Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
You suck
The only argument for cookies is tracking a user between sessions (i.e. to satisfy the evil marketing weenies). If browsers would just generate a GUID during installation and then have that be part of the HTTP stream there'd be no reason for cookies at all. Be a good idea to have some sort of trapdoor hash function to prevent browser GUID spoofing also.
Well, now, since everyone who uses GMail already lets Google read their mail, what's the difference if a few Hackers get a hold of your account? Oh sure, they could read your spam and your Slashdot subscription notices, but email is plaintext anyway! Anybody with a packet sniffer can read your email. As for sending e-mail in your name, spammers already do that now and few duffers can tell the difference.
The Jews are trying to hack open Google for Yahoo IMHO.
Google don't have an effective policy for reporting bugs, you can email security@google.com all you want, but they do not answer, we've had repeated recent exploits from Google. It took me over 2 1/2 years to get Google to acknowledge their flaw, and that happened only after I went public - and
Google have serious security problems, there's still a number of other XSS security flaws there, and they're so obvious no newbie web scripter would make the mistake.