Comments on: GMail POST Mortem, CSRF Countermeasures and NoScript Misconceptions http://hackademix.net/2007/09/26/gmail_csrf/ Giorgio Maone's answers to the Web, the Universe, and Everything Tue, 02 Dec 2008 12:45:00 +0000 http://wordpress.org/?v=2.2.3 By: hackademix.net » Petko Was Playing With Fire... http://hackademix.net/2007/09/26/gmail_csrf/#comment-8989 hackademix.net » Petko Was Playing With Fire... Wed, 13 Aug 2008 23:13:30 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-8989 [...] if Petko is right, a certain comment of his about NoScript, posted under an article about GMail attacks (!) almost one year ago, sounds totally ironic now [...] […] if Petko is right, a certain comment of his about NoScript, posted under an article about GMail attacks (!) almost one year ago, sounds totally ironic now […]

]]> By: Ninjas http://hackademix.net/2007/09/26/gmail_csrf/#comment-1677 Ninjas Wed, 21 Nov 2007 21:49:33 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-1677 Nice link power! http://http//hackademix.net/2007/09/24/googhole-xss-pwning-gmail-picasa-and-almost-200k-customers/ WOO! Nice link power!

http://http//hackademix.net/2007/09/24/googhole-xss-pwning-gmail-picasa-and-almost-200k-customers/

WOO!

]]> By: Alessandro http://hackademix.net/2007/09/26/gmail_csrf/#comment-550 Alessandro Sat, 29 Sep 2007 14:22:55 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-550 Hi Giorgio! I follow you and your posts from many time. I appreciate your Firefox extension, NoScript, and I suggest its use to all my friends. I work in information security and I can affirm that your extension works fine..It has been tested to arginate several web attack attempt and passes in honest way. Great. Hi Giorgio!
I follow you and your posts from many time. I appreciate your Firefox extension, NoScript, and I suggest its use to all my friends.

I work in information security and I can affirm that your extension works fine..It has been tested to arginate several web attack attempt and passes in honest way.

Great.

]]> By: Giorgio http://hackademix.net/2007/09/26/gmail_csrf/#comment-531 Giorgio Fri, 28 Sep 2007 13:31:02 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-531 @<b>sirdarckcat</b>: Yours is subtle yet scary. If we count all them I'm afraid there are a few more than 5, but I'll better wait the week end to do an ultimate recap ;) @sirdarckcat:
Yours is subtle yet scary.
If we count all them I’m afraid there are a few more than 5, but I’ll better wait the week end to do an ultimate recap ;)

]]> By: sirdarckcat http://hackademix.net/2007/09/26/gmail_csrf/#comment-530 sirdarckcat Fri, 28 Sep 2007 12:54:14 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-530 Cool :P now there are 5 Google vulns hehe http://sirdarckcat.blogspot.com/2007/09/google-mashups-vulnerability.html let's say this is a historic event.. I submited a similar comment to xs-sniper, but it showed a Forbidden error.. :S Greetz!! Cool :P
now there are 5 Google vulns hehe
http://sirdarckcat.blogspot.com/2007/09/google-mashups-vulnerability.html

let’s say this is a historic event.. I submited a similar comment to xs-sniper, but it showed a Forbidden error.. :S

Greetz!!

]]> By: Google Gmail: “E-mail Hijack” via CSRF « Simply Security http://hackademix.net/2007/09/26/gmail_csrf/#comment-526 Google Gmail: “E-mail Hijack” via CSRF « Simply Security Fri, 28 Sep 2007 08:01:25 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-526 [...] XSS, od anche contro le recenti popolari vulnerabilità dei gestori URI. Consigliamo a tutti di leggere interamente l’intervento di Maone che offre numerosi dettagli sulle potenzialità di [...] […] XSS, od anche contro le recenti popolari vulnerabilità dei gestori URI. Consigliamo a tutti di leggere interamente l’intervento di Maone che offre numerosi dettagli sulle potenzialità di […]

