Logout/Login CSRF


Simon Willison points to a report that discusses "login CSRF" attacks, where "an attacker uses CSRF to log a user in to a site (eg PayPal) using the attacker's credentials, then waits for them to submit sensitive information".

I wrote an email about this to Google's security address a few weeks ago (not having seen this existing discussion) and they never replied, so I guess they don't think of it as serious (and in fact there's not much they could do about it anyway - they already display the logged-in account name prominently at the top of the page, which is all they can really do).

Here's an example page which will log a visitor out of their Google account (not sure if this step is even necessary) then log them back in to an account I created, which has Web History enabled. Any subsequent Google searches, if the person doesn't notice that the account they're logged in as has changed, will be visible to anyone who has the password to the false account.

If there was a requirement that a browser is logged out of an account before it can be logged in to a different account on the same site, then you could use security tokens to protect against the 'logout' action, the same as for any other CSRF, but that wouldn't protect anyone who's using the site anonymously (so wouldn't be logged in in the first place). It's more of an annoyance at the moment: for example, if you can get <img src="/logout"> onto a Drupal site, perhaps through a post picked up by the aggregator, then anyone looking at that page will be logged out of the site. Again, the Drupal security team doesn't view this as a problem…
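To make the two defences discussed above concrete, here is an added example (my own illustration, not code from Google, Drupal or the report Simon links to) of a tiny in-memory web app that binds the login form to a pre-session cookie, refuses to log a browser in to a second account while a session exists, and only accepts logout as a POST carrying a token tied to the session cookie. The request/response classes, the account names and the "csrf_seed" cookie are constructed for the demo; the idea is that a page on another origin can make the browser send the victim's cookies but cannot read them, so it cannot produce the form token that matches.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed demo state: one signing key per process and an in-memory session
# store. A real deployment persists both; all names here are hypothetical.
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}                                              # session id -> username
USERS = {"victim": "victim-pw", "attacker": "attacker-pw"}  # constructed accounts


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)   # attached by the browser automatically
    form: dict = field(default_factory=dict)      # controlled by whichever page submits it


@dataclass
class Response:
    status: int
    body: str = ""
    set_cookies: dict = field(default_factory=dict)


def _token_for(seed: str) -> str:
    """Derive the form token from a cookie value: only a page the site itself served to
    this browser can carry the token that matches the browser's cookie."""
    return hmac.new(SERVER_KEY, seed.encode(), hashlib.sha256).hexdigest()


def get_login_form(req: Request) -> Response:
    """GET /login: plant a pre-session cookie and embed its derived token in the form."""
    seed = req.cookies.get("csrf_seed") or secrets.token_urlsafe(16)
    resp = Response(200, f'<input type="hidden" name="csrf" value="{_token_for(seed)}">')
    resp.set_cookies["csrf_seed"] = seed
    return resp


def post_login(req: Request) -> Response:
    """POST /login: refuse while a session exists (the 'log out first' requirement the
    post suggests), then require the form token to match the pre-session cookie."""
    if req.method != "POST":
        return Response(405, "login requires POST")
    if req.cookies.get("sid") in SESSIONS:
        return Response(409, "log out before logging in to another account")
    seed = req.cookies.get("csrf_seed")
    expected = _token_for(seed) if seed else ""
    if not seed or not hmac.compare_digest(req.form.get("csrf", ""), expected):
        return Response(403, "login CSRF check failed")
    user = req.form.get("user", "")
    if USERS.get(user) != req.form.get("password"):
        return Response(401, "bad credentials")
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = user
    resp = Response(200, f"logged in as {user}")
    resp.set_cookies["sid"] = sid
    return resp


def post_logout(req: Request) -> Response:
    """POST /logout with a token bound to the session cookie. A GET, which is all an
    <img src="/logout"> tag can produce, carries no token and is refused."""
    if req.method != "POST":
        return Response(405, "logout requires POST")
    sid = req.cookies.get("sid", "")
    if sid not in SESSIONS:
        return Response(401, "not logged in")
    if not hmac.compare_digest(req.form.get("csrf", ""), _token_for(sid)):
        return Response(403, "logout CSRF check failed")
    del SESSIONS[sid]
    resp = Response(200, "logged out")
    resp.set_cookies["sid"] = ""
    return resp


def simulate() -> dict:
    """Walk the victim's browser through the forged and the legitimate requests."""
    out = {}
    # 1. A foreign page auto-submits a login form with the attacker's credentials. The
    #    browser attaches the victim's cookies, but the page cannot read them, so the
    #    token it supplies cannot match.
    forged = Request("POST", cookies={"csrf_seed": "victim-seed"},
                     form={"user": "attacker", "password": "attacker-pw", "csrf": "guess"})
    out["forged_login"] = post_login(forged).status
    # 2. The victim loads the real login form and submits it.
    form = get_login_form(Request("GET"))
    seed = form.set_cookies["csrf_seed"]
    login = post_login(Request("POST", cookies={"csrf_seed": seed},
                               form={"user": "victim", "password": "victim-pw",
                                     "csrf": _token_for(seed)}))
    out["legit_login"] = login.status
    sid = login.set_cookies["sid"]
    # 3. Same forged login against the now-authenticated browser: refused before the
    #    token is even examined, because a session already exists.
    forged.cookies["sid"] = sid
    forged.form["csrf"] = _token_for("victim-seed")
    out["forged_login_while_logged_in"] = post_login(forged).status
    # 4. <img src="/logout"> in a page the victim views: a GET with no token.
    out["img_logout"] = post_logout(Request("GET", cookies={"sid": sid})).status
    out["still_logged_in"] = sid in SESSIONS
    # 5. The site's own logout button: POST with the session-bound token.
    out["legit_logout"] = post_logout(Request("POST", cookies={"sid": sid},
                                              form={"csrf": _token_for(sid)})).status
    out["session_cleared"] = sid not in SESSIONS
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running `simulate()` shows the forged login rejected with 403, the legitimate login accepted, the second forged attempt rejected with 409, the image-tag logout rejected with 405 while the session survives, and the real logout succeeding. The cookie-derived token is a double-submit variant, and it assumes the attacker cannot set cookies for the site (for instance through a subdomain); it also does nothing for a visitor who was never logged in, which is exactly the gap the paragraph above points out.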