[Owasp-ireland] Fwd: Breaking Google Gears' Cross-Origin Communication Model

Eoin eoin.keary at owasp.org
Tue Dec 9 07:46:42 EST 2008

---------- Forwarded message ----------
From: Yair Amit <AMITYAIR at il.ibm.com>
Date: 2008/12/8
Subject: Breaking Google Gears' Cross-Origin Communication Model
To: webappsec at securityfocus.com


I recently discovered a flaw in the cross-origin communication security
model of Google Gears that could allow attackers to break-out of the
same-origin policy and mount large scale user-impersonation attacks under
certain conditions.

After coordinating a fix with Google, I can now reveal the full details.
You are invited to read them at

To make sure you are secure, it is advisable to verify that you have the
latest version of Google-Gears (currently installed on your
system. If that is not the case, it can be obtained from the Google Gears
website (http://gears.google.com).

I would like to thank the Google Gears security team for their quick
responses and the efficient way in which they handled this security issue.

Best Regards,
     Yair Amit
     Senior Security Researcher
     IBM Rational Application Security

Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this Whitepaper


OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)

Quis custodiet ipsos custodes
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-ireland/attachments/20081209/ed2c9e9d/attachment.html 

More information about the Owasp-ireland mailing list