WHID 2007-72: David Airey domains hijacked

Attack Information
WHID ID: 2007-72
Date Occurred: 30 Dec 2007
Attack Method:

Outcome Information
Outcome:

Target Information
Attacked Entity Field: Media
Attacked Entity Geography: UK

Source Information
Attack Source Geography: Iran

Update (Dec 30th 2008)

It seems that the original report was not accurate and that it was not a CSRF vulnerability that was exploited. The mistake is reported by the victim, in a blog post written as an imaginary discussion with Google (search the page for XSRF), and by Google. Google hints that it was a phishing attack, but David Airey is not convinced.


Many times we dismiss seemingly minor vulnerabilities in major web sites. Most notably, "yet another" XSS or CSRF vulnerability in a well-known service is not considered news anymore. However, the following story proves that such vulnerabilities cannot be ignored, no matter what.

The attack is simple, the result pretty frightening. An attacker, presumably Iranian, stole the domain name of David Airey, a graphic artist and a known blogger. The attack was very well timed to coincide with David's departure for a long vacation. The goal was to extort money in exchange for returning the domain. In David's case there is a happy ending, as the attention he got helped him get his blog back, with some loss in traffic, search engine ranking and time. But other victims of the attacker, who steals domains for a living, may not be as fortunate.

Additional information: