Gmail XSRF?

12 points by jnhnum1 ↗ HN
<img src="https://mail.google.com/mail/?logout&hl=en" /> will log you out of your google account. But at least other functionality like sending messages seems to be protected?

11 comments

[ 2.8 ms ] story [ 36.5 ms ] thread
Sorry, but I call that a feature, not a vulnerability.
Including that tag on any page - forum, blog, whatever, will log you out without your consent. For comparison, Facebook has cross-site request forgery protection for logging out
I emailed security@google.com, but I figured that posting it here would make it more likely for them to fix it faster.
Noble intentions but please don't do this in the future. Working in security (not at google) I promise we are trying to fix it as fast as possible already :)

You may also get cash+prizes if you submit as you did but don't release it publicly.

Yeah, because you don't understand responsible disclosure. Contact security teams first before going public with a problem.
There's probably a reason it's so unprotected (though probably not a very valid reason).

Writing CSRF-safe logout would mean that you can't have an href to a static link, and you'd to implement some sort of unique id/key and/or a form post behind the scenes.

It's definitely a bug, but I'd be shocked if they didn't know about it (and thus accept it). Its net result is to make Google accounts more secure (if more annoying to use).

Google products are pervasively checked for CSRF, in case you were worried that this was a worrying sign. I'm sure they have CSRFs, but not because they don't hunt them down.

Taking steps to prevent malicious logouts would mean that you're creating cases where a logout will not succeed. This opens the possibility of having a bug that prevents people from logging out at all, even if they want to.

Would you rather have a bug that allows logouts, or a bug that prevents them?

That said, I would love for Facebook to put this snippet in their footer.

>That said, I would love for Facebook to put this snippet in their footer.

Google has an effective way to retaliate. Consider all those non-expert users who type "facebook" in the search bar to get to Facebook and who do not know the difference between the search bar and the location bar.