Slashdot Mirror
Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.
The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.
It's a surprisingly bad design by Google standards. By assigning an forever-good cookie value each users account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have re-authenticate every time they changed.
Never heard of XSS until now (like me)? Here is one summary one summary of what the cookie theft looks like.
To-do List: Receive telemarketing call during a tornado warning. Check.
I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.
Beta should be reserved for functionality, GUI, and interoperability issues.
No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.
Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
I highly disagree. When I use a product which is in "Beta" I do not expect it to meet the same level of stability/security etc. To do so is rediculous - anyone who develops software should understand why products of this kind require an extended beta period. It's definitely the best time to make last minute changes, adjustments, and to find problems like this. Finding these problems is the whole point of it being Beta in the first place. Anyone who's using this service for anything important, and then complaining about problems they have (other than as normal beta feedback) is being unreasonable!
From their Terms of Use: Their terms of service are very short, and easy to understand (not like most software agreements) and use of gmail is not only FREE, but it's entirely optional. No one's making you use it. People should not have the same level of expectation for this new service as they do of the original search engine, and if they, that's their own ignorance.
I also highly doubt that this beta period will last that much longer. GMail is becoming popular enough that the bugs and changes should be done soon.
Cheers,
Justin