]]> By: pdp http://hackademix.net/2007/09/26/gmail_csrf/#comment-498 pdp Thu, 27 Sep 2007 03:05:24 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-498 don't get me wrong, Giorgio work is highly appreciated, all I am saying is that users don't have to be experts in order to know what sites should be able to use scripts. How do u trust a site? If it looks good? In order to trust the application that you are about to grant some permissions you have to really know what you are doing. In that case, how does this helps the normal user? They have to check the source code? It does help if you are visiting some doggy cracking sites and you expect to be hit any moment so u need to put your shields up, but for normal surfing... I don't know man. The web is changing drastically if you haven't noticed. Websites are almost like desktop applications. Do you have an warning from your Ant-vir every time you try to run an app? No! They try to mitigate the problem before warning you, if there is one. And what about mashups? I mean, mashups are just combination of a bunch of services. So in order to run the stupid Google Maps you have to approve all websites the mashup is feeding from or interacting with? This is only for experienced surfers and web dev guys. Anyway, again, great work Giorgio. It is always good to get a different opinion. It helps you see the bigger picture sometimes. As a security expert, I am supposed to preach about Application Firewalls, NoScript, IDSs, etc, but I don't. It is not just black and white. It is all about risk management. You cannot say to someone install this and your problem will be solved. It doesn't work this way. Keep it up. don’t get me wrong, Giorgio work is highly appreciated, all I am saying is that users don’t have to be experts in order to know what sites should be able to use scripts. How do u trust a site? If it looks good? In order to trust the application that you are about to grant some permissions you have to really know what you are doing. In that case, how does this helps the normal user? They have to check the source code? It does help if you are visiting some doggy cracking sites and you expect to be hit any moment so u need to put your shields up, but for normal surfing… I don’t know man. The web is changing drastically if you haven’t noticed. Websites are almost like desktop applications. Do you have an warning from your Ant-vir every time you try to run an app? No! They try to mitigate the problem before warning you, if there is one.

And what about mashups? I mean, mashups are just combination of a bunch of services. So in order to run the stupid Google Maps you have to approve all websites the mashup is feeding from or interacting with? This is only for experienced surfers and web dev guys. Anyway, again, great work Giorgio. It is always good to get a different opinion. It helps you see the bigger picture sometimes.

As a security expert, I am supposed to preach about Application Firewalls, NoScript, IDSs, etc, but I don’t. It is not just black and white. It is all about risk management. You cannot say to someone install this and your problem will be solved. It doesn’t work this way.

Keep it up.

]]> By: nap http://hackademix.net/2007/09/26/gmail_csrf/#comment-489 nap Wed, 26 Sep 2007 16:55:54 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-489 NoScript is certainly not like firebug (i use both). I've been using it for months for "technologically savvy" uses, but soon I realized that anybody can benefit of using it - with scripts globally allowed- to increase security while maintaining usability. It is certainly an add-on everybody can benefit from. NoScript is certainly not like firebug (i use both). I’ve been using it for months for “technologically savvy” uses, but soon I realized that anybody can benefit of using it - with scripts globally allowed- to increase security while maintaining usability. It is certainly an add-on everybody can benefit from.

]]> By: Jordan http://hackademix.net/2007/09/26/gmail_csrf/#comment-487 Jordan Wed, 26 Sep 2007 16:39:50 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-487 I installed NoScript on my wife's computer. She's by no means a geek, and she makes do with it. Also, no, it doesn't really break much of anything since I've used NoScript with that option for quite some time without problems. I know Giorgio sounds like he's doing PR for a company for as many times as he writes about NoScript, but he deserves to. He really puts so much work into maintaining it and adding great features, and it's easily my number one firefox extension. Now's as good of a time as any to say thanks, I suppose! I installed NoScript on my wife’s computer. She’s by no means a geek, and she makes do with it.

Also, no, it doesn’t really break much of anything since I’ve used NoScript with that option for quite some time without problems.

I know Giorgio sounds like he’s doing PR for a company for as many times as he writes about NoScript, but he deserves to. He really puts so much work into maintaining it and adding great features, and it’s easily my number one firefox extension.

Now’s as good of a time as any to say thanks, I suppose!

]]> By: pdp http://hackademix.net/2007/09/26/gmail_csrf/#comment-483 pdp Wed, 26 Sep 2007 12:28:39 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-483 "No, she doesn’t, but she’s got NoScript — and her mom too…" :) heh.. nice one... “No, she doesn’t, but she’s got NoScript — and her mom too…”

:) heh.. nice one…

]]>