Slashdot Mirror
Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
My google stock. My poor google stock!
I know I'm going to be modded up on this
just a bit irresponsible to be coming out with this before Google has had a chance to fix it?
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.
The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.
It's a surprisingly bad design by Google standards. By assigning an forever-good cookie value each users account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have re-authenticate every time they changed.
Maybe some hacker will make a program to break into every gmail account, read their mail, and send them ads about what people are talking about in mails!!!
I waited so long to get a Gmail account, I don't care if it sucks now... I also like Doom3...
The first person to fix the exploit will get a FREE GMAIL INVITE!
Did anybody else notice when they were coming up with unique login names when they first set up their gmail account that oftentimes the "Blahblah@gmail.com is taken" message would often be some other email address somebody else was trying? I mean, if you tried "johndoe@gmail.com" and it was taken, sometimes it would respond with "joeschmoe1234@gmail.com is already taken, try again".
Never heard of XSS until now (like me)? Here is one summary one summary of what the cookie theft looks like.
To-do List: Receive telemarketing call during a tornado warning. Check.
Like when we started treating e-mail as a file transfer protocol, or when documents began to contain executable content, XSS gives an avenue of attack by adding a new and unrequested behavior to something that used to be secure. We need to reduce these channels of exploitation if computers are going to become secure -- especially as we head towards a homogenized environment on the Internet with regards to executable code (.NET/Java).
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.
They caught this problem in beta, just as should be done! Bravo!
Brings some true professionalisim to an industry where companies actually ship/sell products with bugs like this all the time.
XSS is not the real problem here. The real problem is that the cookie can be used to authenticate an account. If you get a copy of the cookie and take it to another machine, you could log on using that cookie, even after the cookie has expired. This is a poor design, and XSS is just one way to exploit this. Another would be to simply copy Mozilla's cookies.txt file, or whatever browser you use. Or to sniff out the cookie over the network and use it from then on.
"No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.
1) Gmail plugs the hole.
2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.
3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.
Of course, if someone already got at your stuff, well, that's bad.
Since I can't tell them apart, I treat all ACs as the same person.
Time to read our wives e-mail to see if they are cheating or something.
Yeah, I agree. Your gmail account is the best mail I've ever used.
- Anonymous Cookie monster
news to me, if I could access the damn accounts.
had to tell people to revert to my old e-mail, since invariably I cannot open it.
Crossing my fingers, these issues will be solved in beta.
Timang tinggi tinggi
parang sudah asah
alang alang mandi
biar sampai basah
No worries! Remember it is still a beta. It is not like anyone will use this for a serious purpose.
badness 10000
what's the difference if a few Hackers get a hold of your account?
,SSNs and what not (I am creative). Now if some immoral hacker got hold of that data , the poor users would be duped twice, and I would feel really bad abt it (I mean I could have got twice the money myself if I wanted). So I request Gmail to help the Nigerian revolution and our fight against AIDS and dictators and fix the bug as soon as possible.
You know its not just as simple as you think. I mean I dont care if a few hackers read my email, but what if they decide to use sensitive info in it or delete it.
I run an e-business from Nigeria and earn some money in the process. People email me their bank account numbers, creditcard numbers
Beta should be reserved for functionality, GUI, and interoperability issues.
No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.
Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.
- - - - - - - - - - -
I am a programmer. I am paid to produce syntax not grammar. Deal with it.
Comment removed based on user account deletion
If you've got ALL THAT INFORMATION already migrated to a BETA service that's been around for ... a handful of months, you're pretty foolish. As far as it goes, I specifically DON'T have anything particularly importang going to my gmail account for exactly this reason--it's unproven as of yet. In fact, I had a two week outage, totally unable to use my gmail box, for uknown reasons. After working with the GMail team, it got fixed, but they never told me the actual cause. Yet another reason not to trust BETA software/services with really crucial information.
And before all the 'bots claim I'm bashing google, quite the contrary. I love GMail. But it's like any other BETA product right now--still working out the kinks.
7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
Troll? While I didn't necisarily think the parent post would be moded up, I certainly don't think it deserved a -1! Sigh, out of my hands...I certainly didn't mean to be a troll. I do think that it is legitimate to point out that email is plaintext and that GMail accounts are, in certain ways, already compromised. Seems people are very protective about their GMail...
Free Flat Screen HERE!
Please put your fucking "free stuff" spam in your sig, so those of us who turn sig display off to avoid having to read "free stuff" spam don't have to read it. Thank you.
Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.
Agreed, maybe Google is laurel resting in the wake of the IPO.
Do you remember web searching prior-Google? I used to take pride in knowing the Hotbot and AltaVista switches (and nand not) but Google's 1998 blew all that away. That level of knowledge was no longer necessary. There's probably a lesson in there somewhere.
