Pageviews

Tuesday, 17 January 2017

Browser caching may hideout your Gmail privacy.

Lets make it simple....

Steps to Reproduce :

1. Login to your Gmail Account from "Mozilla"
2. Perform any dynamic activity.
3. Log Out (Do not Close the browser)

Now, lets view the "view-source" of Gmail from Mozilla.

Visit : view-source:https://mail.google.com/mail/u/0/

If everything went perfect, you should be able to view all the recent mails which was send and receive for that logged in user.

However when we reported this to Google this is what they replied :

Google :
Hello,

We've investigated and determined that this is a caching bug in Firefox. Firefox uses the cached version of a page when viewing the source, and it appears that Firefox is not respecting the caching headers that Gmail is sending. This isn't reproducible on Chrome,
which reloads a page when viewing the source.
You should be able to file a bug with Firefox at Bugzilla.Mozilla.org.


Regards,
Michael, Google Security Team
==

and when reported to Mozilla they removed the security flag from the bug by saying "this is not remotely exploitable"

Then again reverted back to Google and this is what they said :

Google :
 Hey,

Thanks for the bug report.

We've investigated your submission and made the decision not to track it as a security bug. It will also not be accepted as part of our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and unfortunately we feel the issue you mention does not meet that bar :(

In order to conduct the attack the evildoer needs to reuse the same local user account. Because the operating systems themselves do not protect against attackers with this level of access, any fix we could implement would be easy to bypass, and we don't want to offer a false sense of security to our users. Check out https://sites.google.com/site/bughunteruniversity/nonvuln/attacks-working-only-when-sharing-local-account-with-the-attacker where we have written about this case.

If you think we've misunderstood, please do let us know!
==

It is a simple bug, that can have significant consequences, but google simply said,Who cares ?
Where Mozilla is still working on this.
Note: This works on all OS and any versions of Mozilla in Mobile as well.

Video POC :




Bug reported by : Sebastian Gr├╝nwald, Dhiraj Mishra, Japz Divino.

1 comment:

  1. This is Remotely Exploitable in case of Teamviewer Session Hijack. It was a vulnerability in Teamviewer which makes their attacker have full control of other Person's Computer. The Bug Should be fixed by Mozilla as it's their browser which uses cached page to view source.

    ReplyDelete