Google Implements Cross-site Request Forgery Protection

Martin Brinkmann
Oct 4, 2009
Updated • Mar 17, 2015

Cross-site Request Forgery attacks are carried out from a computer system or user that is trusted by a website.

Cookies that do not expire after a user closes the website or web browser are one of the most common forms of trust that can be exploited by cross-site request forgery attacks.

The attacker needs to use the user's web browser to send HTTP requests to the target website which is usually accomplished by posting these links in emails, forums, chats and other means of communication.

At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. A user who is authenticated by a cookie saved in the user's web browser could unknowingly send an HTTP request to a site that trusts the user and thereby causes an unwanted action. (source Wikipedia)

Google has (finally) started to implement cross-site request forgery protections to protect Google users and their online services according to an article posted by the Register.

Sometime in the last three days, Google's login pages began setting a cookie with a unique token on each user's browser, according to Mike Bailey, a senior researcher for Foreground Security. That same value is also embedded into the login form. If the two don't match, the user will be unable to log in.

This means basically that Google compares the cookie set on the user system to information embedded on the company's login forms to block access to an account if the two don't match.

Security experts have criticized Google in the past for not implementing a cross-site request forgery protection. Google engineers were quick to close security vulnerabilities that were caused by this attack type but did not implement a generic protection against these types of attacks.


Tutorials & Tips

Previous Post: «
Next Post: «


There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.