Slashdot Mirror
Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
My google stock. My poor google stock!
I know I'm going to be modded up on this
just a bit irresponsible to be coming out with this before Google has had a chance to fix it?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.
The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.
It's a surprisingly bad design by Google standards. By assigning an forever-good cookie value each users account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have re-authenticate every time they changed.
Maybe some hacker will make a program to break into every gmail account, read their mail, and send them ads about what people are talking about in mails!!!
Cross site scripting should not be considered a vulnerability.
I waited so long to get a Gmail account, I don't care if it sucks now... I also like Doom3...
So isn't the real issue that there are bugs that allow your cookie file to be exposed? Shouldn't those be considered critical security bugs regardless of what Google does?
The first person to fix the exploit will get a FREE GMAIL INVITE!
Holy $!@#)( this is bad news. Let's hope the Google people resolve this very, very quickly.. or I'm switching e-mail providers (yet again).
I am the maverick of Slashdot
Did anybody else notice when they were coming up with unique login names when they first set up their gmail account that oftentimes the "Blahblah@gmail.com is taken" message would often be some other email address somebody else was trying? I mean, if you tried "johndoe@gmail.com" and it was taken, sometimes it would respond with "joeschmoe1234@gmail.com is already taken, try again".
Never heard of XSS until now (like me)? Here is one summary one summary of what the cookie theft looks like.
To-do List: Receive telemarketing call during a tornado warning. Check.
Anybody who uses a beta product for critical email shouldn't be entirely surprised when they run into trouble...
I've been using the Gmail account for stuff I could afford to lose, since there doesn't seem to be any way to shift it in bulk to my home computer. Now I'm really glad I didn't use it for anything important.
See what I've been reading.
Don't Use gmail..
Can I have that invite now?
Just joking I already have a gmail account, as a sidenote gmail is the best free email service I have used.
Real protocols like IMAP4 still secure when using proper authentication and SSL.
I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.
They caught this problem in beta, just as should be done! Bravo!
Brings some true professionalisim to an industry where companies actually ship/sell products with bugs like this all the time.
Sorry, google only allows usernames with 6 characters or more.
Please enter a longer name, or choose from the following selection:
Dodiddleyoh@gmail.com
Dangdiddleydoh@gmail.com
ArghhhhDoh@gmail.com
liqbase
The only argument for cookies is tracking a user between sessions (ie. to satisfy the evil marketing weenies). If browsers would just generate a GUID during installation and then have that be part of the HTTP stream there'd be no reason for cookies at all. Be a good idea to have some sort of trapdoor hash function to prevent browser GUID spoofing also.
Well, now, since everyone who uses GMail already lets Google read their mail, what's the difference if a few Hackers get a hold of your account? Oh sure, they could read your spam and your Slashdot subscription notices, but email is plaintext anyway! Anybody with a packet sniffer can read your email. As for sending e-mail in your name, spamers already do that now and few duffers can tell the difference.
1) Gmail plugs the hole.
2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.
3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.
Of course, if someone already got at your stuff, well, that's bad.
Since I can't tell them apart, I treat all ACs as the same person.
Context ID's of course have to be validated so they're invalidated if used from an IP other then the one they were created for.
this guy has been posting all sorts of GNAA shit and fake gmail invites.. if you dont believe me just search his name
Just a handful? Check again pal. Every week or so, I get six more invites to hand out and do so diligently. I've done this many many times. I know dozens of other people who do the same. Initially, a handful of people got accounts 0- probably several thousand... then they invites six buddies (or five buddies and made a spam account for themselves). Those five or six buddies invited five or six of their own... etc. etc. etc. I don't know hard figures, but there are very likely tens if not hundreds of thousands of GMail users, possibly more.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
We forgive you google, we wuv google, googie does no wrong, WE FORGIVE U GOOGIE!!!
No no no, they got it all backwards!
(I bet they meant liamG to be vulnerable)
Time to read our wives e-mail to see if they are cheating or something.
Free Flat Screen HERE!
Great, now get that working for dynamic IPs ...
Move Sig. For great justice.
IP's that change in the middle of a session?! Well that would suck. I've never run across that.
Wait, I have. AOL and some foreign satellite access providers but not lately- it's been a couple of years.
news to me, if I could access the damn accounts.
had to tell people to revert to my old e-mail, since invariably I cannot open it.
Crossing my fingers, these issues will be solved in beta.
Timang tinggi tinggi
parang sudah asah
alang alang mandi
biar sampai basah
No worries! Remember it is still a beta. It is not like anyone will use this for a serious purpose.
badness 10000
what's the difference if a few Hackers get a hold of your account?
