Google Reader CSRF

Google Reader, a Google product for displaying RSS feeds that I use regularly, is vulnerable to CSRF. Because it displays img and iframe tags without proper sanitization and security checks, a feed author can force the user's browser to load a malicious URL. That URL could simply be a JavaScript file that performs a POST to a Google web application. The POST will succeed provided the user is actively logged in to the web app being attacked. The 0xfeedface RSS feed provides an example attack, titled "Test Post 4", which logs the user off all Google web apps. Please note that viewing the RSS feed directly in a browser (such as Firefox) might also log you off Google web apps.

Edit (17 Dec 2009 12:00 AM GMT-7): The example attack in "Test Post 5" is a more likely scenario. I will be using Test Post 5 to figure out if I can do more than log the person out (maybe send emails through GMail).
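The reader-side fix for the flaw described above is to render feed item HTML through an allowlist rather than verbatim. The following is an added example of such a sanitizer (not Google Reader's code, and the attacker.invalid URLs in the sample item are constructed): it keeps a few formatting tags, drops anything that triggers a request or runs script (img, iframe, script, event handler attributes, javascript: links), and reports what it removed so a reader could log suspicious feeds.

```python
"""Allowlist sanitizer for RSS/Atom item HTML (added example, not Google Reader's code).

Feed item bodies are attacker-controlled. A reader that renders them verbatim will
fetch any <img>/<iframe> URL with the user's cookies, which is the cross-site
request the post describes. Only harmless formatting survives this sanitizer.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
                "a", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}          # attributes kept, per tag
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []                 # tags removed; useful for detection/logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:       # img, iframe, script, object, ... all land here
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                  # drops on* handlers, style, src, etc.
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue                  # rejects javascript:, data:, vbscript: links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))     # text is re-escaped, never passed through raw


def sanitize_feed_html(item_html):
    """Return (clean_html, dropped_tags) for one feed item body."""
    p = FeedSanitizer()
    p.feed(item_html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample item modelled on the post's scenario (attacker.invalid is a placeholder).
SAMPLE_ITEM = ('<p>Test post</p><img src="http://attacker.invalid/logout.js">'
               '<iframe src="http://attacker.invalid/csrf"></iframe>'
               '<a href="javascript:alert(1)">x</a><a href="https://example.com/">ok</a>')

if __name__ == "__main__":
    clean, dropped = sanitize_feed_html(SAMPLE_ITEM)
    print(clean)                          # <p>Test post</p><a>x</a><a href="https://example.com/">ok</a>
    print("dropped:", dropped)            # dropped: ['img', 'iframe']
```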

Comments

Trust

It's good to be aware of the vulnerability in Google Reader, and it's obviously a problem that Google should fix. In the meantime, it would be wise to stick to subscribing to trusted RSS feeds. An attacker would need to inject malicious tags into the source of the feed in order to take advantage of the vulnerability. So, as long as your feeds don't contain any user or publicly submitted feed items, and you trust the feed source to not be malicious (or compromised), then you're safe.

Can't trust Shawn ;P

It logged me out, even from Firefox's RSS reader. That's interesting.
