Slashdot Mirror


Gmail Accounts Vulnerable to XSS Exploit

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."

25 of 232 comments

  1. Isn't it... by Sheetrock · · Score: 2, Insightful

    just a bit irresponsible to be coming out with this before Google has had a chance to fix it?

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

    1. Re:Isn't it... by realdpk · · Score: 4, Insightful

      No. Certainly not. People should be made aware of security issues. Especially for free services like this, where people have no guarantee they will ever be addressed.

    2. Re:Isn't it... by LiquidCoooled · · Score: 4, Insightful

      It's not like a local exploit where we can stop using it, or update ourselves.

      This SHOULD get maximum exposure. Maybe then the heads in google will jump on this with all their PHDs.

      As for not fixing it, I doubt that's an option. Such a monumental failure so soon in their public offering will be devastating to them.

      --
      liqbase :: faster than paper
    3. Re:Isn't it... by lukewarmfusion · · Score: 4, Insightful

      Yes and no.

      Yes - Google should have the opportunity to fix this appropriately, not racing against the slew of hackers, crackers, and script kiddies that want to exploit it.

      No - People should be aware of security risks in the software, hardware, etc. that they use and upon which they rely.

      Personally, I prefer to inform the company of vulnerabilities and offer to help fix them. It's helped me land clients and discredit competitors.

    4. Re:Isn't it... by LiquidCoooled · · Score: 2, Insightful

      I should clarify that apart from deleting all my mail and closing my account I can do nothing about it. I don't want to lose my account though, I *like* gmail, and certainly don't want to go back to the hotmail wasteground.

      (and also look sheepishly at the grammatical screwup in my previous post)

      --
      liqbase :: faster than paper
    5. Re:Isn't it... by Saratoga+C++ · · Score: 2, Insightful

      To be honest I think google's getting off easy.

      Just about every MS security hole that comes out has the exploit code attached. Since Google's not an "evil" company the exploit is kept secret? What is the reason that an Operating System Security Hole is given with code and a beta webmail service exploit isn't?
      IIRC: Wasn't Hotmail's exploit also given with a snippet of code/instructions on how to do it? This is the same thing but with a different company.

      I'm not trying to say "release the 'sploit" but I am saying that it does set a set of different standards for companies that offer the same service (e-mail over a web based interface). Why is it that one is released (and linked on Slashdot IIRC) and one is kept from prying eyes (Keep Gmail safe)?

    6. Re:Isn't it... by Saratoga+C++ · · Score: 2, Insightful

      Yes, yes it is and I'll tell you why.

      In both instances you're harming the user with these exploits (given Hotmail/Gmail's exploits). Also with the OS exploits. The user is harmed. Sure this indirectly harms MS but you're still exposing the users of the product.

      What this amounts to IMHO is that for some reason Gmail users are more precious than Hotmail users or that Hotmail users deserve to be hacked because they are users of the service. That shows a rather large power trip issue on the part of the person reporting the exploit.

  2. Re:XSS isn't that big a deal by Sheetrock · · Score: 4, Insightful
    Well, the problem is that we're looking at each individual XSS exploit as a vulnerability when we should be looking at XSS itself as an unwholesome feature in general.

    Like when we started treating e-mail as a file transfer protocol, or when documents began to contain executable content, XSS gives an avenue of attack by adding a new and unrequested behavior to something that used to be secure. We need to reduce these channels of exploitation if computers are going to become secure -- especially as we head towards a homogenized environment on the Internet with regards to executable code (.NET/Java).

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.

  3. Re:it IS a beta... by buzzini · · Score: 5, Insightful

    Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.

  4. Easy Fix: by thesandtiger · · Score: 5, Insightful

    1) Gmail plugs the hole.

    2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.

    3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.

    Of course, if someone already got at your stuff, well, that's bad.

    --
    Since I can't tell them apart, I treat all ACs as the same person.
  5. Re:Good thing they are still in beta. by Anonymous Coward · · Score: 1, Insightful

    They can call it beta all they want, but they obviously want people to use it as their primary e-mail account now. Just because they call it beta, doesn't exempt them from responsibility when they put their product out on the open market.

  6. Not a real problem. by NotoriousQ · · Score: 4, Insightful

    No worries! Remember it is still a beta. It is not like anyone will use this for a serious purpose.

    --
    badness 10000
    1. Re:Not a real problem. by verbatim_verbose · · Score: 2, Insightful

      Parent should have probably been marked funny rather than insightful... sheesh.

      The thousands of people using Gmail don't care that it has a little tiny word "beta" at the top. They've got mail in there that probably shouldn't be seen by other people. (Personal communications, private chats, possibly much more.)

      It IS a real problem for anyone who doesn't want their email being read by others.

  7. Re:Wives by Anonymous Coward · · Score: 1, Insightful
    It's easier to tell than that. For instance: is she spending the week-end with a "friend"? Leaving Friday night and coming home late Sunday "too tired" to do anything? Is this occurring every week-end?

    Does she go out drinking with this same "friend" 2-3 times per night? Every week? Often drinking at fetish clubs or going to swinging events, again with this same "friend"?

    Those are much easier signs to look for than snooping through e-mail :-)

  8. overstatement of exposure by elmegil · · Score: 2, Insightful
    "Because Gmail offers a gigabyte of storage, several times bigger than most other web based mail services, users hardly delete any old correspondence", says Goldshlagger. "The result is a huge amount of mail accumulating in the users' boxes, which frequently include bank notices, passwords, private documents and other files the user wanted to backup. Who ever takes a hold of this data, could literally take over the victim's life and identity".

    If you've got ALL THAT INFORMATION already migrated to a BETA service that's been around for ... a handful of months, you're pretty foolish. As far as it goes, I specifically DON'T have anything particularly important going to my gmail account for exactly this reason--it's unproven as of yet. In fact, I had a two week outage, totally unable to use my gmail box, for unknown reasons. After working with the GMail team, it got fixed, but they never told me the actual cause. Yet another reason not to trust BETA software/services with really crucial information.

    And before all the 'bots claim I'm bashing google, quite the contrary. I love GMail. But it's like any other BETA product right now--still working out the kinks.

    --
    7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
  9. Re:Now everybody,not just Google,can read your ema by VidEdit · · Score: 2, Insightful

    Troll? While I didn't necessarily think the parent post would be modded up, I certainly don't think it deserved a -1! Sigh, out of my hands... I certainly didn't mean to be a troll. I do think that it is legitimate to point out that email is plaintext and that GMail accounts are, in certain ways, already compromised. Seems people are very protective about their GMail...
  10. Re:Hmmm.... by Anonymous Coward · · Score: 2, Insightful

    Free Flat Screen HERE!

    Please put your fucking "free stuff" spam in your sig, so those of us who turn sig display off to avoid having to read "free stuff" spam don't have to read it. Thank you.

  11. Re:it IS a beta... by pipingguy · · Score: 2, Insightful

    Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.

    Agreed, maybe Google is laurel resting in the wake of the IPO.

    Do you remember web searching prior to Google? I used to take pride in knowing the Hotbot and AltaVista switches (and nand not) but Google's 1998 arrival blew all that away. That level of knowledge was no longer necessary. There's probably a lesson in there somewhere.

  12. Re:XSS isn't that big a deal by mallumax · · Score: 2, Insightful

    XSS was highlighted because that's the easiest way to steal the cookie without physical access to the machine which the victim uses (correct me if I'm wrong). XSS makes it extremely easy for an attacker to social engineer a user into divulging his cookie, using a malformed hyperlink in a mail. Though GMail was initially limited to computer savvy people it has now percolated to the masses. As the spread of recent viruses has shown, social engineering normal users is trivial.

  13. Re:MOD PARENT IDIOT by psbrogna · · Score: 2, Insightful
    Starting a session over because a user lost his dialup connection is acceptable to every user I've run into.

    This technique has been in use at several moderate (> 50k users/mo) traffic sites I've worked on with no problems and no complaints for several years. And, state control is completely server side.

    If you like cookies, off you go. I'll choose the more secure solution for now.

  14. Re:Need more than just the username by poot_rootbeer · · Score: 5, Insightful

      you need to actually trick the user into giving you their GMail cookie by phishing.

      ...or by grabbing the cookies left behind by previous users off a public terminal.

    But that's a minor concern, no one ever uses a public computing terminal to check webmail, or walks away without logging out properly.

  15. Re:it IS a beta... by WIAKywbfatw · · Score: 5, Insightful

    Care to explain what marketing plan for Gmail you've seen? So far, Google has issued a couple of press releases - announcing its intention to offer email services, etc - but nothing more than that, and it's made it repeatedly clear that the service is in beta.

    Have you ever seen more than that? Have you seen any advertising (banner or otherwise) for the service? Just how do you contend that Google is marketing it?

    And how the hell are you defining "fairly widespread use"? Just how many Gmail accounts do you think there are? 100,000? A million? Well, in comparison, how many Microsoft Hotmail or Yahoo Mail accounts do you think there are out there? I'd be surprised if Gmail had even a hundredth of the user base that its key competitors possess.

    Gmail is in beta. Until they say it's not in beta please accept that nothing should be taken for granted. And the fact is that even "shipped" products aren't error free, so either learn to accept that things sometimes go wrong with software or just stop using a PC altogether.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  16. Re:Google needs to toss its cookies... by rnicey · · Score: 1, Insightful

    It's really iffy design.

    The hash or whatever that validates the cookie's authenticity should have the IP address and expiry time (from the servers point of view) embedded in it. Why this isn't part of some standard library for a software house like Google makes me wonder...
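    The two comments above (the "Easy Fix" steps in comment 4 and the signed-cookie design in comment 16) describe the same mechanism from two sides: a session cookie whose authenticator covers the expiry and the client address, issued under a key version that can be bumped so every cookie minted before the fix is rejected. The following is an added example written for this mirror, not Google's code and not anything the thread's posters published; the key material, the field layout, the one-hour lifetime and the hypothetical IP-binding rule are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumed server-side secrets, one per key version. Bumping CURRENT_VERSION after the
# hole is closed is the "require a different cookie" step from comment 4: cookies
# minted under version 1 (while the hole was open) no longer validate, forged or not.
KEYS = {
    1: b"constructed-key-in-use-while-the-hole-was-open",
    2: b"constructed-key-issued-after-the-fix",
}
CURRENT_VERSION = 2
COOKIE_TTL = 3600  # assumed one-hour session lifetime, counted by the server's clock


def _tag(version, user, client_ip, expires):
    """HMAC over every field the server will later trust (comment 16's 'hash or whatever')."""
    payload = f"v{version}|{user}|{client_ip}|{expires}".encode()
    return hmac.new(KEYS[version], payload, hashlib.sha256).hexdigest()


def mint_cookie(user, client_ip, now=None, version=CURRENT_VERSION):
    """Issue a session cookie value bound to a client address and an absolute expiry."""
    if "|" in user or "|" in client_ip:
        raise ValueError("field separator not allowed in user or address")
    now = int(time.time()) if now is None else now
    expires = now + COOKIE_TTL
    return f"v{version}|{user}|{client_ip}|{expires}|{_tag(version, user, client_ip, expires)}"


def validate_cookie(cookie, client_ip, now=None):
    """Return the user name if the cookie is genuine, current and bound to this client, else None."""
    now = int(time.time()) if now is None else now
    try:
        ver_s, user, bound_ip, exp_s, tag = cookie.split("|")
        version, expires = int(ver_s[1:]), int(exp_s)
    except ValueError:
        return None  # malformed or counterfeit layout -> force a fresh login
    if version != CURRENT_VERSION:
        return None  # any cookie from before the key rotation, forged or legitimate
    # Constant-time compare so the tag cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(tag, _tag(version, user, bound_ip, expires)):
        return None  # tampered fields (e.g. a changed user name) or a forged tag
    if bound_ip != client_ip:
        return None  # stolen cookie replayed from another address
    if now >= expires:
        return None  # expired by the server's clock, whatever the client claims
    return user


if __name__ == "__main__":
    issued = mint_cookie("alice", "10.0.0.5", now=1000)
    print(validate_cookie(issued, "10.0.0.5", now=1500))        # alice
    print(validate_cookie(issued, "10.0.0.6", now=1500))        # None (replayed elsewhere)
    print(validate_cookie(issued, "10.0.0.5", now=1000 + 3600)) # None (expired)
    pre_fix = mint_cookie("alice", "10.0.0.5", now=1000, version=1)
    print(validate_cookie(pre_fix, "10.0.0.5", now=1500))       # None (old key version)
```

    The IP binding is the part a practitioner would weigh before copying: it defeats straightforward cookie replay but logs out anyone whose address changes mid-session (dial-up reconnects, proxy pools), which is the trade-off comment 13 is arguing about. Marking the cookie HttpOnly when it is set is the complementary browser-side control against the script-based theft comment 12 describes, but it does not replace the server-side checks shown here.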

  17. Re:Google needs to toss its cookies... by casuist99 · · Score: 2, Insightful

    My immediate concern is the fskers who live in my apartment complex. We use a shared internet connection (300 of us on a dual T-1, ouch) for the entire complex. Now, I can't be the only person who knows that an un-administered network (no kidding) will be rife with people screwing around.

    I know that my email travels through routers and ISPs in the clear, but they probably don't know me personally. I'm more worried about my roommates sniffing the traffic coming from my computer to the gateway and reading my email. Or the shithead upstairs who I've called the cops on. You get my point.

    Important stuff, duh you've got to be encrypting it from sender-to-receiver. Semi-private stuff, I'd at least like to know my neighbors aren't reading. https://gmail.google.com/gmail is very helpful to me for that purpose. Thanks for pointing that out.

  18. Re:The Microsoft argument by JibberJim · · Score: 3, Insightful

    As the reporter of the first bug reported in the Register article, I certainly didn't go looking for it because of Google; it was trivial to find. I found it 2 1/2 years ago (you can see a Usenet post from 2002 which describes it, when XSS into Google didn't matter much, phishing was new, and Google had no data).

    The reason we're getting this deluge of security flaws in Google now is simply because people are now looking; they're easy to find, and the XSS flaws are trivial (like forgetting to encode user input before writing it into the page).

    The issues are Google's lack of QA and security testing - do you think it's reasonable to release an HTML product which searched personal data on people's machines without having a test which provided some JavaScript as the search term? I think the failure to do that is incompetence of a level that makes MS's old security look good.

    Yes, Google have fixed the flaws quickly; that's because the flaws are trivially easy to fix - HTML encoding a string isn't hard, even in Python.
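    Comment 18 names both the bug class (user input written into the page without encoding) and the test that should have caught it (a search term containing JavaScript), and comment 12 explains why it matters (a link in a mail can carry the term, and the script that runs steals the session cookie). The following is an added example illustrating that, not code from Google or from any poster in this thread: a toy search-results page rendered the vulnerable way beside the encoded way, with the QA check comment 18 asks for. The mailbox contents and the search term are constructed; it also escapes the stored subjects, which goes a step beyond the reflected case in the comment, because mail subjects are attacker-supplied too.

```python
import html

# Constructed sample mailbox; the second subject shows that stored data needs
# encoding just as much as the reflected search term does.
MAILBOX = [
    "Bank notice: statement ready",
    "<b>Meeting</b> moved to 3pm",
]

# The canonical QA probe from comment 18: a search term that is itself a script.
# A real attacker's script would send document.cookie off-site instead of displaying it.
PROBE = '<script>alert(document.cookie)</script>'


def search(mailbox, query):
    """Toy case-insensitive substring search over subjects."""
    return [m for m in mailbox if query.lower() in m.lower()]


def render_results_unsafe(query, hits):
    """Vulnerable: the query and the subjects are copied into the HTML verbatim,
    so a query like PROBE becomes live script in the victim's session."""
    rows = "".join(f"<li>{h}</li>" for h in hits)
    return f"<h1>Results for {query}</h1><ul>{rows}</ul>"


def render_results_safe(query, hits):
    """Fixed: every untrusted string is HTML-encoded at the point it enters the page.
    quote=True also encodes the quote characters, so the same helper is safe inside
    a quoted attribute value; a JavaScript or URL context would need its own encoder."""
    esc = lambda s: html.escape(s, quote=True)
    rows = "".join(f"<li>{esc(h)}</li>" for h in hits)
    return f"<h1>Results for {esc(query)}</h1><ul>{rows}</ul>"


def contains_live_markup(page):
    """The missing test: after rendering, no raw tag from user data may survive."""
    lowered = page.lower()
    return "<script" in lowered or "<b>" in lowered


if __name__ == "__main__":
    print(render_results_unsafe(PROBE, search(MAILBOX, PROBE)))  # script tag intact
    print(render_results_safe(PROBE, search(MAILBOX, PROBE)))    # &lt;script&gt;...
    print(render_results_safe("meeting", search(MAILBOX, "meeting")))
```

    Running the probe through both renderers is the whole of the test comment 18 wants in the release pipeline; the escaping call is the one-liner comment 18 says it is, and the discipline is applying it at every output point, not just the one the bug report named.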