Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail Accounts Vulnerable to XSS Exploit

Posted by michael on from the ooooooops dept.

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."

6 of 232 comments (clear)

  1. Danger, Will Robinson by d_jedi · · Score: 0, Redundant

    Holy $!@#)( this is bad news. Let's hope the Google people resolve this very, very quickly.. or I'm switching e-mail providers (yet again).

    --
    I am the maverick of Slashdot
  2. it IS a beta... by jathan88 · · Score: 1, Redundant
    As the article points out, it's a good thing that this was found before Gmail went into "official" release. I think it's great that Google *admits* that the product is still in beta, instead of releasing it as is and pretending that it's a polished product.

    Anybody who uses a beta product for critical email shouldn't be entirely surprised when they run into trouble...

  3. Re:Google needs to toss its cookies... by arunkv · · Score: 0, Redundant
    What I don't like about it is that it doesn't use SSL after you log in.

    That's not true. You can use SSL all throughout. Simply start at https://gmail.google.com/gmail or even just manually change it to https after login.

  4. Re:Google needs to toss its cookies... by Ryan_Singer · · Score: 0, Redundant

    If you goto https://gmail.google.com/ it will stay SSL throughout the session.

    --
    Ryan Singer
  5. Re:Google needs to toss its cookies... by Hen3ry · · Score: 0, Redundant

    Well, it certain can use SSL after you log in. Just start with: https://gmail.google.com

    --
    ...both ears and the tail.
  6. Re:Isn't it... by JibberJim · · Score: 0, Redundant

    That was mine, that one has since been fixed http://jibbering.com/2004/10/google.html-Iknowofac oupleofothersthoughwhichhaveyettogopublic.Iagreeit 'sgooglesresponsibility,andsomeoftheflawsthatareth erearen'tthebugsofpeoplewhounderstandtheissues-one ofthegoogledesktopbugsisbecauseasearchforalert(1) is written straight into the source of the document unencoded! That's not a bug of developers who know what they're doing, or have good security procedures in place. I think they need a lot of publicity so like MS can start getting a real culture of security in.