[Full-Disclosure] Gmail Information Disclosure Vulnerability

amforward_at_mailsurf.com
Date: 07/04/04

    To: full-disclosure@lists.netsys.com
    Date: Sun,  4 Jul 2004 19:10:44 +0000
    Brief
    --------------
    While I was playing with Gmail, I found a bug that may disclose
    information about the users currently attempting to register a new
    Gmail account. This seems to be a vulnerability with low severity (at
    least until now).

    CheckAvailability Script
    --------------
    In the registration page, the "Check Availability" button queries a
    certain script, namely /accounts/CheckAvailability. The script takes
    the desired username, and checks if it is available. If it is not
    available, it suggests other usernames by concatenating, for example,
    your last name to it.

    The Problem
    --------------
    There seems to be a thread-safety problem with the CheckAvailability
    script. When the script is under heavy stress, it may return answers
    to queries that are not yours, revealing others' desired usernames,
    and first and last names (see attached screenshot).

    Reproduction
    --------------
    To reproduce it, you should:

    a. Have a valid Gmail invitation
    AND
    b. Frequently invoke CheckAvailability by
       1. Creating a tool that automates the script invocation,
       OR
       2. Having the patience to keep clicking the button frequently (this
          works too!).

    I have not yet carefully studied the script, but I think it might not
    be a problem with this script only, but others as well. Your thoughts
    are appreciated.

    Regards,
    Ahmed Motaz

    ------------------------------------------------------
    Mailsurf.com your communication portal for SMS,
    Email, Fax, E-Cards and more. www.mailsurf.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


    Attachment: gmail-screenshot.gif
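The bug class the post describes, shown as an added example that is not part of the original message and not Gmail's code (the real CheckAvailability implementation is not public, so everything here is a hypothetical model): a request handler that parks per-request data in process-wide state, so that under overlapping load one request is answered with another user's username and last name, next to the fix, which keeps the request on the handling goroutine's own stack. The `Request` fields, the `taken` map and the `user000`-style names are constructed; the `sync.WaitGroup` barrier stands in for heavy load by forcing all requests to be in flight at once.

```go
package main

import (
	"fmt"
	"strings"
	"sync"
)

// Request is the form the "Check Availability" button submits (field names assumed).
type Request struct {
	Username  string
	FirstName string
	LastName  string
}

// taken is a constructed stand-in for the registered-username store.
var taken = map[string]bool{"alice": true, "user007": true}

// suggest answers one request: available, or taken plus a suggestion built by
// concatenating the last name, as the post describes.
func suggest(r Request) string {
	if !taken[r.Username] {
		return r.Username + " is available"
	}
	return fmt.Sprintf("%s is taken; try %s%s", r.Username, r.Username, strings.ToLower(r.LastName))
}

// Handler takes the request plus a barrier that models heavy load: every request
// is parked on it until all of them have arrived, so their lifetimes overlap.
type Handler func(r Request, overlap *sync.WaitGroup) string

// Vulnerable: per-request state lives in a process-wide variable. The mutex keeps
// the write itself memory-safe, which is exactly why this bug is easy to miss:
// locking protects the field, not the request it was supposed to belong to.
var (
	stateMu sync.Mutex
	current Request
)

func checkAvailabilityShared(r Request, overlap *sync.WaitGroup) string {
	stateMu.Lock()
	current = r // step 1: stash the request in shared state
	stateMu.Unlock()

	overlap.Done()
	overlap.Wait() // step 2: other requests arrive and overwrite it

	stateMu.Lock()
	defer stateMu.Unlock()
	return suggest(current) // step 3: answers whoever wrote last, not r
}

// Fixed: the request never leaves the goroutine that owns it.
func checkAvailabilityLocal(r Request, overlap *sync.WaitGroup) string {
	local := r
	overlap.Done()
	overlap.Wait()
	return suggest(local)
}

// stress runs n overlapping requests through h and returns how many of the n
// responses name a different username than the one that was submitted.
func stress(n int, h Handler) int {
	var overlap, done sync.WaitGroup
	overlap.Add(n)
	done.Add(n)
	results := make([]string, n) // each goroutine writes only its own slot
	for i := 0; i < n; i++ {
		go func(i int) {
			defer done.Done()
			req := Request{
				Username:  fmt.Sprintf("user%03d", i),
				FirstName: "First",
				LastName:  fmt.Sprintf("Last%03d", i),
			}
			results[i] = h(req, &overlap)
		}(i)
	}
	done.Wait()

	leaked := 0
	for i, resp := range results {
		if !strings.HasPrefix(resp, fmt.Sprintf("user%03d ", i)) {
			leaked++
		}
	}
	return leaked
}

func main() {
	fmt.Println("shared state, leaked responses:", stress(50, checkAvailabilityShared))
	fmt.Println("local state,  leaked responses:", stress(50, checkAvailabilityLocal))
}
```

With the shared-state handler every response but one (the last writer's) carries another user's username and last name, which is the leak the post observed; the local-state handler leaks nothing. The barrier only makes the overlap deterministic; on a real server the same overlap is what "heavy stress" produces by chance, which is why the original reporter needed either a tool or patience to see it.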