3

Google is a famous example of not blocking CSRF on logout/logoff pages.

> Some vulnerability reporters contact us about the ability to log out Google users by navigating their browser to a particular URL. In some ways, this behavior is undesirable, but we believe that it cannot be reliably addressed on the modern web: for example, malicious websites may also simply overflow the browser cookie jar and drop your authentication cookies for other websites on the Internet.

The most popular answer, as of today, to [Must login and logout action have CSRF protection?](http://security.stackexchange.com/questions/62769/must-login-and-logout-action-have-csrf-protection) disagrees, citing phishing concerns. The second most popular answer says it's not necessary, but the attack could cause inconveniences. The third answer says protection is a must.

Why does Google take a contrary stance here? Why does Google keep this stance, and/or why do so few individuals seem to agree?

Note: Numerous places online reference the fact that Google has discussed this "ad nauseam," but I didn't find the actual discussions.

Edit: It's not just Google, but many major sites do this.

Edit 2: This question is not a duplicate of Must login and logout action have CSRF protection? because I am not asking whether a page needs to have logout CSRF protection or not. I am asking:

  1. What Google's reasoning for their stance is (they provided only a portion of their reasoning in the quoted excerpt) and
  2. Why there is an apparent division between Google and the answers on that question.

This question is primarily trying to unpack the reasoning for Google's security decision, a detailed case study rather than a broad treatment.

jtpereyda
  • 1
    Possible duplicate of [Must login and logout action have CSRF protection?](http://security.stackexchange.com/questions/62769/must-login-and-logout-action-have-csrf-protection) – h4ckNinja Oct 12 '16 at 23:44

1 Answer

2

Logoff CSRF has no real impact. CSRF is also called a "session riding" attack, in which an adversary wants to use the authenticated session to have some useful side-effect. Ending the session is counter-productive to a real compromise - such as changing the email or password on a target's account.

Most features are vulnerable to CSRF by default, and the developer has to go out of their way to stop the problem. Google search is also affected by CSRF, and it has no impact, because this request doesn't have an interesting side-effect. A Google search request only displays interesting data which the attacker cannot see.

rook
  • 3
    "Google search is also affected by CSRF, and it has no impact" -- though could depend on your local government and ISP. If you're submitting non-HTTPS searches for "bomb making", that might be of interest to somebody. Also it affects Google targeted advertising – Robert Fraser Nov 12 '16 at 03:17
  • I agree that the impact is typically minimal, but an attacker can still cause inconvenience or leverage for phishing (see https://security.stackexchange.com/q/62769/5997). So Google must have some specific reason _not_ to block it for logout. Maybe there's a certain UI flow that works better without CSRF protection enabled? – jtpereyda Apr 20 '20 at 17:50
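
The answer above says a developer has to go out of their way to stop CSRF. As an added example (not part of the original answer or comments, and not Google's code), this is what that extra work looks like for a logout endpoint: a session-bound token checked on state-changing requests. `SERVER_KEY`, `issue_csrf_token`, `csrf_ok` and `handle_logout` are hypothetical names, and the session store is a plain in-memory set.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to one session; the server embeds it in its own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok(method: str, session_id: str, submitted: Optional[str]) -> bool:
    """Safe methods pass; state-changing methods need the session-bound token."""
    if method.upper() in SAFE_METHODS:
        return True
    if not submitted:
        return False
    expected = issue_csrf_token(session_id)
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_logout(sessions: set, method: str, session_id: str,
                  submitted: Optional[str] = None) -> int:
    """Hypothetical logout handler returning an HTTP status code.

    Logout is treated as a state change: it must be a POST carrying the token.
    """
    if session_id not in sessions:
        return 401
    if method.upper() != "POST":
        return 405  # navigating to a URL (GET) no longer ends the session
    if not csrf_ok(method, session_id, submitted):
        return 403  # cross-site form post: the cookie is sent, the token is not
    sessions.discard(session_id)
    return 204
```

This check only covers requests that reach the logout endpoint; it does nothing about the cookie-jar overflow route described in the Google quote in the question.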