Not mentioned in the original post is that the change password field also gives you the option of entering the answer to your 'secret question' rather than your password as the second token.<p>You replace the password query params with:<p>&group1=IdentityAnswer&IdentityAnswer=ANSWER_GUESS<p>Not as improbable to guess since Google do not enforce a standard on the secret question answer (i.e. with 'place you were born' you could just list major cities and probably get a hit every so often).<p>If you had access to a high traffic site (thank-you WordPress hax) you would probably harvest a number of accounts using this in an IFRAME pretty quickly. You just need to add some JavaScript to somehow inform you which ones were a success.
I believe the (poorly explained) rationale behind the alert is that the CSRF allows the attacker to brute force the password without triggering a captcha, as happens on the main login page after a couple of bad logins.<p>If you sent out spam containing a CSRF link that tried a dozen or so of the most common passwords, you might get a few hits, though I don't know why anyone would bother. Still, if I were Google, I would just fix it.<p>I'm a bit surprised that Google doesn't have a generic authenticity system for all of their forms, or if they do, why it would be omitted from this one form.
I understand that this threat isn't particularly worrisome, but articles like this one remind me just how dependent I've become on Gmail and how vulnerable I am as a result. I've now got years of info including everything from purchase receipts to personal conversations of high sentimental value. If someone were to either hack my password or simply cause my account to be disabled I'd be seriously screwed.<p>I'm now feeling like I need some sort of backup or other protective measure.
Gmail asks for the old password before allowing a new one to be set, so the attack script is brute-forcing the password by submitting requests from a hostile page visited by the victim. It will take 150 million HTTP requests to brute-force a 6-letter password from 26 possible letters.<p>I suspect red flags will come up at Google after the first couple million requests. Or the victim will leave the hostile page he was lured to.
If Google allows weak passwords such as "Password1" then I'm sure quite a few users would pick such a simple password, and I'm sure attackers realise this.<p>It would be wise if Google forced the user to enter the captcha on password change.<p>Disallowing GET would be good as well. Otherwise attackers would have to use POST, which would mean tricking the user into submitting an HTML form, and I'm unsure if you can send multiple POST requests per submit.
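The fixes the commenters above are asking for (reject GET, require a per-session form token, and fall back to a captcha after a few bad "old password" or secret-answer attempts) are easiest to see side by side. The following is an added example written for this thread, not Google's code and not from the original post: a toy password-change handler in the shape the thread describes, next to a hardened version. The parameter names `OldPasswd` and `Passwd`, the `Account`/`Request` classes, the lockout threshold and the sample accounts are all constructed here; only `group1=IdentityAnswer` / `IdentityAnswer` come from the thread.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed policy value: bad second-token attempts allowed before a captcha is demanded.
MAX_FAILED_ATTEMPTS = 3


@dataclass
class Account:
    password: str
    secret_answer: str          # answer to the 'secret question' (alternative second token)
    failed_attempts: int = 0    # shared counter for password AND secret-answer guesses


@dataclass
class Request:
    method: str     # "GET" or "POST"
    params: dict    # query-string or form fields
    session: dict   # what the victim's cookie-backed session holds (hostile page cannot read it)


def second_token_matches(acct: Account, params: dict) -> bool:
    """Check whichever second token the form submitted: old password or secret answer.
    Constant-time comparison avoids leaking anything via timing (assumption: plaintext
    storage here only to keep the toy small; real code compares against a hash)."""
    if params.get("group1") == "IdentityAnswer":
        supplied, expected = params.get("IdentityAnswer", ""), acct.secret_answer
    else:
        supplied, expected = params.get("OldPasswd", ""), acct.password
    return hmac.compare_digest(supplied.encode(), expected.encode())


def change_password_vulnerable(acct: Account, req: Request) -> str:
    """The pattern the thread complains about: any method, no form token, no lockout.
    A hostile page can fire one such request per guess via IFRAME/IMG src."""
    if not second_token_matches(acct, req.params):
        return "wrong_token"
    acct.password = req.params["Passwd"]
    return "changed"


def new_session_token(session: dict) -> str:
    """Mint a fresh anti-CSRF token and bind it to the user's session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def change_password_hardened(acct: Account, req: Request, captcha_solved: bool = False) -> str:
    # 1. POST only: an IFRAME or IMG src can only issue GET, so it never reaches the check.
    if req.method != "POST":
        return "method_not_allowed"
    # 2. Form token bound to the session: a cross-site page cannot read it, so a forged
    #    POST from a hidden form fails here even though the browser attached the cookies.
    expected = req.session.get("csrf_token", "")
    supplied = req.params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "csrf_failure"
    # 3. Captcha after N failures: the same brake the main login page already applies.
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS and not captcha_solved:
        return "captcha_required"
    if not second_token_matches(acct, req.params):
        acct.failed_attempts += 1
        return "wrong_token"
    acct.failed_attempts = 0
    acct.password = req.params["Passwd"]
    new_session_token(req.session)   # rotate the token after a sensitive action
    return "changed"


def guess_run(handler, acct: Account, session: dict, method: str, guesses, with_token=False):
    """Replay a list of old-password guesses against a handler; returns the outcomes.
    Used only to contrast the two handlers on the same constructed input."""
    out = []
    for g in guesses:
        params = {"OldPasswd": g, "Passwd": "attacker-chosen"}
        if with_token:
            params["csrf_token"] = session.get("csrf_token", "")
        out.append(handler(acct, Request(method, params, session)))
    return out


if __name__ == "__main__":
    victim = Account(password="hunter2", secret_answer="london")
    print(guess_run(change_password_vulnerable, victim, {}, "GET", ["123456", "password", "hunter2"]))
    victim = Account(password="hunter2", secret_answer="london")
    print(guess_run(change_password_hardened, victim, {}, "GET", ["123456", "password", "hunter2"]))
```

The shared `failed_attempts` counter is the detail worth keeping from the first comment: if the secret-answer path has its own counter (or none), the captcha on the password path buys nothing, because the guesser simply switches to `group1=IdentityAnswer`.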