Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
My google stock. My poor google stock!
I know I'm going to be modded up on this
Just a bit irresponsible to be coming out with this before Google has had a chance to fix it?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
OMFG have you seen the GMAIL 2 trailer it's like slow and it's telling you all the mail you sent in the first one then the music kicks in and and the geek comes out and gets an invite the inbox is on fire and geek is like fuck this im gonna go send an invite and HE SEND ONE TO A SPOOLER with angels singing and he lands on the spammer guys and that annoying scott richter guy is like GO GET EM TIGER! EMAIL IS ON TEH SPOKE!!!~`1 and theres less polys but rawkin bumb mappings you can view this on a special Gmail Invite that comes with a post modded down as "Troll".
The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.
The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.
It's a surprisingly bad design by Google standards. By assigning a forever-good cookie value to each user's account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have to re-authenticate every time they changed.
@gmail.com
Maybe some hacker will make a program to break into every gmail account, read their mail, and send them ads about what people are talking about in mails!!!
Israel is full of hackers, spies, and unsavory politicians.
dammit
Cross site scripting should not be considered a vulnerability.
I waited so long to get a Gmail account, I don't care if it sucks now... I also like Doom3...
Last time I checked Gmail was still beta with just a handful of people with accounts.
Well, to be fair, Gmail is still in 'beta'. This is the kind of thing beta is for, folks.
Okay, so a philosopher, a philologist, and a philatelist walk into a bar...
but.. isn't google the infallible poster-boy for internet success? I have a gmail account and love it - I do have the impression though that a lot of the success google enjoys is due to reputation. (Their services are great, too.. but you have to get people to use them, right?). Hope they fix it before it hits the media.
So isn't the real issue that there are bugs that allow your cookie file to be exposed? Shouldn't those be considered critical security bugs regardless of what Google does?
The first person to fix the exploit will get a FREE GMAIL INVITE!
Holy $!@#)( this is bad news. Let's hope the Google people resolve this very, very quickly.. or I'm switching e-mail providers (yet again).
I am the maverick of Slashdot
Did anybody else notice when they were coming up with unique login names when they first set up their gmail account that oftentimes the "Blahblah@gmail.com is taken" message would be some other email address somebody else was trying? I mean, if you tried "johndoe@gmail.com" and it was taken, sometimes it would respond with "joeschmoe1234@gmail.com is already taken, try again".
Never heard of XSS until now (like me)? Here is one summary of what the cookie theft looks like.
To-do List: Receive telemarketing call during a tornado warning. Check.
Anybody who uses a beta product for critical email shouldn't be entirely surprised when they run into trouble...
I've been using the Gmail account for stuff I could afford to lose, since there doesn't seem to be any way to shift it in bulk to my home computer. Now I'm really glad I didn't use it for anything important.
See what I've been reading.
this is what happens when you let a major corporation run an email system based on closed-source softwa.. [ducks]
Best FPS gaming site on the net... ok, well maybe not the best
Don't Use gmail..
Can I have that invite now?
Just joking I already have a gmail account, as a sidenote gmail is the best free email service I have used.
Real protocols like IMAP4 are still secure when using proper authentication and SSL.
I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.
They caught this problem in beta, just as should be done! Bravo!
Brings some true professionalism to an industry where companies actually ship/sell products with bugs like this all the time.
The only argument for cookies is tracking a user between sessions (i.e. to satisfy the evil marketing weenies). If browsers would just generate a GUID during installation and then have that be part of the HTTP stream there'd be no reason for cookies at all. It would be a good idea to have some sort of trapdoor hash function to prevent browser GUID spoofing also.
Well, now, since everyone who uses GMail already lets Google read their mail, what's the difference if a few Hackers get a hold of your account? Oh sure, they could read your spam and your Slashdot subscription notices, but email is plaintext anyway! Anybody with a packet sniffer can read your email. As for sending e-mail in your name, spammers already do that now and few duffers can tell the difference.
1) Gmail plugs the hole.
2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.
3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.
Of course, if someone already got at your stuff, well, that's bad.
Since I can't tell them apart, I treat all ACs as the same person.
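The design point made a few comments up (a cookie value fixed per account survives logout and password changes) and the remediation sketched in the numbered list above (after the fix, require a cookie the old ones cannot satisfy), as one added example that is not part of the original thread or of Google's code. The in-memory `SessionStore`, the `generation` counter and the lifetimes are assumptions made up for the example; `forever_cookie` reproduces the flawed scheme as the thread describes it, for contrast.

```python
import hashlib
import hmac
import secrets
import time

# --- The flawed design the thread describes: one long-lived value per account ---
# Constructed example key.  Because the value is derived from the account and a
# fixed secret, it is the same at every login and nothing the user does revokes it.
_ACCOUNT_SECRET = b"server-wide-secret (constructed example)"


def forever_cookie(username: str) -> str:
    """Per-account cookie that survives logout and password changes (bad)."""
    tag = hmac.new(_ACCOUNT_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{tag}"


def verify_forever_cookie(cookie: str):
    username, _, tag = cookie.partition(":")
    expected = hmac.new(_ACCOUNT_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(tag, expected) else None


# --- Per-login session identifiers with server-side revocation ---
class SessionStore:
    """Each login mints a fresh random token; logout or a password change
    revokes the account's tokens; bumping `generation` rejects every token
    issued before a fix was deployed (the thread's steps 2 and 3)."""

    DEFAULT_SECONDS = 24 * 3600            # ordinary login
    REMEMBER_ME_SECONDS = 14 * 24 * 3600   # "don't ask my password for two weeks"

    def __init__(self):
        self._sessions = {}   # token -> {"user", "expires", "generation"}
        self.generation = 1

    def login(self, username: str, remember_me: bool = False, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, never derived from the account
        ttl = self.REMEMBER_ME_SECONDS if remember_me else self.DEFAULT_SECONDS
        self._sessions[token] = {"user": username, "expires": now + ttl,
                                 "generation": self.generation}
        return token

    def validate(self, token: str, now=None):
        """Return the username for a live token, or None (and forget the token)."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None
        if s["generation"] != self.generation or now >= s["expires"]:
            del self._sessions[token]
            return None
        return s["user"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def change_password(self, username: str) -> None:
        """A stolen cookie must die with the old password: drop every session."""
        for tok in [t for t, s in self._sessions.items() if s["user"] == username]:
            del self._sessions[tok]

    def bump_generation(self) -> None:
        """Operator action after closing the hole: every outstanding cookie,
        stolen or not, is now invalid and the user is sent back to the login page."""
        self.generation += 1


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice", remember_me=True)
    print("valid:", store.validate(tok))
    store.change_password("alice")
    print("after password change:", store.validate(tok))
    print("flawed scheme still accepts:", verify_forever_cookie(forever_cookie("alice")))
```

The cost the comment mentions is real: with per-login tokens a user who hops between machines logs in on each one, which is exactly what the two-week "remember me" lifetime is for; the difference is that a two-week token can be revoked and a forever token cannot.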
Context IDs of course have to be validated so they're invalidated if used from an IP other than the one they were created for.
this guy has been posting all sorts of GNAA shit and fake gmail invites.. if you dont believe me just search his name
We forgive you google, we wuv google, googie does no wrong, WE FORGIVE U GOOGIE!!!
No no no, they got it all backwards!
(I bet they meant liamG to be vulnerable)
Time to read our wives e-mail to see if they are cheating or something.
Great, now get that working for dynamic IPs ...
Move Sig. For great justice.
IP's that change in the middle of a session?! Well that would suck. I've never run across that.
Wait, I have. AOL and some foreign satellite access providers but not lately- it's been a couple of years.
news to me, if I could access the damn accounts.
had to tell people to revert to my old e-mail, since invariably I cannot open it.
Crossing my fingers, these issues will be solved in beta.
Rock it up high, up high,
the machete is already sharpened;
if you're going to bathe anyway,
you may as well get soaked.
No worries! Remember it is still a beta. It is not like anyone will use this for a serious purpose.
badness 10000
what's the difference if a few Hackers get a hold of your account?
You know it's not just as simple as you think. I mean I don't care if a few hackers read my email, but what if they decide to use sensitive info in it or delete it.
I run an e-business from Nigeria and earn some money in the process. People email me their bank account numbers, credit card numbers, SSNs and what not (I am creative). Now if some immoral hacker got hold of that data, the poor users would be duped twice, and I would feel really bad about it (I mean I could have got twice the money myself if I wanted). So I request Gmail to help the Nigerian revolution and our fight against AIDS and dictators and fix the bug as soon as possible.
Great, now get that working on a shared connection like at work where hundreds of computers have the same external IP address
I have 6 ? anybody want? send an email to peeledback ...at..@!#..punkass.com
through..
One: Good PR
Two: "Branding"
Three: User Satisfaction
Which one does GOOG use?
How would this solve the problem? So I steal your GUID... same thing!! dummy
"We forgive you google, we wuv google, googie does no wrong, WE FORGIVE U GOOGIE!!!"
/.! Rest assured that your little darling is sorry for this colossal blunder! I will try harder next time not to expose every single bit of information that you store in me.
Thanks, /.
And thanks for not crucifying me the way you did Hotmail and others. Seriously, I appreciate all your double-standards, really I do. Now I can be just as exploit-ridden as Samba, OpenSSL, and Firefox and still know that you will always put a spin on it and somehow blame M$.
I wuv you too
Signed,
Your Googlie Woolgie
You still have to know the context ID. If you're giving your URL (with the context ID) to somebody with the same IP address as you odds are you want it to work for them anyway.
If you've got ALL THAT INFORMATION already migrated to a BETA service that's been around for ... a handful of months, you're pretty foolish. As far as it goes, I specifically DON'T have anything particularly important going to my gmail account for exactly this reason--it's unproven as of yet. In fact, I had a two week outage, totally unable to use my gmail box, for unknown reasons. After working with the GMail team, it got fixed, but they never told me the actual cause. Yet another reason not to trust BETA software/services with really crucial information.
And before all the 'bots claim I'm bashing google, quite the contrary. I love GMail. But it's like any other BETA product right now--still working out the kinks.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
Troll? While I didn't necessarily think the parent post would be modded up, I certainly don't think it deserved a -1! Sigh, out of my hands...I certainly didn't mean to be a troll. I do think that it is legitimate to point out that email is plaintext and that GMail accounts are, in certain ways, already compromised. Seems people are very protective about their GMail...
According to some, GMail is using MacOS servers, so there is hope for them after all :-)
In Soviet Washington the swamp drains you.
I've heard of cablemodem users whose IP's are assigned via DHCP and expire/change sometimes as often as every 30 minutes.
;-)
Actually, I've read about it here on Slashdot, so take it with a grain of salt.
No sig
The easiest fix for this one is the quick and simple Two Browser method.
For example, I use Konqueror and Mozilla (and Epiphany, but only for one specific site). Konqueror is as locked down as I can get it, reasonably. Java, Javascript, Cookies, Flash, Shockwave, plugins are all disabled completely. Mozilla can use Java, Javascript, and Cookies.
---
I typically browse the web with Konqueror, and I copy 'n paste a link if I need the functionality of Mozilla, or I type the thing in myself. I'll check the page source code and find the link I need to get around home-page Flash "content" (read: shit), before I paste the link into Mozilla.
It's a simple, direct, functional way of increasing your intarweb browsing security.
Use Two Browsers.
-
is apparently available here
2004-10-29 17:01:22 Gmail is open to exploit (Your Rights Online,Security) (rejected)
Since it's public, I'll just surf on over to Gmail and get myself an account...WHAT? I CAN'T?!!!
But you said it was public!!!
I guess I'll just have to hope that somebody gives me a private invitation so that I can become a beta-tester.
Mod me down and I will become more powerful than you can possibly imagine!
http://www.cgisecurity.com/articles/xss-faq.shtml
1. toss the persistent cookies
2. use only per-session cookies
3. tag the cookie with the IP address of the user so if someone does manage to steal a cookie their IP addy won't match and raise alarms, and encrypt the IP address info so it would be useless to anyone except gmail's servers...
I think the whole economy of the Nigeria revolves around the Internet :)
Um, isn't it true that the hacker would need to be able to get the cookie off the luser's workstation first? Anybody ever heard of a client firewall?
I wonder if they fixed it. My session was just expired and I had to login in again. (My latest two week session ended a couple days ago.)
Sig is on vacation
is there anyone still interested?
Look at ICQ: almost 10 years and STILL better
Come on, how about windows? Is it beta?
Beta is no reason to produce shoddy code like that.
Online backup with Mozy, sounds like Ozzie, but more!
I was using the "don't ask my password for two weeks" feature - Gmail just logged me out although the two weeks aren't up, and after logging in again I had a session ID tacked on to the URL like this:
http://gmail.google.com/gmail?_sgh=2f3ab242adin
which I've never seen before.
I think it'll be a long Friday night at the 'Plex.
...for Google to start hiring some computer security geeks in addition to the math geeks they've been so aggressively pursuing. Last week it was Google Toolbar that was found to be hole-ridden. This week it's gmail.
Please put your fucking "free stuff" spam in your sig, so those of us who turn sig display off to avoid having to read "free stuff" spam don't have to read it. Thank you. Also, contagious_d is a witless fucktard without the brains God gave feta cheese.
":)"
getting server errors in the login box for gmail now
Getting a server error message in place of the login box. It is going to be a long night at the 'plex as you say.
A bunch of ISPs (AOL included) by default set their users' browsers to use a proxy server where each request through the proxy goes out with a random IP from a pool of IPs. It's incredibly annoying from a developer standpoint. One little work-around to this problem, though, is to only check the first two bytes of the IP address. Definitely not a foolproof solution, since it won't usually stop abuse from people on the same ISP, but it's a bit better than nothing. But then there's the matter of people using a list of anonymous proxies on different ISPs..
You gotta get out more. :)
Lots of companies are behind load-balanced proxy servers. To a server, requests for a particular session are coming from a small number of IP addresses of the proxies.
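The IP-tagged cookie proposed in the three-point list above, with the loosening to a /16 prefix that the AOL-proxy comment suggests and the failure modes the replies raise (proxy pools, DHCP lease changes, shared corporate addresses), as one added example that is not part of the original thread or of Google's code. The key, the cookie layout (`session|network|tag`) and the sample addresses are assumptions made up for the example. Rather than encrypting the address, the tag is an HMAC: the holder of the cookie knows their own address anyway, and what the server needs is proof that the address field was not rewritten.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed example key; in practice a server-side secret that can be rotated.
BINDING_KEY = b"cookie-binding-key (constructed example)"


def issue_bound_cookie(session_id=None, client_ip="0.0.0.0", prefix_len=16) -> str:
    """Bind a session ID to the client's network.  prefix_len=32 is the strict
    "same IP" rule from the list above; 16 is the "first two bytes" relaxation
    for ISPs whose proxies rotate the client through a pool of addresses."""
    session_id = session_id or secrets.token_urlsafe(24)   # no '|' in urlsafe base64
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    body = f"{session_id}|{net}"
    tag = hmac.new(BINDING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def validate_bound_cookie(cookie: str, client_ip: str):
    """Return the session ID if the cookie is intact and presented from inside
    the bound network, else None."""
    try:
        session_id, net_str, tag = cookie.rsplit("|", 2)
    except ValueError:
        return None                     # malformed
    body = f"{session_id}|{net_str}"
    expected = hmac.new(BINDING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                     # forged, or the network field was edited
    try:
        if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(net_str):
            return None                 # stolen and replayed elsewhere, or the user's address moved
    except ValueError:
        return None
    return session_id


if __name__ == "__main__":
    c = issue_bound_cookie("sess1", "10.1.2.3", prefix_len=16)
    print(c)
    print("same /16 :", validate_bound_cookie(c, "10.1.200.7"))
    print("other /16:", validate_bound_cookie(c, "10.2.0.1"))
```

Worth noticing in the test cases: with a /16 binding an attacker on the same ISP block replays the cookie successfully, and with a /32 binding a legitimate user whose DHCP lease rolls over is logged out, which is the trade-off the thread is circling. Binding raises the cost of replay; it does not replace rotating the session at login and revoking it on password change.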
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
http://shit.slashdot.org/article.pl?sid=04/10/29/1830247
This story talks about this vulnerability in google which allows someone to replace the google page with a simple form telling the user that google is now a subscription service and asking for their credit card details. http://www.theregister.co.uk/2004/10/21/google_desktop_security_vuln/
Is closed-source software always going to be insecure because some hacker somewhere has issues with it? I hope not - cos writing closed source software is my bread and butter.
With google's empire growing the way it is, I wonder if it is the next Microsoft? I sincerely hope not!
Could you guys at least have the courtesy of deleting all of those ads for mortgage applications? I'm sick of doing it myself.
"You're never ready, just less unprepared."
I sent an email to myself @gmail welcoming any hackers who may be interested in my account!
...Had this been an actual emergency, we would have fled in terror, and you would not have been informed.
Code exploits released with MS warnings are just a way to get MS to move its lazy fat ass. Talk to the people that have tried to warn MS in the past before going public. After trying for months and months knowing that if the "whitehat" hacker knew then a "blackhat" hacker might also have found out, with MS doing shit or even threatening the hacker warning them, the world is no longer prepared to give MS a break.
Google has still got to ruin its reputation. It was warned and is acting upon it. Whitehats don't want holes to be exploited. They want them fixed. With google it seems enough to tell that the hole is there. With MS you must release the exploit code and create a security nightmare before MS will even think of reacting.
So yes, there are different standards. Not in what whitehats want to achieve but in what they need to do to get a company to react.
So they are not the same thing. The difference being the attitude of the company that has to fix the hole.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Yes in an ideal world all browsers would be 100% safe but they are not. Cookies being stolen is sadly it seems a problem that can't be fixed. So GUARD against it. Google should know better. There are a lot of tricks you can use to make certain that a cookie is indeed from the right computer. I make my living selling that kinda knowledge and you ain't paying me so I am not gonna tell but it ain't so hard.
All it takes is a paranoid mind. With the web in the state it is in, you really can't be too paranoid when developing anything to run on the web.
Glass
some technical details on how to replicate the vulnerability can be found here
http://www.infoworld.com/article/04/10/29/HNgmail_1.html?source=rss&url=http://www.infoworld.com/article/04/10/29/HNgmail_1.html
Now Gmail is down. anyone got a reason?
I'm here for the experience, not the Hyperbole.