Gmail Accounts Vulnerable to XSS Exploit

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."

cookies are the root of all evil

[psbrogna]

I've always been opposed to cookies. There's practically no reason why state control should be put on the client side. It's virtually impossible to secure a site that exposes variables client side. Anything you can do with a cookie can be done with a GUID context ID paired w/server side variable store.

The only argument for cookies is tracking a user between sessions (ie. to satisfy the evil marketing weenies). If browsers would just generate a GUID during installation and then have that be part of the HTTP stream there'd be no reason for cookies at all. Be a good idea to have some sort of trapdoor hash function to prevent browser GUID spoofing also.

Now everybody,not just Google,can read your email!

[VidEdit]

Well, now, since everyone who uses GMail already lets Google read their mail, what's the difference if a few Hackers get a hold of your account? Oh sure, they could read your spam and your Slashdot subscription notices, but email is plaintext anyway! Anybody with a packet sniffer can read your email. As for sending e-mail in your name, spamers already do that now and few duffers can tell the difference.

Hmmm....

[spicy+salsa]

I actually think the Hotmail backdoor was fairly similar to this (you used a login form on a site other then Hotmail.com and you did not have to enter a password).

Free Flat Screen HERE!