gHacks technology news » google security http://www.ghacks.net A technology blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas. Sat, 07 Nov 2009 03:28:27 +0000 http://wordpress.org/?v=2.8.5 en hourly 1 Google Implements Cross-site Request Forgery Protection http://www.ghacks.net/2009/10/04/google-implements-cross-site-request-forgery-protection/ http://www.ghacks.net/2009/10/04/google-implements-cross-site-request-forgery-protection/#comments Sun, 04 Oct 2009 10:50:33 +0000 Martin http://www.ghacks.net/?p=16925 Cross-site Request Forgery are carried out from a computer system or user that is trusted by a website. Cookies that do not expire after a user closes the website or web browser are one of the most common forms of trust that can be exploited by cross-site request forgery attacks. The attacker needs to use the user’s web browser to send HTTP requests to the target website which is usually accomplished by posting these links in emails, forums, chats and other means of communication.


At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user’s web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action. (source Wikipedia)

Google has (finally) started to implement cross-site request forgery protections to protect Google users and their online services according to an article posted at the Register.

Sometime in the last three days, Google’s login pages began setting a cookie with a unique token on each user’s browser, according to Mike Bailey, a senior researcher for Foreground Security. That same value is also embedded into the login form. If the two don’t match, the user will be unable to log in.

Security experts have criticized Google in the past for not implementing a cross-site request forgery protection. Google engineers were quick to close security vulnerabilities that were caused by this attack type but did not implement a generic protection against these types of attacks.

Tags: , , , , ,

Related posts

]]> http://www.ghacks.net/2009/10/04/google-implements-cross-site-request-forgery-protection/feed/ 0 Google Chrome Security Vulnerability http://www.ghacks.net/2008/09/03/google-chrome-security-vulnerability/ http://www.ghacks.net/2008/09/03/google-chrome-security-vulnerability/#comments Wed, 03 Sep 2008 21:41:19 +0000 Martin http://www.ghacks.net/?p=6748 Now this did not take long. Only one day after releasing a first public beta version of Google Chrome researchers at Kaspersky discovered (Thanks Neil for sending the tip) a security vulnerability that combines a security flaw in Webkit, the browser engine used by Google Chrome, with a Java bug. Apple fixed the vulnerability in Safari back in July after two months of doing nothing about it and it will be interesting to see how fast Google will react to the security vulnerability.

The reason why this vulnerability is still working in Google Chrome is because Google has been using an older version of Webkit for their browser’s core. First of all, users without Java on their computers are completely safe. Users with Java and Chrome installed should read on.

The problem is serious but requires the user’s action to be triggered. If the user clicks on a specifically prepared download the file downloads and executes itself automatically without further user input.

Security expert Aviv Raff has setup a demo website that demonstrates the vulnerability in Google Chrome. The demonstration page provides a download button which will download and execute a Java file immediately without further user interaction. This demo only opens a notepad application but serious harm could be done with such an exploit.

Tags: , , , , ,

Related posts

]]> http://www.ghacks.net/2008/09/03/google-chrome-security-vulnerability/feed/ 21