Google Blogoscoped


Google Cross-site Request Forgery

Roger Browne [PersonRank 10]

Monday, September 25, 2006

Slashdot user "Dwonis" drew my attention to a page by Dwayne C Litzenberger where he demonstrates how easy it is to change the Google preferences of a person who visits your website:

dlitz.net/stuff/xsrf/

Dwayne's example comprises this "harmless-looking" link:
dlitz.net/stuff/xsrf/poodles/
which when clicked will change your Google language to Irish. Dwayne also provides a link to switch back to English:
google.com/setprefs?hl=en& ...

Ionut Alex. Chitu [PersonRank 10]

2 years ago

So the problem here is that you can change the settings using a GET.

You can also load a URL like this in a hidden iframe, right?

google.com/setprefs?hl=fr& ...
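
The server-side fix for the GET-based preference change discussed in this thread, shown beside the vulnerable form. This is an added example, not part of the original posts and not Google's code; the handler names, the `csrf` parameter, the session layout and the sample requests are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: a per-deployment secret

def csrf_token(session_id: str) -> str:
    """Token bound to one session; a third-party page cannot read or compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def setprefs_vulnerable(method: str, params: dict, session: dict) -> int:
    """Changes state on any request, including a cross-site GET (link, iframe)."""
    session["prefs"]["hl"] = params.get("hl", "en")
    return 200

def setprefs_hardened(method: str, params: dict, session: dict) -> int:
    """Same change, but only for a POST that carries this session's token."""
    if method != "POST":
        return 405  # GET must stay free of side effects
    supplied = params.get("csrf", "").encode()
    expected = csrf_token(session["id"]).encode()
    if not hmac.compare_digest(supplied, expected):
        return 403  # token missing, or minted for a different session
    session["prefs"]["hl"] = params.get("hl", "en")
    return 200

def demo() -> dict:
    """Run constructed requests against both handlers and collect the outcomes."""
    victim = {"id": "victim-session", "prefs": {"hl": "en"}}
    out = {}
    # Constructed cross-site request: hl=ga is the Irish language code.
    out["vuln_get"] = setprefs_vulnerable("GET", {"hl": "ga"}, victim)
    out["vuln_lang"] = victim["prefs"]["hl"]
    victim["prefs"]["hl"] = "en"  # reset before testing the hardened handler
    out["hard_get"] = setprefs_hardened("GET", {"hl": "ga"}, victim)
    out["hard_no_token"] = setprefs_hardened("POST", {"hl": "ga"}, victim)
    foreign = csrf_token("other-session")  # valid token, wrong session
    out["hard_foreign"] = setprefs_hardened(
        "POST", {"hl": "ga", "csrf": foreign}, victim)
    out["lang_after_rejects"] = victim["prefs"]["hl"]
    own = csrf_token(victim["id"])  # what the site's own form would embed
    out["hard_own"] = setprefs_hardened("POST", {"hl": "ga", "csrf": own}, victim)
    out["lang_after_accept"] = victim["prefs"]["hl"]
    return out

if __name__ == "__main__":
    print(demo())
```
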
