Guess what happens if you add an image like the one below to your HTML page:

<img src="http://mail.google.com/mail/?logout&hl=en" />

It does not appear on the page, but your Google account in another window or another tab will get logged out. So an external website can log you out of your Gmail or Orkut.

If you coded your website to delete a photo or object with a URL like www.domainname.com/photos/delete?id=221, you may think that, since you are checking user authentication on the server side, no one else can delete your file. But what if you are logged in on one tab and in a second tab you load another website (the hacker's or attacker's)? He can place lots of hidden images with src = www.domainname.com/photos/delete?id=22 (he can try ids from 0 to 1000 or 10,000, and any one of them may be your object).

Here the authentication passes, because the cookies and session are already set in the other tab, so the request affects (updates or deletes) your content.

Those who think "I use the POST method, so it is safe": sorry, you are wrong. JavaScript can also simulate a POST, and by using this an external website can submit your form (for example, it can run a form submission that changes the email address you registered with, and later reset the password to hack your account).

It won't happen if you use a CAPTCHA. But it is very hard to use a CAPTCHA on every form. You can defeat this attack by adding an extra parameter (a randomly generated string) to the GET URL or the POST form submission.

For example, look at the URL Gmail uses to delete a mail:

http://mail.google.com/mail/?ui=2&ik=42e598c952&at=xn3j2ufyx273muje67ot1fsxsnbmnl&view=up&act=tr&rt=j&search=inbox

There is an extra random string along with the useful parameters. So an external application cannot predict the exact URL to delete a particular mail, and an img with src=url fails here.

The same thing is also needed for the POST method. Add one hidden field containing the random string and check the string on the server before updating the database.

This problem is called CSRF, Cross-Site Request Forgery.
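Here is an added example (mine, not from the original post) of the random-string check described above for the photo delete form: the server generates a token per session, puts it in a hidden field, and refuses the delete unless the submitted token matches. The in-memory SESSIONS store, the /photos/delete route and the user name "alice" are assumptions for illustration; an attacker's page cannot read the victim's form, so a forged submission arrives without the token.

```python
import hmac
import html
import secrets

# Hypothetical in-memory session store (example only): session id -> session data.
SESSIONS = {}


def new_session(user="alice"):
    """Log a user in and issue a fresh random CSRF token bound to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_delete_form(sid, photo_id):
    """Build the legitimate delete form; the token travels in a hidden field."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/photos/delete">'
        f'<input type="hidden" name="id" value="{int(photo_id)}">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'
        "<button>Delete</button></form>"
    )


def delete_photo(method, sid, form):
    """Server-side handler. Returns (status, message) like an HTTP response."""
    if method != "POST":
        # A hidden <img> can only issue GET, so state changes are POST-only.
        return 405, "use POST"
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or wrong"
    return 200, f"photo {int(form['id'])} deleted"


def forged_request(sid):
    """What a cross-site page can send: the victim's cookie (sid) but no token."""
    return delete_photo("POST", sid, {"id": "221"})


if __name__ == "__main__":
    sid = new_session()
    print(render_delete_form(sid, 221))
    print("forged:", forged_request(sid))
    token = SESSIONS[sid]["csrf_token"]
    print("genuine:", delete_photo("POST", sid, {"id": "221", "csrf_token": token}))
```

The token only has to be unguessable and tied to the session; rotating it per request makes a stolen token less useful but breaks the back button, which is why many sites settle for one token per session.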

Thanks
Sajith


· · · ◊ ◊ ◊ · · ·

Hello programmer,

If you are a programmer, you probably have experience saving your various FTP, email and website credentials (usernames and passwords). Some people use Google Documents for saving passwords. Some use email itself as a password-storing medium. To be more secure, you should save your passwords on your local machine rather than putting them into any third-party online medium.

TrueCrypt is open source software for storing secured data (folders and files). It is available for most operating systems (Windows, Linux, Mac etc.). The advantage of TrueCrypt is that it creates a separate partition or storage device that behaves like a normal USB memory stick. When you mount the partition it asks for the password. You can save your personal and secret files inside this partition. You can create more than one partition using this software, so you can separate your data files if you need to.

Here is the website url: http://www.truecrypt.org/

It also provides two-level security. It adds a hidden encrypted file inside another encrypted file, so that when an adversary forces you to reveal your password, or forces you to open the secured folder, there is no chance for them to view the hidden encrypted file.

For more details visit:

http://www.truecrypt.org/hiddenvolume.php


· · · ◊ ◊ ◊ · · ·

Many people have already blogged about this. I made the same experiment. It works.
If you want to find out whether, say, xyz@gmail.com is invisible or not:
Open your Gtalk app and type this email address in the top search textbox.

Click the profile; it opens in a new window as usual.

Click the down arrow button in the top right corner of the window, and you will see a "Go off the record" link there.

Then type any chat message, say "hi".

If you get red text saying "person is offline, can't receive the message right now", the person is really offline.

(The above picture shows a user who is actually offline.)

If this message does not appear, the user is invisible.

(The above picture shows a user who is invisible, since there is no warning message in red.)

To know more about Gmail and Gmail chat, visit my post series:

http://www.sajithmr.com/series/gmail-architecture/

Regards

Sajith


· · · ◊ ◊ ◊ · · ·
