Tuesday, July 28, 2009

Google Mail (Gmail) | Fail to do Security Check Vulnerability

=============================================================
Google Mail (Gmail) Fail to do Security Check Vulnerability
=============================================================

Discovered by
Aung Khant, YGN Ethical Hacker Group, Myanmar
http://yehg.net/ ~ believe in full disclosure

Advisory URL:
http://yehg.net/lab/pr0js/advisories/gmail_fails_to_referer_check
Date published: 2009-07-27
Severity: High

Vulnerability Type: Lack of security check
Vulnerability Consequence: Spoofing/Phishing Attack Success

Vendor: Google Inc
URL: http://google.com

Vulnerable URL:
https://www.google.com/accounts/ServiceLoginAuth?service=mail


Description
===========

The Google mail service for custom domains checks the HTTP Referer field when
authenticating, i.e. when a user has submitted a username and password.
If the HTTP Referer field does not contain https://mail.google.com/a/yourname.com,
it shows the user an error message asking him to log in from his primary domain URL.

However, this security check has never been implemented in the Gmail service itself since
its launch.

Because the HTTP Referer field is not checked, phishers have always been able to steal
Google mail login credentials through fake Gmail login pages and also through
browser-based URL spoofing techniques. This exploit has been in the wild for ages.

Checking the HTTP Referer field is a very basic security measure. A one-time
token or cloud token protection would be a better choice.
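As an added illustration (not code from this advisory or from Google), the following login handler applies both checks the advisory discusses: an allowlist check on the Referer header of the credential POST, and an HMAC-based one-time form token that is bound to the visitor's session, expires, and cannot be replayed. The secret key, allowed hosts and session id are assumed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

# Assumed placeholder key; a real deployment loads this from a secret store.
SECRET_KEY = b"example-key-not-for-production"
# Hosts from which a credential POST is expected to originate (assumed list).
ALLOWED_LOGIN_HOSTS = {"mail.google.com", "www.google.com"}
# Nonces already redeemed; a real deployment would keep these in shared storage.
_used_nonces = set()


def referer_allowed(referer):
    """True only if the Referer is an https URL whose host is on the allowlist."""
    if not referer:
        return False
    parts = urlsplit(referer)
    # hostname strips userinfo and port, so "mail.google.com@evil" resolves to "evil".
    return parts.scheme == "https" and parts.hostname in ALLOWED_LOGIN_HOSTS


def issue_form_token(session_id, now=None):
    """Mint a one-time token: timestamp, random nonce, and an HMAC over both + session."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"


def verify_form_token(token, session_id, now=None, max_age=900):
    """Accept the token once: MAC must match this session, be fresh, and be unused."""
    try:
        ts_s, nonce, mac = token.split(":")
        ts = int(ts_s)
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    current = now if now is not None else time.time()
    if current - ts > max_age or nonce in _used_nonces:
        return False
    _used_nonces.add(nonce)
    return True


def accept_login_post(headers, form, session_id, now=None):
    """Reject the credential POST unless both the Referer and the one-time token pass."""
    return referer_allowed(headers.get("Referer")) and verify_form_token(form.get("token", ""), session_id, now)
```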

########################################################################################################

A Word
=======
We're no longer willing to contact the Google Security Team, who are always overproud of themselves
and who pay attention only to seemingly serious vulnerabilities.

If you are serious about better security, you need to protect not only your infrastructure but also
your visitors, some of whom turn out to be your valuable business clients/partners.

########################################################################################################

Yet another low-level flaw, which we have recorded as a video:
http://yehg.net/lab/pr0js/files.php/Exploiting-Gmail-Weak-Password-Reset.zip