Comments on: GMail POST Mortem, CSRF Countermeasures and NoScript Misconceptions http://hackademix.net/2007/09/26/gmail_csrf/ Giorgio Maone's answers to the Web, the Universe, and Everything Sat, 31 Jul 2010 04:29:33 +0000 http://wordpress.org/?v=2.2.3 By: Club Penguin Cheats http://hackademix.net/2007/09/26/gmail_csrf/#comment-19488 Club Penguin Cheats Sun, 17 Jan 2010 02:25:49 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-19488 Don’t get me wrong. NoScript is one of the best things that have happened to Firefox and my and the rest of the community truly appreciate the work that has bee done. But also, I have to say that normal users will hate it in their guts mainly because it makes their MySpace page not working. We know that we cannot make regular users security experts just so they don’t get hacked. They have other problems to worry about. The only proven way of protecting them is to write secure software. But again, that will never happen. Don’t get me wrong. NoScript is one of the best things that have happened to Firefox and my and the rest of the community truly appreciate the work that has bee done. But also, I have to say that normal users will hate it in their guts mainly because it makes their MySpace page not working. We know that we cannot make regular users security experts just so they don’t get hacked. They have other problems to worry about. The only proven way of protecting them is to write secure software. But again, that will never happen.

]]> By: hackademix.net » Browser Plugins, Add-Ons and Security Advisers http://hackademix.net/2007/09/26/gmail_csrf/#comment-10828 hackademix.net » Browser Plugins, Add-Ons and Security Advisers Sun, 08 Feb 2009 01:06:38 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-10828 [...] I choose qmail for my example because of its almost immaculate security records: should you pick a single product to illustrate mail server security risks, you’d bash Sendmail with its several documented vulnerabilities, rather than DJB’s impervious creature. However the article inexplicably morphed “qmail” into GMail, making my point quite obscure (given that GMail is not even a proper mail server, nor exactly a security champion). [...] […] I choose qmail for my example because of its almost immaculate security records: should you pick a single product to illustrate mail server security risks, you’d bash Sendmail with its several documented vulnerabilities, rather than DJB’s impervious creature. However the article inexplicably morphed “qmail” into GMail, making my point quite obscure (given that GMail is not even a proper mail server, nor exactly a security champion). […]

]]> By: Google Gmail E-mail Hijack | keyongtech http://hackademix.net/2007/09/26/gmail_csrf/#comment-10536 Google Gmail E-mail Hijack | keyongtech Thu, 22 Jan 2009 00:56:28 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-10536 [...] Use Firefox with No-Script: GMail POST Mortem, CSRF Countermeasures and NoScript Misconceptions: http://hackademix.net/2007/09/26/gmail_csrf/ [...] […] Use Firefox with No-Script: GMail POST Mortem, CSRF Countermeasures and NoScript Misconceptions: http://hackademix.net/2007/09/26/gmail_csrf/ […]

]]> By: hackademix.net » Petko Was Playing With Fire... http://hackademix.net/2007/09/26/gmail_csrf/#comment-8989 hackademix.net » Petko Was Playing With Fire... Wed, 13 Aug 2008 23:13:30 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-8989 [...] if Petko is right, a certain comment of his about NoScript, posted under an article about GMail attacks (!) almost one year ago, sounds totally ironic now [...] […] if Petko is right, a certain comment of his about NoScript, posted under an article about GMail attacks (!) almost one year ago, sounds totally ironic now […]

]]> By: Ninjas http://hackademix.net/2007/09/26/gmail_csrf/#comment-1677 Ninjas Wed, 21 Nov 2007 21:49:33 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-1677 Nice link power! http://http//hackademix.net/2007/09/24/googhole-xss-pwning-gmail-picasa-and-almost-200k-customers/ WOO! Nice link power!

http://http//hackademix.net/2007/09/24/googhole-xss-pwning-gmail-picasa-and-almost-200k-customers/

WOO!

]]> By: Alessandro http://hackademix.net/2007/09/26/gmail_csrf/#comment-550 Alessandro Sat, 29 Sep 2007 14:22:55 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-550 Hi Giorgio! I follow you and your posts from many time. I appreciate your Firefox extension, NoScript, and I suggest its use to all my friends. I work in information security and I can affirm that your extension works fine..It has been tested to arginate several web attack attempt and passes in honest way. Great. Hi Giorgio!
I follow you and your posts from many time. I appreciate your Firefox extension, NoScript, and I suggest its use to all my friends.

I work in information security and I can affirm that your extension works fine..It has been tested to arginate several web attack attempt and passes in honest way.

