CSRF/XSS in GMail leads to domains being stolen

Date November 24, 2008

News over the weekend points to a new version of a previous exploit against GMail being used to steal users’ domains through registrar transfers.

I actually used this very exploit as an example in my CSRF talk at SDBP, so I know that the original version was fixed.  I have no idea whether this is a “new” CSRF version, some regression that made it vulnerable again, or another vector (rumor is XSS rather than CSRF, but no details yet).

I’m not all that amazed at the comments on Digg about this – it (still) seems that CSRF is not a very well known attack vector.  One commenter even thinks that turning SSL on makes this go away!  I remember the days when many people thought SSL was the solution to most webapp vulnerabilities :)

In any case, I think one of the comments was spot on:

GMail could fix this by simply asking you to confirm password when setting a filter that deals with an external email address.

It’s pretty clear by now that technology-only solutions are not keeping up with the attacks.  For things that are as critical as email (and banking), I don’t think users will be all that pissed off if they are asked for their password whenever a sensitive operation is about to take place.  By asking for information that only the legitimate user knows, and that can’t be dug out of a page or a request, these attacks are effectively mitigated.

This of course doesn’t help in any way people that choose weak passwords, but that’s another problem.
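To make the re-authentication idea concrete, here is an added example (my own sketch, not Google’s code or anything from the original reports) of a filter-creation handler in two forms: the first trusts the session cookie alone, so a cross-site form POST that the browser decorates with the victim’s cookie goes through; the second refuses to create a filter that forwards to an external address unless the account password is supplied in the same request, which a forged cross-site request cannot do. The user store, field names, PBKDF2 parameters and the “external address means a different mail domain” rule are all assumptions for the example. Note the limit the retraction below implies: if the attacker already phished the password, a password prompt stops nothing.

```python
import hashlib
import hmac
import os

# Example code, not GMail's implementation. The user record layout, the form
# field names and the "external address" rule below are assumptions.


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(address: str, password: str) -> dict:
    """Constructed account record: address, salt, password hash, filter list."""
    salt = os.urandom(16)
    return {"address": address, "salt": salt,
            "pw_hash": hash_password(password, salt), "filters": []}


def verify_password(user: dict, candidate: str) -> bool:
    # Constant-time comparison so the re-auth check itself leaks no timing.
    return hmac.compare_digest(user["pw_hash"], hash_password(candidate, user["salt"]))


def is_external(address: str, user: dict) -> bool:
    """Forwarding outside the victim's own mail domain is what the attack needs."""
    own_domain = user["address"].rsplit("@", 1)[1].lower()
    return address.rsplit("@", 1)[1].lower() != own_domain


def set_filter_vulnerable(session: dict, form: dict, users: dict) -> str:
    """Trusts the session cookie alone. A cross-site POST arrives with the
    victim's cookie attached by the browser, so a forged request is accepted."""
    user = users.get(session.get("user"))
    if user is None:
        return "401 not logged in"
    user["filters"].append({"from": form["from"], "forward_to": form["forward_to"]})
    return "200 filter added"


def set_filter_reauth(session: dict, form: dict, users: dict) -> str:
    """Same handler, but a filter forwarding to an external address requires
    the account password in the request. The attacker's page can set any
    form field it likes, except the one value it does not know."""
    user = users.get(session.get("user"))
    if user is None:
        return "401 not logged in"
    if is_external(form["forward_to"], user) and not verify_password(user, form.get("password", "")):
        return "403 password confirmation required"
    user["filters"].append({"from": form["from"], "forward_to": form["forward_to"]})
    return "200 filter added"


def demo() -> dict:
    """Run both handlers against a constructed forged request and a legitimate one."""
    victim, password = "victim@gmail.example", "correct horse battery staple"
    session = {"user": victim}  # what the victim's cookie resolves to server-side

    # Constructed forged request: an attacker-controlled page auto-submits this
    # form to the filter endpoint. It can name any registrar and any forward
    # target, but it cannot include the victim's password.
    forged = {"from": "registrar.example", "forward_to": "attacker@evil.example"}

    users_a = {victim: make_user(victim, password)}
    users_b = {victim: make_user(victim, password)}
    return {
        "vulnerable_forged": set_filter_vulnerable(session, dict(forged), users_a),
        "reauth_forged": set_filter_reauth(session, dict(forged), users_b),
        "reauth_wrong_pw": set_filter_reauth(session, {**forged, "password": "guess"}, users_b),
        "reauth_legit": set_filter_reauth(session, {**forged, "password": password}, users_b),
        # A same-domain forward is not the dangerous case, so no prompt is needed.
        "reauth_internal": set_filter_reauth(
            session, {"from": "x", "forward_to": "other@gmail.example"}, users_b),
        "filters_after_forgery_only": len(users_a[victim]["filters"]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The password prompt only fires for the operation that actually matters here (forwarding mail off-site), so ordinary filter edits stay frictionless; scoping the prompt that way is what keeps the “users won’t mind” argument above plausible.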

Updated 11.25.08
http://www.mikeandrews.com/2008/11/25/retraction-phishing-not-csrf-leads-to-domain-hijacking/

One Response to “CSRF/XSS in GMail leads to domains being stolen”

  1. [retraction] Phishing (not CSRF) leads to domain hijacking | Mike Andrews said:

    [...] I posted about some accounts being hijacked via a *potential* CSRF hack that was being reported.  In my [...]
