Comments on: CSRF-ing “Blogger Classic” http://www.gnucitizen.org/blog/csrf-ing-blogger-classic/ Information Security Think Tank Tue, 06 Jan 2009 08:15:53 +0000 http://wordpress.org/?v=2.7 hourly 1 By: Adrian Pastor http://www.gnucitizen.org/blog/csrf-ing-blogger-classic/comment-page-1/#comment-72479 Adrian Pastor Sun, 18 Nov 2007 04:30:12 +0000 http://www.gnucitizen.org/blog/csrf-ing-blogger-classic#comment-72479 Hello mana, As mentioned in my previous comment on this page, Google fixed the issue back on January 22 2007. Hello mana,

As mentioned in my previous comment on this page, Google fixed the issue back on January 22 2007.

]]> By: mana http://www.gnucitizen.org/blog/csrf-ing-blogger-classic/comment-page-1/#comment-71621 mana Thu, 15 Nov 2007 22:57:00 +0000 http://www.gnucitizen.org/blog/csrf-ing-blogger-classic#comment-71621 interesting write up, is there a fix for this attack? interesting write up, is there a fix for this attack?

]]> By: pagvac http://www.gnucitizen.org/blog/csrf-ing-blogger-classic/comment-page-1/#comment-2659 pagvac Mon, 22 Jan 2007 23:39:18 +0000 http://www.gnucitizen.org/blog/csrf-ing-blogger-classic#comment-2659 The reason for adding a comment to the post is that today January 22 2007, I examined the "add new user" request of both, Blogger Classic and New Blogger and I was impressed that Google had added tokens for both versions of Blogger. At first, when I informed Google and forwarded the research, they simply replied with automated emails, finally pointing me to a Blogger help URL. So I thought they didn't care much about CSRF issues. However, I must admit that I'm very impressed with them since they fixed the problem very fast. It'd be nice to get additional ideas from some of you guys if possible. Here is an example of the fixed "add new user" requests for both versions of Blogger (notice 'securityToken'): <pre><code>POST /add-authors.do HTTP/1.1 Host: www2.blogger.com blogID=12345678&securityToken=fmA1trWgTvwf6XZIlyn9WI_n0Nc%3D%3A1169507915539&authorsList=%3Cattacker%40domain.com%3E%2C+&submit=true</code></pre> <pre><code>POST /add-authors.do HTTP/1.1 Host: www.blogger.com blogID=12345678&securityToken=fmA1trWgTvwf6XZIlyn9WI_n0Nc%3D%3A1169507915539&authorsList=%3Cattacker%40domain.com%3E%2C+&submit=true</code></pre> P.S.: I forgot to say thank you to Jeremiah Grossman who kindly gave me feedback on this research. The reason for adding a comment to the post is that today January 22 2007, I examined the “add new user” request of both, Blogger Classic and New Blogger and I was impressed that Google had added tokens for both versions of Blogger.

At first, when I informed Google and forwarded the research, they simply replied with automated emails, finally pointing me to a Blogger help URL.

So I thought they didn’t care much about CSRF issues. However, I must admit that I’m very impressed with them since they fixed the problem very fast.

It’d be nice to get additional ideas from some of you guys if possible.

Here is an example of the fixed “add new user” requests for both versions of Blogger (notice ’securityToken’):

POST /add-authors.do HTTP/1.1
Host: www2.blogger.com

blogID=12345678&securityToken=fmA1trWgTvwf6XZIlyn9WI_n0Nc%3D%3A1169507915539&authorsList=%3Cattacker%40domain.com%3E%2C+&submit=true
POST /add-authors.do HTTP/1.1
Host: www.blogger.com

blogID=12345678&securityToken=fmA1trWgTvwf6XZIlyn9WI_n0Nc%3D%3A1169507915539&authorsList=%3Cattacker%40domain.com%3E%2C+&submit=true

P.S.: I forgot to say thank you to Jeremiah Grossman who kindly gave me feedback on this research.

]]>