<img src="https://mail.google.com/mail/?logout&hl=en" /> will log you out of your google account. But at least other functionality like sending messages seems to be protected?
Including that tag on any page - forum, blog, whatever, will log you out without your consent. For comparison, Facebook has cross-site request forgery protection for logging out
Noble intentions but please don't do this in the future. Working in security (not at google) I promise we are trying to fix it as fast as possible already :)
You may also get cash+prizes if you submit as you did but don't release it publicly.
There's probably a reason it's so unprotected (though probably not a very valid reason).
Writing CSRF-safe logout would mean that you can't have an href to a static link, and you'd to implement some sort of unique id/key and/or a form post behind the scenes.
It's definitely a bug, but I'd be shocked if they didn't know about it (and thus accept it). Its net result is to make Google accounts more secure (if more annoying to use).
Google products are pervasively checked for CSRF, in case you were worried that this was a worrying sign. I'm sure they have CSRFs, but not because they don't hunt them down.
Google does not consider this to be a security vulnerability (or at least not one they feel they can deal with). See http://www.google.com/corporate/rewardprogram.html (Logout cross-site request forgery is the section to look for).
Taking steps to prevent malicious logouts would mean that you're creating cases where a logout will not succeed. This opens the possibility of having a bug that prevents people from logging out at all, even if they want to.
Would you rather have a bug that allows logouts, or a bug that prevents them?
That said, I would love for Facebook to put this snippet in their footer.
>That said, I would love for Facebook to put this snippet in their footer.
Google has an effective way to retaliate. Consider all those non-expert users who type "facebook" in the search bar to get to Facebook and who do not know the difference between the search bar and the location bar.
11 comments
[ 2.8 ms ] story [ 36.5 ms ] threadYou may also get cash+prizes if you submit as you did but don't release it publicly.
Writing CSRF-safe logout would mean that you can't have an href to a static link, and you'd to implement some sort of unique id/key and/or a form post behind the scenes.
Google products are pervasively checked for CSRF, in case you were worried that this was a worrying sign. I'm sure they have CSRFs, but not because they don't hunt them down.
Would you rather have a bug that allows logouts, or a bug that prevents them?
That said, I would love for Facebook to put this snippet in their footer.
Google has an effective way to retaliate. Consider all those non-expert users who type "facebook" in the search bar to get to Facebook and who do not know the difference between the search bar and the location bar.