XSS was highlighted because that's easiest way to steal the cookie without physical access to the machine which the victim uses.(correct me if i'm wrong).XSS makes it extremely easy for an attcker to social engineer a user into divulging his cookie, using a malformed hyper link in a mail. Though GMail was initially limited to computer savvy people it has now percolated to the masses.As the spread of recent viruses have shown social engineering normal users is trivial.
TechSutra
This technique has been in use at several moderate (> 50k users/mo) traffic sites I've worked on with no problems and no complaints for several years. And, state control is completely server side.
If you like cookies, off you go. I'll choose the more secure solution for now.
Care to explain what marketing plan for Gmail you've seen? So far, Google has issued a couple of press releases - announcing its intention to offer email services, etc - but nothing more than that, and it's made it repeatedly clear that the service is in beta.
Have you ever seen more than that? Have you seen any advertising (banner or otherwise) for the service? Just how do you contend that Google is marketing it?
And how the hell are you defining "fairly widespread use"? Just how many Gmail accounts do you think there are? 100,000? A million? Well, in comparison, how many Microsoft Hotmail or Yahoo Mail accounts do you think there are out there? I'd be surprised if Gmail had even a hundredth of the user base that its key competitors possess.
Gmail is in beta. Until they say it's not in beta please accept that nothing should be taken for granted. And the fact is that even "shipped" products aren't error free, so either learn to accept that things sometimes go wrong with software or just stop using a PC altogether.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
> Cookies compromise privacy in the same way,
No. Cookies are not the same across sites. Since each site comes up with its own cookie encoding scheme, data sharing becomes difficult (barring schemes like Passport: one reason why Passport in its original form was so creepy). Today, with fine-grained cookie managers (Moz, Opera) you can browse the web pretty privately, at least wrt cookies.
Incidentally, Real once got a lot of flak for incorporating just this feature into Realplayer, all the privacy arguments made then are true now as well.
Classic cookies are supposed to be opaque keys, but in reality people do use them for storing nonsensitive information, like stylesheet info. Your proposal would increase the hassle these people have to go through.
> but also can give the client state control if not used properly
rm if not used properly can hose your $HOME. A backup script used by a technician at your ISP used improperly can hose your Maildir. Doesn't mean rm or backup scripts are bad.
Btw, if you don't like client-side state, I suggest you get prepared for more unpleasantness: I'm predicting in 2-3 years we'll see the first browsers with more sophisticated client state management that'd allow browsers to work with websites (even app-centric websites like Gmail and Flickr) offline.
Go somewhere random
I highly disagree. When I use a product which is in "Beta" I do not expect it to meet the same level of stability/security etc. To do so is rediculous - anyone who develops software should understand why products of this kind require an extended beta period. It's definitely the best time to make last minute changes, adjustments, and to find problems like this. Finding these problems is the whole point of it being Beta in the first place. Anyone who's using this service for anything important, and then complaining about problems they have (other than as normal beta feedback) is being unreasonable!
From their Terms of Use: Their terms of service are very short, and easy to understand (not like most software agreements) and use of gmail is not only FREE, but it's entirely optional. No one's making you use it. People should not have the same level of expectation for this new service as they do of the original search engine, and if they, that's their own ignorance.
I also highly doubt that this beta period will last that much longer. GMail is becoming popular enough that the bugs and changes should be done soon.
Cheers,
Justin
I wonder if they fixed it. My session was just expired and I had to login in again. (My latest two week session ended a couple days ago.)
Sig is on vacation
I was using the "don't ask my password for two weeks" feature - Gmail just logged me out although the two weeks aren't up, and after logging in again I had a session ID tacked on to the URL like this:
f in itum
http://gmail.google.com/gmail?_sgh=2f3ab242adin
which I've never seen before.
I think it'll be a long Friday night at the 'Plex.
You gotta get out more. :)
Lots of companies are behind load-balanced proxy servers. To a server, requests for a particular session are coming from a small number of IP addresses of the proxies.
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
This story talks about this vulnerability in google which allows somone to replace the google page with a simple form telling the user that google is now a subscription service and asking for their credit card details. http://www.theregister.co.uk/2004/10/21/google_des ktop_security_vuln/
Is closed-source software always going to be insecure because some hacker somewhere has issues with it? I hope not - cos writing closed source software is my bread and butter.
With google's empire growing the way it is, I wonder if it is the next Microsoft? I sincerely hope not!
Could you guys at least have the courtesy of deleting all of those ads for mortgage applications? I'm sick of doing it myself.
"You're never ready, just less unprepared."