[retraction] Phishing (not CSRF) leads to domain hijacking
November 25, 2008
Previously I posted about some accounts being hijacked via a *potential* CSRF attack that was being reported. In my defense, I did say…
Have no idea if this is a "new" CSRF version, some regression that made it vulnerable again, or another vector (rumor is XSS rather than CSRF, but no details yet).
…but Google says it isn’t so. They also say that the previously reported domain hijacking(s) weren’t through a CSRF vulnerability. In the interest of being honest and open, and of correcting any mistakes I make, I’ve updated the old post and written this one.
Now, I’m as skeptical as the next person (ask the people who work with me!), but if they say it’s fixed, and has been for some time, who am I to argue. The main point I’m trying to make, though, is that whatever the vulnerability du jour is, webmail is a huge target now that it carries not just our email but, effectively, our authentication system as well (password resets and account recovery for lots of other sites go through it).
With this in mind, we have to make sure that these systems are rock-solid. There’s no protecting against human stupidity (and I’m stupid as well at times, so that’s not a dig at any user base in particular), but it should be really difficult for people to screw up and give attackers access to their accounts and the data in them. There’s far too much to go into the "how" in a blog post like this, and there will be some complaining (from both users and programmers) about how to go about it, but I think it’s becoming increasingly obvious that the web just doesn’t have the level of security and quality it needs to be a "trusted" platform, if that can ever be imagined.
We have such a long way to go.

November 25th, 2008 at 8:48 pm
CSRF/XSS in GMail leads to domains being stolen | Mike Andrews said: [...] Updated 11.25.08: http://www.mikeandrews.com/2008/11/25/retraction-phishing-not-csrf-leads-to-domain-hijacking/ [...]
November 26th, 2008 at 5:08 am
windexh8er said: No credit where credit is due?
November 26th, 2008 at 10:12 am
Mike said: Credit who?