search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Google Reader cross-site request forgery vulnerability

Vulnerability Note VU#378688

Original Release Date: 2007-04-18 | Last Revised: 2007-09-12


Google Reader is vulnerable to a persistent cross-site request forgery attack that may be exploited by a specially crafted RSS feed.


Google Reader is an online RSS feed reader. It can display text and images when displaying RSS feeds.

Google Reader contains a cross-site request forgery (XSRF) vulnerability that could be used to prevent a user from logging on to the service.

The Google Reader logoff button can be represented as a hyperlink. An attacker may be able to execute this link by supplying it as an image source in a malicious RSS feed. Once a user subscribes to the RSS feed, they will be unable to login to their Google Reader account.

Note that an attacker would have to convince a user to load a malicious RSS feed to exploit this vulnerability.


A remote unauthenticated attacker may be able to prevent a user from logging in to Google Reader.


We are currently unaware of a practical solution to this problem, however the following workarounds may help mitigate the vulnerability.

Do not load images from third party sites

Preventing third party sites from loading images in your web browser may mitigate this vulnerability. See the references section of this document for information on how to block images in specific browsers.

Vendor Information


Google Affected

Updated:  April 18, 2007



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group Score Vector



This issue was reported on the GNUCITIZEN blog.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: None
Severity Metric: 0.84
Date Public: 2007-04-16
Date First Published: 2007-04-18
Date Last Updated: 2007-09-12 17:22 UTC
Document Revision: 6

Sponsored by CISA.