Google Reader’s “share item” function is known to be vulnerable to CSRF for quite some time, but this is the first time I personally witness such an attack (not a particularly malicious one, but can be highly viral). Just in case you run into similar sites like above people did, remember this Internet rule:
“Click-here-to-view-more-hot-girlz” site is always a scam, the only difference is how deep of a trouble it can bring to you.
Attached the source for your viewing pleasure: a straightforward attack, and because it spreads through Google Reader/Buzz, which itself builds on top of “trusted relationship“, we expect an exponential victim growth. (ie. the victim platform carries the virus further, this symptom has been observed in various attacks on socialized services, for instance Twitter/Facebook attacks.)
source (at) pastebin, also wiki on CSRF
Update at 19:42 GMT+8: Some high-profile GR users are now affected, expect this CSRF to affect a lot more people. Check your GR Share & Notes if you have been to this site.
Update at 20:29 GMT+8: 懒得翻译中文了……简单一句，假如你通过GR或Twitter看过某自称“按用户点击排名的美女聚合网站”，请检查自己的GR分享与评论。你的GR个人密码安全无恙。
Update at 21:12 GMT+8: Edited article to reflect latest status.
6 thoughts on “Google Reader Sharing CSRF”
在 twitter 上点了别人发的链接就中招了…
看到此文就去把 shared item 删掉, “你的GR个人密码安全无恙” 这点确定的话… 就懒得改密码了 =,=
I know now, my english is so poor
Comments are closed.