Image via Wikipedia
I’ve briefly covered Cross Site Request Forgery (CSRF) before on this blog when talking about the exploit I discovered in About.com polls. It is one of the most common vulnerabilities on the web as it exploits the inherent way in which browsers handle HTTP cookies. It is also (for the most part) easily preventable if you know what you are doing.
A few weeks ago, I was thinking about a type of CSRF attack that is less well-known, but could potentially be very annoying for an end-user: Logout CSRF. Most (if not all) websites that have some form of login also have a method for handling logout, and usually this method involves the user simply clicking on a link. The link takes the user to a page which destroys their session cookie, and thus they are no longer logged in as a user.
What has this got to do with Google? Well, Gmail is vulnerable to this type of attack. The URL for logging out of Gmail is “https://mail.google.com/mail/u/0/?logout“, and any HTTP GET request sent to that URL will destroy your Gmail session cookie. To see it in action, log into your Gmail account and visit this page: http://cryptogasm.com/gmail-logout.html (I’ve purposefully not made it a link, so just copy it and paste it in your browser’s address bar). Once the page has loaded, refresh your Gmail account, and you should be logged out. (Note: This attack does not affect your account in any other way, all it does is log you out).
I alerted Google over this fact, and it seems many people have done so in the past, because I got referred to a section of their bug documentation specifically addressing this problem. What stands out for me is this line:
At this time, the ability of malicious web sites to log users out of unrelated web applications is essentially unavoidable; it is a consequence of how the web is designed, and cannot be reliably prevented by any single website.
Whilst it is true that CSRF is a consequence of how the web is designed, it is completely untrue to say that such an attack is “essentially unavoidable”. On the contrary, Logout CSRF is easily thwarted by including a unique token in the logout URL that is purposefully hard for attackers to guess or brute-force. Many sites do this, including the WordPress admin panel from which I’m writing this article. This way, only an HTTP GET request that includes a valid token will log the user out.
In Google’s rationale for essentially ignoring this problem, they cite a blog post by one of their employees, Chris Evans. In it, he claims that it is “futile” to defend against Logout CSRF since there are other methods of destroying a session cookie, like cookie forcing and cookie bombardment. Whilst this is true, note that both these techniques need some level of skill to implement, whereas the simple Logout CSRF I created took me less than a minute to get working. If you limit the methods that can be used to successively perform an attack, you limit the number of attacks.
This sort of thing makes me wonder if Google really understand CSRF, or whether they really don’t care about their users.