
Gmail Accounts Vulnerable to XSS Exploit

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."

18 of 232 comments

  1. Oh no! by scaaven · · Score: 5, Funny

    My google stock. My poor google stock!

    --
    I know I'm going to be modded up on this
  2. Oh my god! by Zangief · · Score: 5, Funny

    Maybe some hacker will make a program to break into every gmail account, read their mail, and send them ads about what people are talking about in mails!!!

  3. sweet grapes by yahyamf · · Score: 5, Funny

    I waited so long to get a Gmail account, I don't care if it sucks now... I also like Doom3...

  4. Re:Isn't it... by moonbender · · Score: 4, Funny

    I guess they weren't kidding when they said it's still in beta...

    --
    Switch back to Slashdot's D1 system.
  5. I must do my part to help. by teamhasnoi · · Score: 5, Funny

    The first person to fix the exploit will get a FREE GMAIL INVITE!

    1. Re:I must do my part to help. by LiquidCoooled · · Score: 2, Funny

      I've already got a gmail account, can I have a free iPod instead ;)

      --
      liqbase :: faster than paper
  6. Good thing they are still in beta. by bill_kress · · Score: 5, Funny

    They caught this problem in beta, just as should be done! Bravo!

    Brings some true professionalism to an industry where companies actually ship/sell products with bugs like this all the time.

  7. Re:doh by LiquidCoooled · · Score: 1, Funny

    Sorry, google only allows usernames with 6 characters or more.

    Please enter a longer name, or choose from the following selection:

    Dodiddleyoh@gmail.com
    Dangdiddleydoh@gmail.com
    ArghhhhDoh@gmail.com

    --
    liqbase :: faster than paper
  8. That sound you hear.... by Anonymous Coward · · Score: 1, Funny

    We forgive you google, we wuv google, googie does no wrong, WE FORGIVE U GOOGIE!!!

  9. Wives by mekanizer · · Score: 5, Funny

    Time to read our wives' e-mail to see if they are cheating or something.

    1. Re:Wives by Anonymous Coward · · Score: 1, Funny
      I'm not worried about that... I keep my wife happy :P Can you say the same?
      Yes, I keep your wife happy too.
  10. Re:I got it by Anonymous Coward · · Score: 5, Funny

    Yeah, I agree. Your gmail account is the best mail I've ever used.

    - Anonymous Cookie monster

  11. Re:Now everybody,not just Google,can read your ema by iMaple · · Score: 5, Funny

    what's the difference if a few Hackers get a hold of your account?

    You know it's not just as simple as you think. I mean I don't care if a few hackers read my email, but what if they decide to use sensitive info in it or delete it.

    I run an e-business from Nigeria and earn some money in the process. People email me their bank account numbers, credit card numbers, SSNs and what not (I am creative). Now if some immoral hacker got hold of that data, the poor users would be duped twice, and I would feel really bad about it (I mean I could have got twice the money myself if I wanted). So I request Gmail to help the Nigerian revolution and our fight against AIDS and dictators and fix the bug as soon as possible.

  12. I wuv you too /. by Anonymous Coward · · Score: 1, Funny

    "We forgive you google, we wuv google, googie does no wrong, WE FORGIVE U GOOGIE!!!"

    Thanks /.! Rest assured that your little darling is sorry for this colossal blunder! I will try harder next time not to expose every single bit of information that you store in me.

    And thanks for not crucifying me the way you did Hotmail and others. Seriously, I appreciate all your double-standards, really I do. Now I can be just as exploit-ridden as Samba, OpenSSL, and Firefox and still know that you will always put a spin on it and somehow blame M$.

    I wuv you too /.
    Signed,
    Your Googlie Woolgie

  13. Re:Isn't it... by downbad · · Score: 2, Funny
    It will always "still" be in beta for 2 reasons. One is so they don't have any liability when things like this happen; after all they never said it was stable or secure, it's a work in progress.
    like every project on freshmeat and sourceforge. ;)
  14. Re:Need more than just the username by daft_one · · Score: 1, Funny

    Especially not all those people at my local college, who returned to find their hotmail was in Mandarin Chinese.

  15. Re:Google needs to toss its cookies... by mccrew · · Score: 2, Funny
    What I don't like about it is that it doesn't use SSL after you log in.

    ...which is important, because I want to read my mail over an encrypted link even though it travelled through several ISPs' data centers, many networks, a backbone or two, and probably even the FBI's scanners, IN THE CLEAR!!!

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  16. If the hackers access my account... by parliboy · · Score: 2, Funny

    Could you guys at least have the courtesy of deleting all of those ads for mortgage applications? I'm sick of doing it myself.

    --
    "You're never ready, just less unprepared."