-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2/12/10 3:37 AM, Kristian Erik Hermansen wrote:
> Greetings,
>
> Google Buzz is an incredibly useful new social networking service.
> However, it is also quite vulnerable to persistent CSRF attacks when
> data is pulled from external data feeds. For instance, I encourage
> you to follow me on Google Buzz by utilizing my profile below and
> clicking "FOLLOW". You can probably also search for me in Google
> Buzz's interface within GMail as well.
>
> http://www.google.com/profiles/kristian.hermansen
> http://kristian-hermansen.blogspot.com/2010/02/google-buzz-csrf-test.html
>
> My proof-of-concept merely executes a denial of service against Google
> Buzz users for which the only recovery is to disable IMG tag loading,
> reload Google Buzz, and either "mute" the posting or unfollow me
> permanently. This is a non-intrusive PoC to demonstrate weaknesses and
> the ever-increasing need to protect against CSRF attacks. I hope you
> enjoy the demonstration.
>
> Cheers,
Doesn't work for me
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkt1btgACgkQAr2PPaFwRuqU9gCfcYu8WjlZIhkVcM9RWkiX8UYP
nnAAnj1z7kEsIW5ii71dKzCK+LB79D3Y
=0x85
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
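The weakness described in the quoted post is that markup syndicated from an external feed is rendered as-is, so a third party controls which URLs every viewer's browser fetches (the IMG-tag loads that the PoC relies on). The usual mitigation is to never render feed HTML verbatim: allowlist a few tags, strip every attribute that is not explicitly permitted (event handlers, style), accept only http(s) URLs, and route images through a same-origin proxy so the viewer's browser never contacts the feed author's chosen host directly. The sanitizer below is an added example written for this thread, not code from the post, from Google Buzz, or from any library; the `/imgproxy` endpoint it rewrites image sources to is a hypothetical same-origin service assumed to exist.

```python
"""Allowlist sanitizer for HTML pulled from untrusted external feeds.

Added example (not Google's or the poster's code). Tags outside a small
allowlist are dropped (their text is kept), script/style bodies are
discarded, only explicitly allowed attributes survive, link/image URLs
must be http(s), and every <img> is rewritten to a hypothetical
same-origin proxy (IMG_PROXY_PATH) instead of pointing the viewer's
browser at an arbitrary third-party host.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SKIP_BODY_TAGS = {"script", "style"}
# Hypothetical same-origin endpoint (an assumption of this example); a real
# proxy would also cap size, check the content type and cache server-side.
IMG_PROXY_PATH = "/imgproxy?url="


def _safe_http_url(url):
    """True only for absolute http(s) URLs; rejects javascript:, data:, etc."""
    parts = urlsplit(url.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_BODY_TAGS:
            self._skipping += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # on* handlers, style, id, ... never survive
            if name in ("href", "src"):
                if not _safe_http_url(value):
                    continue
                if tag == "img":
                    # Browser fetches from our own origin, not the feed's host.
                    value = IMG_PROXY_PATH + quote(value, safe="")
            kept.append((name, value))
        if tag == "img" and not any(n == "src" for n, _ in kept):
            return  # image without an acceptable src is dropped entirely
        attr_text = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void tags need no closing tag

    def handle_endtag(self, tag):
        if tag in SKIP_BODY_TAGS:
            self._skipping = max(0, self._skipping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data))  # re-escape all text content


def sanitize_feed_html(html_text):
    """Return a rendering-safe version of untrusted feed markup."""
    parser = FeedSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of hostile feed markup, for demonstration only.
    sample = ('<p onclick="x()">Hi <img src="http://evil.example/a.png" '
              'onerror="x()"> <script>bad()</script>'
              '<a href="javascript:alert(1)">l</a></p>')
    print(sanitize_feed_html(sample))
```

The design choice worth noting is the proxy rewrite: dropping images altogether would stop the cross-site loads but also break legitimate feeds, whereas proxying keeps images while making the server, not each reader's browser, the party that talks to the third-party host, where rate limits, size caps and content-type checks can be enforced.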
