I’m currently in Taiwan attending the OWASP Asia 2007 conference in large part due to generosity and coordination of Armorize Technologies. I plan to post more about the experience, but in the meantime I wanted to break blog silence to point out PDP’s ingenious Gmail CSRF attack technique where the details were partially disclosed. I haven’t verified this attack personally, but I see absolutely nothing preventing this type of attack from working exactly as advertised.
Essentially an evil website forces a logged-in Google user to create a new email filter (CSRF) which forwards out there email to any remote address of the hackers choosing. A current or incoming email arrives and poof is silently forward on its way, which would be extremely hard for anyone to spot. Simple, silent, and extremely clever. I also see why this technique could be easily applied to any other WebMail provider if they had a similar filtering technique in place.
This is especially scary because as I said WebMail accounts are in many ways more valuable than a banking accounts because they maintain access to many other online account (blog, banking, shopping, etc etc.). Check out Brian Kreb’s Washington Post article where he covers a situation where a hacker is extorting a user by locking off access to their WebMail.