Yikes! Possible XSS Exploit on forum login? GMail possibly accessed?

Discussion in 'Uber Entertainment Discussion' started by overand, September 10, 2013.

  1. overand

    overand New Member

    Hey folks - I just had a VERY strange thing happen when I attempted to log in to the forums via Google Chrome. (Well, Chromium on Linux).

    I followed the /forums/backers-lounge.64/ link in the recent backer e-mail, and when I logged in - the uberent page was immediately replaced with *my* gmail window, open and logged in (as it had been in another tab).

    I don't know a ton about what modern XSS (Cross Site Scripting) exploits look like, but I have a feeling they might do something like this.

    I've just logged in this way via a different browser (Opera) that is not logged in to gmail.

    I would HIGHLY suggest that a security expert review the code of that login page, and perhaps use "TamperThis" to see what data is going where. I've never experienced a quirk like this, and I really have a feeling that it may be code someone injected into the login page.

    You can contact me directly via my-username-here at gmail, of course. (And I changed my password - which I advise everyone else do as well, especially if they've had this same experience).

    Anyone else have this happen? Please let me know!
  2. LennardF1989

    LennardF1989 Uber Contractor

    No worries, this is because you clicked the link from within Gmail and because you weren't logged in yet, the forum grabbed the last page you visited (also called HTTP referer), which in this case was Gmail.

    This actually brings a good bug to light in that I should discard any "last visited page" that was not the forum. Thanks!

    And no worries about XSS, any modern browser makes it practically impossible in that even if I purposely would make it possible to inject code, it still wouldn't work. Also, people would not be able to steal anything useful from this forum except for maybe e-mail, because no passwords are stored at all, this is all handled off-site. Last but not least, this forum, even if I gave someone source access, would not be able to steal your Gmail credentials unless they turned it into a fake login-page, and I doubt you would enter your credentials on such a page when expecting to find a forum ;)

    EDIT: This bug is now squashed, thanks again!
    Last edited: September 10, 2013
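
The fix described in the reply above (discard any "last visited page" that is not the forum), as an added example that is not part of the thread and not the forum's own code. The origin `forums.example.com`, the landing and login paths, and the function name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed values: the thread does not give the forum's real origin or paths.
FORUM_ORIGIN = ("https", "forums.example.com")
DEFAULT_LANDING = "/forums/"
LOGIN_PATH = "/login"


def post_login_target(referer):
    """Return the path to redirect to after login, given the Referer header
    captured when the login form was requested."""
    if not referer:
        return DEFAULT_LANDING
    # Browsers treat backslashes like slashes and drop control characters,
    # so a value containing either is rejected instead of being normalised.
    if "\\" in referer or any(ord(c) < 0x20 or ord(c) == 0x7F for c in referer):
        return DEFAULT_LANDING
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return DEFAULT_LANDING
    # Compare the parsed scheme and host exactly; substring or prefix checks
    # would accept hosts such as forums.example.com.evil.test.
    origin = (parts.scheme.lower(), (parts.hostname or "").lower())
    if origin != FORUM_ORIGIN or port not in (None, 443):
        return DEFAULT_LANDING
    # Redirect by path only, so the response can never point off-site.
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return DEFAULT_LANDING
    # Do not send a freshly logged-in user back to the login form.
    if path.startswith(LOGIN_PATH):
        return DEFAULT_LANDING
    return path + ("?" + parts.query if parts.query else "")
```

With this check, the Gmail Referer from the first post falls back to the default landing page, while a Referer from the forum itself is preserved as a same-site path.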
