Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
No. Certainly not. People should be made aware of security issues. Especially for free services like this, where people have no guarantee they will ever be addressed.
It's not like a local exploit where we can stop using it, or update ourselves.
This SHOULD get maximum exposure. Maybe then the heads at Google will jump on this with all their PhDs.
As for not fixing it, I doubt that's an option. Such a monumental failure so start in their public offering will be devastating to them.
liqbase
Yes and no.
Yes - Google should have the opportunity to fix this appropriately, not racing against the slew of hackers, crackers, and script kiddies that want to exploit it.
No - People should be aware of security risks in the software, hardware, etc. that they use and upon which they rely.
Personally, I prefer to inform the company of vulnerabilities and offer to help fix them. It's helped me land clients and discredit competitors.
Like when we started treating e-mail as a file transfer protocol, or when documents began to contain executable content, XSS gives an avenue of attack by adding a new and unrequested behavior to something that used to be secure. We need to reduce these channels of exploitation if computers are going to become secure -- especially as we head towards a homogenized environment on the Internet with regards to executable code (.NET/Java).
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.
1) Gmail plugs the hole.
2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.
3) When a counterfeit cookie (or any of the old cookies) tries to validate, it's immediately seen as invalid, and the user is then made to login.
Of course, if someone already got at your stuff, well, that's bad.
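The three steps above describe a cookie-epoch rotation: once the hole is plugged, the server stops accepting any session cookie minted before the fix, so a cookie stolen through the XSS keeps working no more than a password change would have (the summary notes that changing passwords alone didn't help, precisely because the stolen cookie stayed valid). The following is an added illustration, not Google's code or anything the thread posted: a minimal signed-cookie session store in Python in which every cookie carries the epoch it was issued under, a bump of the epoch invalidates all older and all forged cookies, and the Set-Cookie header is rendered with HttpOnly so page script cannot read it. Names such as SessionStore, issue, validate and rotate_after_fix are assumptions for the example.

```python
import hashlib
import hmac
import secrets

class SessionStore:
    """Signed session cookies of the form '<epoch>:<session id>:<hmac>'.

    Hypothetical example store. Bumping `epoch` after a fix is deployed is
    step 2 of the thread's procedure; validate() rejecting old or counterfeit
    cookies and forcing a fresh login is step 3.
    """

    def __init__(self, key: bytes):
        self.key = key          # server-side signing secret (constructed here)
        self.epoch = 1          # incremented once the hole is plugged
        self.sessions = {}      # session id -> user name (in-memory, for demo)

    def _sign(self, payload: str) -> str:
        # HMAC over "epoch:sid" so neither field can be altered client-side.
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str) -> str:
        """Create a session for `user` and return the cookie value."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        payload = f"{self.epoch}:{sid}"
        return f"{payload}:{self._sign(payload)}"

    def set_cookie_header(self, cookie: str) -> str:
        """Render the header; HttpOnly keeps the cookie out of reach of script
        injected via XSS, Secure keeps it off plaintext HTTP."""
        return f"Set-Cookie: SID={cookie}; HttpOnly; Secure; Path=/; SameSite=Lax"

    def validate(self, cookie: str):
        """Return the user for a valid cookie, or None (caller forces login)."""
        try:
            epoch_str, sid, sig = cookie.split(":")
            epoch = int(epoch_str)
        except ValueError:
            return None                     # malformed cookie
        payload = f"{epoch_str}:{sid}"
        if not hmac.compare_digest(self._sign(payload), sig):
            return None                     # counterfeit or tampered cookie
        if epoch != self.epoch:
            return None                     # issued before the fix: re-login
        return self.sessions.get(sid)

    def rotate_after_fix(self) -> None:
        """Step 2: require cookies from a new epoch; every old one is now dead."""
        self.epoch += 1
        self.sessions.clear()


def demo():
    """Walk through the thread's scenario and return the observed outcomes."""
    store = SessionStore(secrets.token_bytes(32))
    stolen = store.issue("alice")           # cookie leaked while the hole was open
    before_fix = store.validate(stolen)     # attacker can use it: 'alice'
    store.rotate_after_fix()                # hole plugged, epoch bumped
    after_fix = store.validate(stolen)      # stolen cookie now rejected: None
    fresh = store.validate(store.issue("alice"))  # new login works again
    return before_fix, after_fix, fresh


if __name__ == "__main__":
    print(demo())
```

Tampering with a single character of the signature, or presenting a cookie with the current epoch but a home-made signature, fails the HMAC check; a genuine cookie from the previous epoch fails the epoch check. Either way the user lands on the login page, which is the outcome step 3 asks for. As the comment notes, none of this undoes whatever the attacker already read while the cookie was live; it only closes the window.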
Since I can't tell them apart, I treat all ACs as the same person.
No worries! Remember it is still a beta. It is not like anyone will use this for a serious purpose.
badness 10000
you need to actually trick the user into giving you their GMail cookie by phishing. ...or by grabbing the cookies left behind by previous users off a public terminal.
But that's a minor concern, no one ever uses a public computing terminal to check webmail, or walks away without logging out properly.
Care to explain what marketing plan for Gmail you've seen? So far, Google has issued a couple of press releases - announcing its intention to offer email services, etc - but nothing more than that, and it's made it repeatedly clear that the service is in beta.
Have you ever seen more than that? Have you seen any advertising (banner or otherwise) for the service? Just how do you contend that Google is marketing it?
And how the hell are you defining "fairly widespread use"? Just how many Gmail accounts do you think there are? 100,000? A million? Well, in comparison, how many Microsoft Hotmail or Yahoo Mail accounts do you think there are out there? I'd be surprised if Gmail had even a hundredth of the user base that its key competitors possess.
Gmail is in beta. Until they say it's not in beta please accept that nothing should be taken for granted. And the fact is that even "shipped" products aren't error free, so either learn to accept that things sometimes go wrong with software or just stop using a PC altogether.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg