Slashdot Mirror
Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.
The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.
It's a surprisingly bad design by Google standards. By assigning an forever-good cookie value each users account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have re-authenticate every time they changed.
Some might agree... others would say that if that was the case, Microsoft (and others) would never fix security holes if they are not known.
Help Brendan pay off his student loans
Never heard of XSS until now (like me)? Here is one summary one summary of what the cookie theft looks like.
To-do List: Receive telemarketing call during a tornado warning. Check.
Some might agree... others would say that if that was the case, Microsoft (and others) would never fix security holes if they are not known.
Yes - but the key is that you should give the company in question enough time to be able to get a fix out before releasing the issue to the public. I haven't been able to RTFA however unless Google have not taken any action after a reasonable timeframe (say a week) posting the issue on slashdot is not going to solve the problem any faster, and hence is just making more kiddies aware of this.
Keeping an issue you discovered 'secret' for a reasonable timeframe is the much more sensible option, you only need to go public if the issue is not fixed promptly.
I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.
Beta should be reserved for functionality, GUI, and interoperability issues.
No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.
Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
Comment removed based on user account deletion
it is because of this bug:
s closure/2004-07/msg00197.html
http://www.networksecurityarchive.org/html/FullDi
I highly disagree. When I use a product which is in "Beta" I do not expect it to meet the same level of stability/security etc. To do so is rediculous - anyone who develops software should understand why products of this kind require an extended beta period. It's definitely the best time to make last minute changes, adjustments, and to find problems like this. Finding these problems is the whole point of it being Beta in the first place. Anyone who's using this service for anything important, and then complaining about problems they have (other than as normal beta feedback) is being unreasonable!
From their Terms of Use: Their terms of service are very short, and easy to understand (not like most software agreements) and use of gmail is not only FREE, but it's entirely optional. No one's making you use it. People should not have the same level of expectation for this new service as they do of the original search engine, and if they, that's their own ignorance.
I also highly doubt that this beta period will last that much longer. GMail is becoming popular enough that the bugs and changes should be done soon.
Cheers,
Justin
That was mine, that one has since been fixed http://jibbering.com/2004/10/google.html -I know of a couple of others though which have yet to go public.
I agree it's googles responsibility, and some of the flaws that are th ere aren't the bugs of people who understand the issues - one of the google desktop bugs is because a search for <script>alert(1)</script> is written straight into the source of the document unencoded!
That's not a bug of developers who know what they're doing, or have good security procedures in place. I think they need a lot of publicity so like MS can start getting a real culture of security in.
You gotta get out more. :)
Lots of companies are behind load-balanced proxy servers. To a server, requests for a particular session are coming from a small number of IP addresses of the proxies.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.