Showing posts from February, 2011

Gmail Session Management Vulnerability (Mobile Browsers)

Mobile browsers and applications are gaining widespread popularity with the evolution of the iPhone, Android and other mobile platforms. Security has always played catch-up with the evolution of technology.

It was recently observed that Gmail sessions opened in mobile browsers such as Safari and the Android WebKit browser are not invalidated on the server when the user logs out. On logout the user is redirected to the login page and asked to re-enter their credentials. Although the user sees a login page and cannot reach the inbox without signing in again, the server-side session tied to that login stays active and becomes an orphaned session: the old session identifier is still accepted. An attacker who has obtained that session identifier can therefore replay it and access the victim's Gmail account even after the victim has logged out.
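The flaw described above is a generic session-management bug: logout clears the cookie on the client but leaves the server-side session entry alive. The following is an added example, not code from the original post or from Gmail, showing a toy mail app with the vulnerable logout beside the hardened one, together with the replay check a tester would run to detect the orphaned session. The class and function names, the `/inbox` and `/login` paths, the `SID` cookie name and the demo credential are all assumptions constructed for the example.

```python
"""
Added example (not from the original post): a minimal server-side session
store with a vulnerable logout that only redirects the client, beside a
hardened logout that also destroys the server-side session, plus the replay
check that detects the orphaned-session flaw described above.
Paths, cookie name and credentials are constructed for the demo.
"""
import secrets
import time


class SessionStore:
    """In-memory server-side session table keyed by session id."""

    def __init__(self, idle_timeout=3600):
        self._sessions = {}          # sid -> {"user": str, "last_seen": float}
        self.idle_timeout = idle_timeout

    def create(self, user):
        sid = secrets.token_urlsafe(32)     # 256-bit unguessable session id
        self._sessions[sid] = {"user": user, "last_seen": time.time()}
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or idle-expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if time.time() - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]        # idle expiry is not a substitute for logout
            return None
        entry["last_seen"] = time.time()
        return entry["user"]

    def destroy(self, sid):
        self._sessions.pop(sid, None)


class MailApp:
    """Toy web app: login issues a SID cookie, /inbox requires a live session."""

    USERS = {"alice": "correct horse battery staple"}  # constructed demo credential

    def __init__(self, invalidate_on_logout):
        self.store = SessionStore()
        self.invalidate_on_logout = invalidate_on_logout

    def login(self, user, password):
        if self.USERS.get(user) != password:
            return {"status": 401}
        sid = self.store.create(user)
        return {"status": 302, "location": "/inbox",
                "set_cookie": f"SID={sid}; Secure; HttpOnly"}

    def inbox(self, sid):
        user = self.store.lookup(sid)
        if user is None:
            return {"status": 302, "location": "/login"}
        return {"status": 200, "body": f"inbox of {user}"}

    def logout(self, sid):
        # Vulnerable variant (invalidate_on_logout=False): only tells the
        # client to drop the cookie and shows the login page; the server-side
        # entry keeps working, which is the orphaned session from the post.
        # Hardened variant (invalidate_on_logout=True): also removes the
        # server-side entry, so a replayed SID is rejected.
        if self.invalidate_on_logout:
            self.store.destroy(sid)
        return {"status": 302, "location": "/login",
                "set_cookie": "SID=; Max-Age=0"}


def parse_sid(set_cookie):
    """Extract the SID value from a Set-Cookie header like 'SID=abc; Secure'."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


def session_survives_logout(app, user, password):
    """Replay check: log in, capture the SID, log out, replay the captured SID.

    Returns True if the old SID still reaches the inbox, i.e. logout left an
    orphaned server-side session behind.
    """
    sid = parse_sid(app.login(user, password)["set_cookie"])
    assert app.inbox(sid)["status"] == 200        # session works before logout
    app.logout(sid)
    return app.inbox(sid)["status"] == 200


if __name__ == "__main__":
    creds = ("alice", MailApp.USERS["alice"])
    print("vulnerable app, SID valid after logout:",
          session_survives_logout(MailApp(invalidate_on_logout=False), *creds))
    print("hardened app, SID valid after logout:",
          session_survives_logout(MailApp(invalidate_on_logout=True), *creds))
```

Against a real target the same check is run with an HTTP client: record the session cookie after login, perform the logout, then re-send a request to an authenticated page with the recorded cookie; a 200 rather than a redirect to the login page is the finding.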