[cap-talk] Security considerations for cookies

Sandro Magi naasking at higherlogics.com
Mon Feb 22 21:39:20 PST 2010


On 15/02/2010 9:05 AM, Mark Seaborn wrote:
> I would call this attack a kind of spoofing, rather than CSRF.  Rather
> than one site spoofing another, it can be one account or page spoofing
> another on the same site.  Tyler's Petname toolbar would not help in
> this case.  Maybe this can be addressed by petnames that are
> finer-grained than a site, which might require sites' co-operation to
> establish.

I agree, but gmail already sports a solution: require the user to pick a
custom theme, colour scheme, or a unique icon for his webmail interface,
which is prominently visible on each screen. It should be exceedingly
unlikely that the attacker could know and pick the same one. The user
will immediately see that he is not in his inbox.

One must also guard against the possibility of the JS in the page being
redirected in the background to another account while still displaying
the old icon/colour scheme/theme.

Sandro


