Slashdot Mirror


Gmail Accounts Vulnerable to XSS Exploit

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."

6 of 232 comments

  1. Re:Down with Israel by lemonjus · · Score: -1, Troll

    You suck

  2. cookies are the root of all evil by psbrogna · · Score: 0, Troll
    I've always been opposed to cookies. There's practically no reason why state control should be put on the client side. It's virtually impossible to secure a site that exposes variables client side. Anything you can do with a cookie can be done with a GUID context ID paired w/server side variable store.

    The only argument for cookies is tracking a user between sessions (i.e. to satisfy the evil marketing weenies). If browsers would just generate a GUID during installation and then have that be part of the HTTP stream there'd be no reason for cookies at all. Be a good idea to have some sort of trapdoor hash function to prevent browser GUID spoofing also.

  3. Now everybody, not just Google, can read your email! by VidEdit · · Score: 0, Troll

    Well, now, since everyone who uses GMail already lets Google read their mail, what's the difference if a few Hackers get a hold of your account? Oh sure, they could read your spam and your Slashdot subscription notices, but email is plaintext anyway! Anybody with a packet sniffer can read your email. As for sending e-mail in your name, spammers already do that now and few duffers can tell the difference.

  4. Israeli hackers? by Anonymous Coward · · Score: -1, Troll

    The Jews are trying to hack open Google for Yahoo IMHO.

  5. Hmmm.... by spicy+salsa · · Score: 0, Troll
    I actually think the Hotmail backdoor was fairly similar to this (you used a login form on a site other than Hotmail.com and you did not have to enter a password).


  6. Re:Isn't it... by Anonymous Coward · · Score: -1, Troll

    Google don't have an effective policy for reporting bugs, you can email security@google.com all you want, but they do not answer, we've had repeated recent exploits from Google. It took me over 2 1/2 years to get Google to acknowledge their flaw, and that happened only after I went public - and

    Google have serious security problems, there's still a number of other XSS security flaws there, and they're so obvious no newbie web scripter would make the mistake.