Tuesday, September 18th, 2007
Let’s say I found a CSRF that allows me to hijack your Gmail account to send an email from you to another Gmail user… would you consider it a risk? Well, the good news is I don’t have a CSRF to send out email from your Gmail account, but the bad news is I don’t need CSRF (or any other exploit) to send an email from your Gmail account.
Using Google’s SMTP servers, I can send an email from any Gmail (or @google.com) account to any other Gmail email address. The process is simple… and is shown in the images below (addresses masked to slow the kiddies).
This is NOT a vulnerability in Google’s infrastructure… it’s merely how SMTP was DESIGNED to work. This same procedure works on other SMTP servers as well. Many of the old protocols (like SMTP) that we continue to use every day are inherently insecure. My favorites are DNS, SMTP, and ARP. Many of the exploits based on these protocols aren’t really even exploits… they are simply an abuse of functionality intentionally built into the protocol!
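Since SMTP itself never ties the From: line to whoever actually connected, the receiving side is where a forged sender can still be caught. The check below is an added example, not code from the original post: it reads the Authentication-Results header that our own inbound MX (assumed here to be mx.example.org) stamped after evaluating SPF and DKIM, and reports whether the visible From: domain is actually vouched for by the identity that passed. The sample messages are constructed, not real traffic.

```python
import email
import re
from email.utils import parseaddr

def domain_of(addr):
    """Lower-cased domain of an RFC 5322 address, '' if there is none."""
    _, bare = parseaddr(str(addr or ""))
    return bare.rsplit("@", 1)[1].lower() if "@" in bare else ""

def org_domain(dom):
    """Crude organizational domain (last two labels); production code uses a public-suffix list."""
    labels = dom.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else dom

def check_alignment(raw, authserv_id):
    """Is the visible From: domain vouched for by an authenticated identity?
    Only Authentication-Results stamped by our own MX (authserv_id) are trusted;
    an outside sender could forge that header just as easily as From:."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))  # envelope MAIL FROM, as recorded by the MX
    auth = " ".join(v for v in msg.get_all("Authentication-Results", [])
                    if v.strip().startswith(authserv_id))
    spf_pass = re.search(r"\bspf=pass\b", auth) is not None
    m = re.search(r"\bdkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)", auth)
    dkim_dom = m.group(1).lower() if m else ""
    # SPF only vouches for the envelope sender, DKIM only for the signing domain;
    # either one has to line up with the From: domain the user actually sees.
    spf_aligned = spf_pass and org_domain(rp_dom) == org_domain(from_dom)
    dkim_aligned = bool(dkim_dom) and org_domain(dkim_dom) == org_domain(from_dom)
    return {"from_domain": from_dom, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "aligned": spf_aligned or dkim_aligned}

def sample(auth_results, return_path="alice@gmail.com"):
    """Constructed test message, as our hypothetical MX mx.example.org would have stamped it."""
    return (f"Return-Path: <{return_path}>\nAuthentication-Results: mx.example.org; "
            f"{auth_results}\nFrom: Alice <alice@gmail.com>\n\nhi\n")

# 1: From: claims gmail.com, but the connecting IP is not one gmail.com authorizes.
FORGED = sample("spf=fail smtp.mailfrom=gmail.com")
# 2: same From:, SPF still fails (relayed), but a valid gmail.com DKIM signature vouches for it.
SIGNED = sample("spf=fail smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com")
# 3: SPF passes, but for an unrelated mailer domain, so it says nothing about the From: address.
UNALIGNED = sample("spf=pass smtp.mailfrom=mailer.example.net", "bounce@mailer.example.net")
```

Case 3 is the one a plain "SPF passed" filter gets wrong: the pass is genuine, it just belongs to a different domain than the one shown to the recipient.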
How could we let things get so bad? Why should I be ALLOWED to send an email on your behalf, sending colorful messages to other Gmail users? Honestly…. I don’t know… what I do know… is instead of fixing the underlying protocol (which is painful, costly, and resource intensive) we’ve “bolted on” temporary fixes like spam filters to help us “fix” the issues with the underlying protocol. After a while… we get used to having these “bolt-ons” and the temporary fixes become permanent fixes and the underlying protocol remains vulnerable to simple attacks like this one.
I know what you’re saying…. “SMTP was created in the wild wild west… times have changed… that will NEVER happen again!” The sad thing is… we’re starting to see the same things happening to HTTP. Just as SMTP admins have turned to spam filters and other appliances to make up for the shortcomings of SMTP, we are now seeing that many are turning to application firewalls to make up for the shortcomings of HTTP and poor coding practices. There are some that claim that application firewalls are a great “temporary fix”, and they probably are! Just as spam filters were a temporary fix for SMTP abuses!