Great.

]]> By: Giorgio http://hackademix.net/2007/09/26/gmail_csrf/#comment-531 Giorgio Fri, 28 Sep 2007 13:31:02 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-531 @<b>sirdarckcat</b>: Yours is subtle yet scary. If we count all them I'm afraid there are a few more than 5, but I'll better wait the week end to do an ultimate recap ;) @sirdarckcat:
Yours is subtle yet scary.
If we count all them I’m afraid there are a few more than 5, but I’ll better wait the week end to do an ultimate recap ;)

]]> By: sirdarckcat http://hackademix.net/2007/09/26/gmail_csrf/#comment-530 sirdarckcat Fri, 28 Sep 2007 12:54:14 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-530 Cool :P now there are 5 Google vulns hehe http://sirdarckcat.blogspot.com/2007/09/google-mashups-vulnerability.html let's say this is a historic event.. I submited a similar comment to xs-sniper, but it showed a Forbidden error.. :S Greetz!! Cool :P
now there are 5 Google vulns hehe
http://sirdarckcat.blogspot.com/2007/09/google-mashups-vulnerability.html

let’s say this is a historic event.. I submited a similar comment to xs-sniper, but it showed a Forbidden error.. :S

Greetz!!

]]> By: Google Gmail: “E-mail Hijack” via CSRF « Simply Security http://hackademix.net/2007/09/26/gmail_csrf/#comment-526 Google Gmail: “E-mail Hijack” via CSRF « Simply Security Fri, 28 Sep 2007 08:01:25 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-526 [...] XSS, od anche contro le recenti popolari vulnerabilità dei gestori URI. Consigliamo a tutti di leggere interamente l’intervento di Maone che offre numerosi dettagli sulle potenzialità di [...] […] XSS, od anche contro le recenti popolari vulnerabilità dei gestori URI. Consigliamo a tutti di leggere interamente l’intervento di Maone che offre numerosi dettagli sulle potenzialità di […]

]]> By: pdp http://hackademix.net/2007/09/26/gmail_csrf/#comment-498 pdp Thu, 27 Sep 2007 03:05:24 +0000 http://hackademix.net/2007/09/26/gmail_csrf/#comment-498 don't get me wrong, Giorgio work is highly appreciated, all I am saying is that users don't have to be experts in order to know what sites should be able to use scripts. How do u trust a site? If it looks good? In order to trust the application that you are about to grant some permissions you have to really know what you are doing. In that case, how does this helps the normal user? They have to check the source code? It does help if you are visiting some doggy cracking sites and you expect to be hit any moment so u need to put your shields up, but for normal surfing... I don't know man. The web is changing drastically if you haven't noticed. Websites are almost like desktop applications. Do you have an warning from your Ant-vir every time you try to run an app? No! They try to mitigate the problem before warning you, if there is one. And what about mashups? I mean, mashups are just combination of a bunch of services. So in order to run the stupid Google Maps you have to approve all websites the mashup is feeding from or interacting with? This is only for experienced surfers and web dev guys. Anyway, again, great work Giorgio. It is always good to get a different opinion. It helps you see the bigger picture sometimes. As a security expert, I am supposed to preach about Application Firewalls, NoScript, IDSs, etc, but I don't. It is not just black and white. It is all about risk management. You cannot say to someone install this and your problem will be solved. It doesn't work this way. Keep it up. don’t get me wrong, Giorgio work is highly appreciated, all I am saying is that users don’t have to be experts in order to know what sites should be able to use scripts. How do u trust a site? If it looks good? In order to trust the application that you are about to grant some permissions you have to really know what you are doing. In that case, how does this helps the normal user? They have to check the source code? It does help if you are visiting some doggy cracking sites and you expect to be hit any moment so u need to put your shields up, but for normal surfing… I don’t know man. The web is changing drastically if you haven’t noticed. Websites are almost like desktop applications. Do you have an warning from your Ant-vir every time you try to run an app? No! They try to mitigate the problem before warning you, if there is one.

And what about mashups? I mean, mashups are just combination of a bunch of services. So in order to run the stupid Google Maps you have to approve all websites the mashup is feeding from or interacting with? This is only for experienced surfers and web dev guys. Anyway, again, great work Giorgio. It is always good to get a different opinion. It helps you see the bigger picture sometimes.

As a security expert, I am supposed to preach about Application Firewalls, NoScript, IDSs, etc, but I don’t. It is not just black and white. It is all about risk management. You cannot say to someone install this and your problem will be solved. It doesn’t work this way.

Keep it up.

]]>