Comments on: Gmail CSRF Security Flaw http://ajaxian.com/archives/gmail-csrf-security-flaw Cleaning up the web with Ajax Tue, 16 Mar 2010 23:51:05 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Note to Ajaxian Editor http://ajaxian.com/archives/gmail-csrf-security-flaw/comment-page-1#comment-245689 Note to Ajaxian Editor Tue, 02 Jan 2007 19:19:06 +0000 http://ajaxian.com/?p=1972#comment-245689 Dear Ajaxian Editor, Could you please remove the following incorrect information from the article overview above? "JSON: Removing the function call in the GMail example would mean we would have to use XHR rather then just a simple Script Tag. The door is still wide open." The original website from which it was copied was wrong, and its text has been updated to reflect that any HTTP GET that returns raw JSON are 100% fine and is not subject to Cross Site Request Forgery attacks. If your server's HTTP GET does somehting stupid like modify data - then you are not obeying the HTTP spec for GETs to be read-only actions, and its your own fault if something goes wrong. In any event, this Google bug was never a JSON problem. It could have happened with any other data format. Dear Ajaxian Editor,

Could you please remove the following incorrect information from the article overview above?

“JSON: Removing the function call in the GMail example would mean we would have to use XHR rather then just a simple Script Tag. The door is still wide open.”

The original website from which it was copied was wrong, and its text has been updated to reflect that any HTTP GET that returns raw JSON are 100% fine and is not subject to Cross Site Request Forgery attacks. If your server’s HTTP GET does somehting stupid like modify data – then you are not obeying the HTTP spec for GETs to be read-only actions, and its your own fault if something goes wrong. In any event, this Google bug was never a JSON problem. It could have happened with any other data format.

]]> By: Joe Walker http://ajaxian.com/archives/gmail-csrf-security-flaw/comment-page-1#comment-245687 Joe Walker Tue, 02 Jan 2007 18:20:06 +0000 http://ajaxian.com/?p=1972#comment-245687 The XHR comment by the JSON thing is wrong - I was typing before I'd thought about it properly. I stand by the assertion that JSON isn't always a fix however. JSON is a fix if you are doing something read-only. I've updated the blog post. The XHR comment by the JSON thing is wrong – I was typing before I’d thought about it properly. I stand by the assertion that JSON isn’t always a fix however. JSON is a fix if you are doing something read-only. I’ve updated the blog post.

]]> By: Zorba http://ajaxian.com/archives/gmail-csrf-security-flaw/comment-page-1#comment-245679 Zorba Tue, 02 Jan 2007 05:23:57 +0000 http://ajaxian.com/?p=1972#comment-245679 Martin, the XHR bit was in reference to the incorrect blog post in the ajaxian article above that claimed that Google would still be at risk even if they dropped the google() function call and just sent JSON instead. This is simply not the case due to the same origin policy. Martin, the XHR bit was in reference to the incorrect blog post in the ajaxian article above that claimed that Google would still be at risk even if they dropped the google() function call and just sent JSON instead. This is simply not the case due to the same origin policy.

]]> By: Julien Couvreur http://ajaxian.com/archives/gmail-csrf-security-flaw/comment-page-1#comment-245678 Julien Couvreur Tue, 02 Jan 2007 02:51:42 +0000 http://ajaxian.com/?p=1972#comment-245678 The example urls now return an error JSON response. Has anyone figured out what the security check is, that was added? The example urls now return an error JSON response. Has anyone figured out what the security check is, that was added?

]]> By: Martin http://ajaxian.com/archives/gmail-csrf-security-flaw/comment-page-1#comment-245677 Martin Tue, 02 Jan 2007 02:15:43 +0000 http://ajaxian.com/?p=1972#comment-245677 I don't get the bit about using XHR. The same origin policy prevents the XHR connection to GMail from some random host, no? I don’t get the bit about using XHR. The same origin policy prevents the XHR connection to GMail from some random host, no?

]]> By: Joe Walker http://ajaxian.com/archives/gmail-csrf-security-flaw/comment-page-1#comment-245676 Joe Walker Tue, 02 Jan 2007 01:50:07 +0000 http://ajaxian.com/?p=1972#comment-245676 Google have now fixed the problem properly - hence the Success:false Google have now fixed the problem properly – hence the Success:false

]]> By: only IE http://ajaxian.com/archives/gmail-csrf-security-flaw/comment-page-1#comment-245675 only IE Tue, 02 Jan 2007 01:32:20 +0000 http://ajaxian.com/?p=1972#comment-245675 To be more precise, if Google only returned JSON instead of that stupid function syntax "google({...}) " then only IE could be exploited. IE is the only browser that allows XHR to call other domains. Mozilla/Firefox will not allow it. To be more precise, if Google only returned JSON instead of that stupid function syntax “google({…}) ” then only IE could be exploited. IE is the only browser that allows XHR to call other domains. Mozilla/Firefox will not allow it.

]]> By: only IE http://ajaxian.com/archives/gmail-csrf-security-flaw/comment-page-1#comment-245674 only IE Tue, 02 Jan 2007 01:16:44 +0000 http://ajaxian.com/?p=1972#comment-245674 This exploit will only work on Internet Explorer. Mozilla/Firefox will prevent an XmlHttpRequest to another domain. Try it for yourself and see. This exploit will only work on Internet Explorer.
Mozilla/Firefox will prevent an XmlHttpRequest to another domain. Try it for yourself and see.

]]> By: Hans Duedal http://ajaxian.com/archives/gmail-csrf-security-flaw/comment-page-1#comment-245673 Hans Duedal Tue, 02 Jan 2007 00:23:46 +0000 http://ajaxian.com/?p=1972#comment-245673 Does this actually work? All I get is this: <code> google ({ Success: false, Errors: [] }) </code> Does this actually work? All I get is this:

google ({
Success: false,
Errors: []
})

]]>