Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
No. Certainly not. People should be made aware of security issues. Especially for free services like this, where people have no guarantee they will ever be addressed.
Its not like a local exploit where we can stop using it, or update ourselves.
This SHOULD get maximum exposure. Maybe then the heads in google will jump on this with all their PHDs.
As for not fixing it, I doubt thats an option. Such a monumental failure so start in their public offering will be devistating to them.
liqbase
Yes and no.
Yes - Google should have the opportunity to fix this appropriately, not racing against the slew of hackers, crackers, and script kiddies that want to exploit it.
No - People should aware of security risks in the software, hardware, etc. that they use and upon which they rely.
Personally, I prefer to inform the company of vulnerabilities and offer to help fix them. It's helped me land clients and discredit competitors.
Like when we started treating e-mail as a file transfer protocol, or when documents began to contain executable content, XSS gives an avenue of attack by adding a new and unrequested behavior to something that used to be secure. We need to reduce these channels of exploitation if computers are going to become secure -- especially as we head towards a homogenized environment on the Internet with regards to executable code (.NET/Java).
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.
1) Gmail plugs the hole.
2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.
3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.
Of course, if someone already got at your stuff, well, that's bad.
Since I can't tell them apart, I treat all ACs as the same person.
No worries! Remember it is still a beta. It is not like anyone will use this for a serious purpose.
badness 10000
you need to actually trick the user into giving you their GMail cookie by phishing. ...or by grabbing the cookies left behind by previous users off a public terminal.
But that's a minor concern, no one ever uses a public computing terminal to check webmail, or walks away without logging out properly.
Care to explain what marketing plan for Gmail you've seen? So far, Google has issued a couple of press releases - announcing its intention to offer email services, etc - but nothing more than that, and it's made it repeatedly clear that the service is in beta.
Have you ever seen more than that? Have you seen any advertising (banner or otherwise) for the service? Just how do you contend that Google is marketing it?
And how the hell are you defining "fairly widespread use"? Just how many Gmail accounts do you think there are? 100,000? A million? Well, in comparison, how many Microsoft Hotmail or Yahoo Mail accounts do you think there are out there? I'd be surprised if Gmail had even a hundredth of the user base that its key competitors possess.
Gmail is in beta. Until they say it's not in beta please accept that nothing should be taken for granted. And the fact is that even "shipped" products aren't error free, so either learn to accept that things sometimes go wrong with software or just stop using a PC altogether.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
As the reporter of the first bug reported in the register article, I certainly didn't go looking for it because of google, it was trivial to find, I found it 2 1/2 years ago (you can see a usenet post from 2002 which describes it, when XSS into google didn't matter much, phishing was new, and google had no data)
The reason we're getting this deluge of security flaws in google now is simply because people are now looking, they're easy to find, the XSS flaws are trivial (like ignoring you're encode user input before writing it into the page)
The issues are Googles lack of QA and security testing - do you think it's reasonable to release an HTML product which searhed personal data on peoples machines without having a test which provided some javascript as the search term? I think the failure to do that is incompetence of a level that makes MS's old security look good.
Yes, Google have fixed the flaws quickly, that's because the flaws are trivially easy to fix - html encoding a string isn't hard, even in python.