Garo Garabedyan's Divergent Thinking Blog

Logout CSRF is a threat to RIAs


I have performed some experiments at home to show that logging a user out of a rich internet application by cross-site request forgery (CSRF) is possible in some apps and very damaging to the rich experience of the user: the user may not even realise that he is no longer authenticated and will therefore believe that he is receiving automatic updates when he is not.

Rich internet applications turn web browsers and the internet into a platform for applications with an excellent user experience. The user might not even realise that he is working against a server located thousands of miles away, because the application reacts quickly to user interactions.

Gmail Logout CSRF: To log a user out of Gmail, it is enough that he visits https://mail.google.com/mail/?logout (from the same browser in which he is logged in to any Google app).

Result of Gmail Logout CSRF:

Gmail provides no indication that you are no longer logged in. You can even open some conversations, because they are cached on the client (the AJAX-enabled page in the browser), but a more detailed view of a conversation, or anything else that triggers a server request, redirects you to the main login page with no additional explanation.

After about 40 s Gmail Chat presented the error message “Oops. Your chat connection may have been interrupted.” Gmail itself gave no information. It tried to reconnect after 15 s and later after 62 s. About 1:30 min after the logout CSRF the page redirected to the main login page.

With Gmail Chat disabled, similar behaviour was observed: again it tells you in Gmail Chat that the connection may have been interrupted.

In Google Docs, when the user is editing a document after the Gmail logout CSRF, everything is implemented well. It tells you “You are signed out. Refresh the page, or sign in from another tab.” with the appropriate user interface changes, which happen about 10-20 s after the logout. Google Docs has an auto-save feature that issues server requests very frequently.

Google engineers suggest that a web page that loads slower than 2-3 s makes most users avoid returning to the page.

Facebook Logout CSRF: No Logout CSRF possible.

Users of Facebook spend a remarkable amount of time logged in to the social network simply to receive updates from friends, groups, etc.


Written by garabedyan

November 3, 2010 at 23:59

Posted in Uncategorized