,SSNs and what not (I am creative). Now if some immoral hacker got hold of that data , the poor users would be duped twice, and I would feel really bad abt it (I mean I could have got twice the money myself if I wanted). So I request Gmail to help the Nigerian revolution and our fight against AIDS and dictators and fix the bug as soon as possible.
You know its not just as simple as you think. I mean I dont care if a few hackers read my email, but what if they decide to use sensitive info in it or delete it.
I run an e-business from Nigeria and earn some money in the process. People email me their bank account numbers, creditcard numbers
Great, now get that working on a shared connection like at work where hundreds of computers have the same external IP address
I have 6 ? anybody want? send an email to peeledback ...at..@!#..punkass.com
Comment removed based on user account deletion
through..
One : Good PR
Two : "Branding"
Three : User Satisfaction
Which one GOOG use?
Timang tinggi tinggi
parang sudah asah
alang alang mandi
biar sampai basah
How would this solve this problem? So I steal your GUID... same thing!! dummmy
"We forgive you google, we wuv google, googie does no wrong, WE FORGIVE U GOOGIE!!!"
/.! Rest assured that your little darling is sorry for this collossal blunder! I will try harder next time not to expose every single bit of information that you store in me.
/.
Thanks
And thanks for not crucifying me the way you did Hotmail and others. Seriously, I appreciate all your double-standards, really I do. Now I can be just as exploit-ridden as Samba, OpenSSL, and Firefox and still know that you will always put a spin on it and somehow blame M$.
I wuv you too
Signed,
Your Googlie Woolgie
You still have to know the context ID. If you're giving your URL (with the context ID) to somebody with the same IP address as you odds are you want it to work for them anyway.
Comment removed based on user account deletion
If you've got ALL THAT INFORMATION already migrated to a BETA service that's been around for ... a handful of months, you're pretty foolish. As far as it goes, I specifically DON'T have anything particularly importang going to my gmail account for exactly this reason--it's unproven as of yet. In fact, I had a two week outage, totally unable to use my gmail box, for uknown reasons. After working with the GMail team, it got fixed, but they never told me the actual cause. Yet another reason not to trust BETA software/services with really crucial information.
And before all the 'bots claim I'm bashing google, quite the contrary. I love GMail. But it's like any other BETA product right now--still working out the kinks.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
Troll? While I didn't necisarily think the parent post would be moded up, I certainly don't think it deserved a -1! Sigh, out of my hands...I certainly didn't mean to be a troll. I do think that it is legitimate to point out that email is plaintext and that GMail accounts are, in certain ways, already compromised. Seems people are very protective about their GMail...
Not all those accounts are actually being used, though. I have a Gmail account, but only because I was curious about it. I've only logged in a couple of times, and I'll probably never actually use it for anything.
And I bet there are a lot more like me out there.
I've heard of cablemodem users whose IP's are assigned via DHCP and expire/change sometimes as often as every 30 minutes.
;-)
Actually, I've read about it here on Slashdot, so take it with a grain of salt.
No sig
The easiest fix for this one is the quick and simple Two Browser method.
For example, I use Konquerer and Mozilla (and Epiphany, but only for one specific site). Konquerer is as locked down as I can get it, resonably. Java, Javascript, Cookies, Flash, Shockwave, plugins are all disabled completely. Mozilla can use Java, Javascript, and Cookies.
---
I typically browse the web with Konquerer, and I copy 'n paste a link if I need the functionality of Mozilla, or I type the thing in myself. I'll check the page source code and find the link I need to get around home-page Flash "content" (read: shit), before I paste the link into Mozilla.
It's a simple, direct, functional way of increasing your intarweb browsing security.
Use Two Browsers.
-
is apparently available here
2004-10-29 17:01:22 Gmail is open to exploit (Your Rights Online,Security) (rejected)
Since it's public, I'll just surf on over to Gmail and get myself an account...WHAT? I CAN'T?!!!
But you said it was public!!!
I guess I'll just have to hope that somebody gives me a private invitation so that I can become a beta-tester.
Mod me down and I will become more powerful than you can possibly imagine!
http://www.cgisecurity.com/articles/xss-faq.shtml
1. toss the persistant cookies
2' use only per-session cookies
3. tag the cookie with the IP address of the user so if someone does manage to steal a cookie their IP addy wont match and raise alarms, and encrypt the IP address info so it would be useless to anyone except gmail's servers...
I think the whole economy of the Nigeria revolves around the Internet :)
Um, isn't it true that the hacker would need to be able to get the cookie off the luser's workstation first? Anybody ever heard of a client firewall?
