a little risky), and the focus is on Google Mail.
Bedford has three proofs of concept up. The first exploits Blogspot polls, the second Gmail contacts, and the third forwards all your incoming mail to Bedford.
I tested them out, and while the contacts one didn’t work for me in a quick test, the forward definitely worked. This means anyone can send you an email or embed code in their web page that will then forward all your Google mail to an address of their choosing.
This isn’t a particularly stealthy exploit: if you go into your Gmail settings you can check whether your account is forwarding. Just click on Settings, then Forwarding and POP, and make sure Disable forwarding is checked (as in this screenshot).
The proof of concept was posted on September 24th, so it’s not like this is the first day it’s public. Umm… I should have coffee and check the calendar before I blog; that’s today. And while my little advice will help with the forwarding problem, the base code looks like it can do pretty much anything it wants with your Google Mail account, so there’s all sorts of other possible nastiness.
Some people are recommending Firefox with NoScript. Personally, I suggest you just log out of Gmail in your web browser and set up your mail client to access Gmail directly (no browser access).
All of these are crappy workarounds until Google plugs the hole.
Update: I shouldn’t blog before my first cup of coffee. If you’re going to enable POP access, you need to first log in from a “clean” browser, change your password, then set up encrypted POP access. Google’s instructions for this are pretty easy, and seriously, don’t skip that changing your password step.
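The manual check above (Settings, Forwarding and POP) is the thing to automate if you look after more than one account. The following is an added example, not code from the original post: it audits the JSON that the current Gmail API returns for auto-forwarding (users.settings.getAutoForwarding) and for filters (users.settings.filters.list), flagging any destination the owner has not listed as trusted. Fetching those responses (OAuth and the google-api-python-client library) is left out; the sample data below is constructed.

```python
"""Flag mail forwarding that leaves a Gmail account, from API response JSON."""


def audit_forwarding(auto_forwarding, filters, trusted=()):
    """Return a list of findings describing forwarding to untrusted addresses.

    auto_forwarding: dict shaped like getAutoForwarding output,
        e.g. {"enabled": True, "emailAddress": "...", "disposition": "archive"}
    filters: list of dicts shaped like filters.list output; a filter forwards
        when its "action" has a "forward" key.
    trusted: addresses the owner knowingly forwards to; anything else is flagged.
    """
    ok = {t.lower() for t in trusted}
    findings = []

    # Account-wide auto-forwarding: the setting the post tells you to check.
    if auto_forwarding.get("enabled"):
        addr = auto_forwarding.get("emailAddress", "")
        if addr.lower() not in ok:
            findings.append(
                f"auto-forwarding enabled to {addr} "
                f"(disposition={auto_forwarding.get('disposition')})"
            )

    # Per-filter forwarding: quieter than the global switch, so check it too.
    for flt in filters:
        fwd = flt.get("action", {}).get("forward")
        if fwd and fwd.lower() not in ok:
            findings.append(
                f"filter {flt.get('id', '?')} forwards matching mail to {fwd}"
            )
    return findings


# Constructed sample data in the shape of the Gmail API responses (not real).
SAMPLE_AUTO_FORWARDING = {
    "enabled": True,
    "emailAddress": "unknown@example.invalid",
    "disposition": "archive",
}
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "bank"},
     "action": {"forward": "unknown@example.invalid"}},
    {"id": "f2", "criteria": {"subject": "invoice"},
     "action": {"addLabelIds": ["Label_1"]}},
]

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_AUTO_FORWARDING, SAMPLE_FILTERS):
        print("FINDING:", finding)
```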
(Thanks to Maynor/Errata for the heads up).
4 Replies to “Go Check Your Gmail Settings… XSS Vulnerability”
Well, I think that XSS vulnerability is very much dense in today’s world. I have also heard about Acunetix but don’t know whether it works or not.
XSS vulnerability is rising really fast; I don’t know how to protect my websites from this. Is there any tool which can tell us the way out? I have heard about Acunetix; can it help?
Interesting, I didn’t realize you could even do that.
Of course, logging out of Gmail only helps if Gmail is the only Google app you use… how many people use Google Calendar, or Google Reader, or Google Groups, etc.… The nature of single sign-on is that if you’re logged into one of them you’re logged into all of them…
That’s why I use a non-Gmail Google account for the other Google apps…