Yeah, the authentication scheme for a web service is always integrated into the OS.
Roses are #FF0000, violets are #0000FF, all my base are belong to you
I wonder if they fixed it. My session was just expired and I had to login in again. (My latest two week session ended a couple days ago.)
Sig is on vacation
is there anyone still interested ?
Look at ICQ
almost 10 years and STILL better
Come on, how about windows? Is it beta?
Beta is no reason to produce shoddy code like that.
Online backup with Mozy, sounds like Ozzie, but more!
I was using the "don't ask my password for two weeks" feature - Gmail just logged me out although the two weeks aren't up, and after logging in again I had a session ID tacked on to the URL like this:
f in itum
http://gmail.google.com/gmail?_sgh=2f3ab242adin
which I've never seen before.
I think it'll be a long Friday night at the 'Plex.
...for Google to start hiring some computer security geeks in addition to the math geeks they've been so aggressively pursuing. Last week is was Google Toolbar that was found to be hole-ridden. This week it's gmail.
Please put your fucking "free stuff" spam in your sig, so those of us who turn sig display off to avoid having to read "free stuff" spam don't have to read it. Thank you. Also, contagious_d is a witless fucktard without the brains God gave feta cheese.
":)"
getting server errors in the login box for gmail now
Getting a server error message in place of the login box. It is going to be a long night at the 'plex as you say.
A bunch of ISPs (AOL included) by default set their user's browser to use a proxy server where each request through the proxy goes out with a random IP from a pool of IPs. It's incredibly annoying from a developer standpoint. One little work-around to this problem, though, is to only check the first two bytes of the IP address. Definitely not a foolproof solution, since it won't usually stop abuse from people on the same ISP, but it's a bit better than nothing. But then there's the matter of people using a list of anonymous proxies on different ISPs..
You gotta get out more. :)
Lots of companies are behind load-balanced proxy servers. To a server, requests for a particular session are coming from a small number of IP addresses of the proxies.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
http://shit.slashdot.org/article.pl?sid=04/10/29/1 830247
This story talks about this vulnerability in google which allows somone to replace the google page with a simple form telling the user that google is now a subscription service and asking for their credit card details. http://www.theregister.co.uk/2004/10/21/google_des ktop_security_vuln/
Is closed-source software always going to be insecure because some hacker somewhere has issues with it? I hope not - cos writing closed source software is my bread and butter.
With google's empire growing the way it is, I wonder if it is the next Microsoft? I sincerely hope not!
Hey! Keep IIS out of this!
Could you guys at least have the courtesy of deleting all of those ads for mortgage applications? I'm sick of doing it myself.
"You're never ready, just less unprepared."
I sent an email to myself @gmail welcoming any hackers who may be interested in my account!
...Had this been an actual emergency, we would have fled in terror, and you would not have been informed.
Code exploits released with MS warnings are just way to get MS to move its lazy fat ass. Talk to the people that have tried to warn MS in the past before going public. After trying for months and months knowing that if the "whitehat" hacker knew then a "blackhat" hacker might also have found out with MS doing shit or even threathening the hacker warning them the world is no longer prepared to give MS a break.
Google has still got to ruin its reputation. It was warned and is acting upon it. Whitehats don't want holes to be exploited. They want them fixed. With google it seems enough to tell that the hole is there. With MS you must release the exploit code and create a security nightmare before MS will even think of reacting.
So yes, there are different standards. Not in what whitehats want to achieve but in what they need to do to get a company to react.
So they are not the same thing. The difference being the attitude of the company that has to fix the hole.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Yes in an ideal world all browsers would be 100% safe but they are not. Cookies being stolen is sadly it seems a problem that can't be fixed. So GUARD against it. Google should know better. There are a lot of tricks you can use to make certain that a cookie is indeed from the right computer. I make my living selling that kinda knowledge and you ain't paying me so I am not gonna tell but it ain't so hard.
All it takes is a paranoid mind. With the web in the state it is in, you really can't be to paranoid when developing anything to run on the web.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
They already control your mass media. They're the only ones who have been killing fellow humans in the name of God for thousands of years and now, they come up with this. Some years ago 2 jews brought as the Friday the 13th virus for MS-DOS, now the jews strike back. It's time to get rid of the jews!
Glass
some techincal details on how to replicate the vulnerability can be found here
http://www.infoworld.com/article/04/10/29/HNgmail_ 1.html?source=rss&url=http://www.infoworld.com/art icle/04/10/29/HNgmail_1.html
Now Gmail is down. anyone got a reason?
I'm here for the experience, not the Hyperbole.