Gmail Messages Are Vulnerable To Interception
Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.
chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."
Did any of this "left over" information happen to be spurious commas?
Is it just me or do you find it strange that in the list of known Gmail bugs, there is no category for Security? I'm trying to find out if this bug is one of the known bugs, but I'm guessing it's not? And I'm also guessing that Security is not a concern for Google at this point, which is a very bad thing, IMHO. People are relying on Gmail because of its awesome features, but if someone can read insecured data directly from memory, it's a really big problem -- perhaps even a global design flaw of the system. No wonder Google plays their cards so close to their chest... I just hope they take some amazing measures to prevent these types of bugs in the future... like when someone does >>> or >>>> etc...
I use Gmail and this bug sort of disturbs me. Aren't they using a proper preg check to see if the fields are enclosed with < > ? I'm not even sure how this bug could exist in any normal computing system. I guess the gmail system is a hybrid of some kind? This is indeed very telling...
But it doesn't make me want to stop using Gmail. It's a random security breech that looks like they could fix it in an hour if they wanted to. Time to stop checking my email for a while until this is fixed...
Google will work out the kinks, they always do.
Electrons are free; it is moving them that becomes expensive.
Oh, sure, it means ready to be shipped/used in production by some companies, but has that line gotten too fuzzy for some people?
"that's not a feature, that's a bug"
A feeling of having made the same mistake before: Deja Foobar
What's the point... I can't get other people's GMAIL account/password info without already having a GMAIL account in the first place... And everyone knows, the goal is to get yourself a GMAIL account if you don't already have one... ;)
---
Programming is like sex... Make one mistake and support it the rest of your life.
and should never be treated as such. If you want security, use strong encryption.
This is as it was 10 years ago, 5 years ago, now, and in the future. Plaintext should be treated as though you were sending a postcard in the mail.
Cretin - a powerful and flexible CD reencoder
Security exploits are a serious matter, and they need to be handled properly. Throwing this kind of thing out in the open willy-nilly is, at best, irresponsible. For one, it means that Google must now rush a fix for something which may have already been in the bugfix queue; rush jobs can disrupt the entire project and increases the odds of human error--which can lead to unnecessary security vulnerabilities.
As for these guys getting hired by Google--being smarmy twits about Google's code review practices probably isn't gonna help their case any. Shame, because a little tact and professional courtesy would have given them a damn good running start at it...
Obliteracy: Words with explosions
It's easier than finding a technical solution, and money spent in the legal system is what feeds our lawyers and judges.
It is difficult to communicate with a person at Google -- Hay, Google, Hire me, I'm interested in working there.
Zhrodague.net - I do projects and stuff too.
n/t means no text.
Yeah, it's a potential privacy breach. That said, using a web-based email system for top secret or potentially embarrassing mail is pretty dumb. You get what you pay for, gmail is no different. (nb: I'm a happy gmail user)
Trolling is a art,
Speaking loudly in a public place can be intercepted!
Although this appears to be a valid bug in GMail (that is still beta mind you, and will probably be fixed very quickly), who in the world considers plain text communication secure?
I have no idea who at my ISP has root access (or others that can gain root access) to read my plaintext mailbox.
Nothing to see here... please move along.
Gmail = email for tech yuppies
I like to take people's Gmail invites, sign up, and then delete the account.
Google = best & brightest, right?
I mean, their aptitude tests & hiring policies make me believe they've got a few Nobel prize winners working there..
Shouldn't they be able to fix this during lunch break?
From the description, the way you can read messages of other people has nothing to do with 'intercepting' messages. Man in the middle attacks are always possible, but this looks like a simple serverside bug (buffer overflow or string formatting problem, most likely) which will probably be fixed on short notice.
;)
I don't think you can do directed attacks either (e.g. 'intercept' only the mail of a specific target). So I think it's not a real showstopper.
Still, it shows that even Google can make mistakes in their code...who would have thought!
Every expression is true, for a given value of 'true'
I can't remember the last time I caught the postman reading my e-mail.
Penis
now Google messes up...
with all the natural disasters happening, i cannot think of a good reason why the world wouldn't end the day after tomorrow.
would love a gmail invite if anyone is feeling so generous. Thanks in advance. jumbotech@yahoo.com
Simple.
All you communications are belong to them.
Obliteracy: Words with explosions
Oh shit!
Couldn't they have notified Google first, before going public? Given them time to take action? I don't like the fact that my email is suddenly vulnerable now that everyone and their brother knows how to intercept gmail messages.
Meinst du "may" und nicht "shall?"
Serious as it may be, this does not allow you to selectively attack a specific person or account - you just have to "hope for the best", so to speak. While I wouldn't underrate it (is that a word?), I wouldn't overrate it, either, and I'm pretty sure that the Google people will plug this in no time. It's been my experience that they do look at reports that are coming in (just like they claim), and that they are generally quite quick to fix even minor issues, so something that is security-related *and* (by the sounds of it) easily fixable shouldn't last long.
:)
That being said, did the authors actually contact Google about this prior to making the whole thing public? Full disclosure is good, of course, but it's also nice to give the vendor a chance to fix things before you inform every script kiddie in the world about what you found.
quidquid latine dictum sit altum videtur.
Because all good addresses will be taken by then!
I made sure I got my tribbin@gmail.com.
If you mod this up, your slashdot background will turn into a beautiful sunset!
I have sent you an Invitation.
Spelling mistakes: My is english spoken not tongue of mother.
grub@gmail.com
... when I found out when write() with negative value as a byte count actually reads the memory of a previous user...
If you want it confidential, have the sender encrypt and the recipient decrypt it without the intermediary reading the plain text.
If you really think about the term breech in its context of security, then the hind end of the body actually makes sense if you think about a security breach. Most security breaches occur through back doors, so the poster is actually accurate in using the spelling he did... :-)
Does anyone do this with MS, or do they post it on Slashdot so we can all laugh and make fun? It's the same thing whether you like the company or not.
To everyone expressing concern about using gmail in light of this exploit - I hope you know that all email is vulnerable to interception. It is sent as plaintext across the internet, and hops through a dozen servers before ending up at its final destination. This exploit is just another way to do something that has been possible by design ever since email was created.
If you want your email to be secure you have to encrypt it. Otherwise don't have any expectation for privacy.
I'm ok with that too, as long as there is some indication that it is being looked at, and not just shoved under the rug.
Also, ISTR hearing about this bug a few months ago. If it's all over the net, chances are good it's getting some attention.
E-mail messages susceptible to interception!!
Michael Wally writes "GMail messages are vulnerable to interception..."
You really are a wally if this is news to you. Email is quite fragile and it is by no means private. Use encryption with DJB's Internet Mail 2000.
I have seen more bugs in gmail than most beta software. Even choosing a username was a bizarre experience, in which my session was somehow interleaved with another guy's session and I kept getting result pages intended for him. Then when I got past that, the service was down more often than not.
I know a lot of happy users, so maybe I just had bad luck, but it really seemed alpha quality to me.
Why is everyone brushing this off by saying "well you should have known that email isn't secure, tough luck!"
:)
If Hotmail had this bug, everyone here would be up in arms.
Just because email isn't secure doesn't mean this isn't serious. I would hate to think of all the people reading my responses to craigslist postings
Are you communications private?
I don't even know where to start with this one!!!! Editors? You out there???
He's talking to the communications. Example:
"Are you guys ready?"
"Are you folks hungry?"
GMail messages are vulnerable to interception.
Can anyone name a form of message that isn't vulnerable to interception?
You can add an 's' to the gmail URLs and it will come back with HTTPS. Dunno if this is any workaround for the bug mentioned, once the bits are inside the app server anything can happen, but it keeps me from reading my mail in plain text.
For more fun, check out how ebay's static and images server returns responses null-padded to 4KB boundaries (usually).
You did notify Google and give them a reasonable period of time in which to respond, right? Because you've just shouted, in the loudest possible way, how to access all that data you're so worried about protecting.
Canthros
Chances are, since most email these days are spam, an attacker is going to have to go through a lot of spam before finding something interesting.
-bk
sending my own malformed message, but I didn't see any extra info in the headers....
It appears to already be fixed... try it and it errors out on the from line with a syntax error.
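The kind of check that produces a syntax rejection on the From line, as the comment above reports, can be sketched as follows. This is an added example, not code from the thread or from Google; the function names and sample messages are constructed, and it checks delimiter balance only, not the full RFC 5322 address grammar.

```python
# Added illustration: reject address headers whose angle brackets, quoted
# strings or comments are left open, before the message is stored.
# All names here are hypothetical; the sample messages are constructed.

ADDRESS_HEADERS = {"from", "sender", "reply-to", "to", "cc", "bcc"}


def check_angle_syntax(value):
    """Return None if delimiters in an address header balance, else a reason."""
    if any((ord(c) < 32 and c != "\t") or ord(c) == 127 for c in value):
        return "control character"
    in_quote = False
    comment_depth = 0
    open_at = None  # index of the currently open '<', if any
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and (in_quote or comment_depth):
            i += 2  # quoted-pair: skip the escaped character
            continue
        if in_quote:
            if ch == '"':
                in_quote = False
        elif comment_depth:
            if ch == "(":
                comment_depth += 1
            elif ch == ")":
                comment_depth -= 1
        elif ch == '"':
            in_quote = True
        elif ch == "(":
            comment_depth = 1
        elif ch == "<":
            if open_at is not None:
                return "nested '<'"
            open_at = i
        elif ch == ">":
            if open_at is None:
                return "'>' without matching '<'"
            if not value[open_at + 1:i].strip():
                return "empty angle-addr"
            open_at = None
        i += 1
    if in_quote:
        return "unterminated quoted-string"
    if comment_depth:
        return "unterminated comment"
    if open_at is not None:
        return "unterminated '<'"
    return None


def unfold_headers(raw):
    """Split a raw message into (name, value) pairs, joining folded lines."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":
            break  # blank line ends the header block; the body is not parsed
        if line[0] in " \t" and headers:
            name, val = headers[-1]
            headers[-1] = (name, val + " " + line.strip())
        elif ":" in line:
            name, val = line.split(":", 1)
            headers.append((name.strip(), val.strip()))
        else:
            headers.append(("", line))  # not a header line at all
    return headers


def screen_message(raw):
    """Return a list of (header, reason) findings; empty means accept."""
    findings = []
    for name, val in unfold_headers(raw):
        if name == "":
            findings.append(("(malformed line)", "no field name"))
        elif name.lower() in ADDRESS_HEADERS:
            reason = check_angle_syntax(val)
            if reason:
                findings.append((name, reason))
    return findings


# Constructed samples. GOOD has '<' inside a quoted string, a comment and the
# body, none of which should trip the check; BAD leaves the From '<' open.
GOOD = ('From: "Doe, Jane <jd>" <jane@example.org>\r\n'
        "To: a@example.org,\r\n  Bob (his <work> box) <bob@example.org>\r\n"
        "Subject: x > y\r\n\r\nbody <unclosed\r\n")
BAD = "From: <test@test.com\r\nTo: you@example.org\r\n\r\n"

if __name__ == "__main__":
    print(screen_message(GOOD))
    print(screen_message(BAD))
```

A receiving server would turn a non-empty findings list into a permanent rejection at the end of DATA rather than storing the message.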
People who do what you suggest according to "standard practices" could be charged with blackmail. It is far safer legally to anonymously release the information rather than contact the company.
I tried to exploit it, but it appears to be fixed...
The Reality
Don't be fooled! Geeks are NOT sexy!!! You have been warned. Find yourself a DJ instead. Ravers and Transers are far sexier.
I already read about this in a newsletter that I received in the "Reply To" field of an email.
--
Was it the sheep climbing onto the altar, or the cattle lowing to be slain,
or the Son of God hanging dead and bloodied on a cross that told me this was a world condemned, but loved and bought with blood.
They couldn't have notified the company because doing so would leave them open to blackmail charges. At least this way the worst that could happen would be Copyright/DMCA charges, which are much less serious. While I would love to see people notify companies of vulnerabilities and only go public when the company doesn't fix them, in today's legal environment that can lead to blackmail charges. I doubt you would be willing to provide full indemnity (you pay their legal bills and any fines or judgements against them) if they were willing to notify the company first.
Many other people have pointed out that GMail is still in beta, and that if they would have told Google first it probably would have gotten quietly fixed without any damage being done.
Of course, they acknowledge that, but they're arguing that they're helping protect people by making them aware of the problem.
I call bullshit. This is about them wanting recognition for finding the bug. If they would have sent it to Google, it would have been fixed and no one would care who discovered it. Because they went public with it they can boast that they were the ones who found the bug.
Of course, it swings both ways. Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame for making it public knowledge before Google had the chance to fix it.
To which I would answer, "No, I am a communications major."
Q:How many libertarians does it take to stop a Panzer division? A:None. Obviously market forces will take care of it.
Guess what? The Emperor is Naked
This must be the most trivial, ridiculous and dangerous bug I have ever seen in an email system
Now everybody and their little sister will start creating these emails, it is trivial to do on a large scale, everybody is screwed, your only hope is that it will happen to someone else
stupid, stupid Google!
Need it be said: You get what you pay for.
Read any good sonnets lately?
Beta Beta Beta, and again Beta.
Why do you think this word is used?
E-mail is for every person out there and it will not be secure unless people take it into their own hands.
Look, I use Gmail. It's great. I send pics to my family, a random file to myself so I can get it at work, and general announcements and hellos to my friends.
I even use MSN, ICQ, and AIM. But do you really think that I think it's secure!? Of course not. Plain text!! My friends warn me about Port sniffing and all sorts of things out there. Well you know what, if someone wants to know when my nephew is being born, or when my wife is getting off work and meeting me for dinner then fine. Go for it. The risk factor of such information is so low that it really doesn't bother me.
NOW, if you are worried about security, for bujesus sakes, send yourself a password/Encrypted Zip file, or when I really want to talk to friends about serious things we hook up SIMP for MSN or the other chat Clients. 1024 bit CHAT Encryption. E-mail, Chat and file encryption have been around for quite a while now. Don't assume people. You know what happens when you assume.
Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame
Who? The one who made the mistake or the one that found it? Heh.
..this affects the other person's email in any way? The only way to know would be for them to email the people whose email addresses they've censored, and ask them to check those particular emails. I wonder if they may have gotten corrupted too due to this, before the buffers were flushed?
Jesus - am I the only one to recognize this bug?
This is just the most publicly seen instance but broken XML does this every single day.
Use the greater than and less than signs as data delimiters in the 'next generation' of data encoding (XML)? WTF were they thinking?
I'm not 100% they are using true XML but from the looks of it if they aren't they are using a home-built XML wanna-be and - well it looks like I was right a few years ago when I (unsuccessfully) campaigned against doing it that way. Not that I campaigned very loud, as I am basically a nobody.
Glonoinha the MebiByte Slayer
Does anyone do this with MS, or do they post it on Slashdot so we can all laugh and make fun? It's the same thing whether you like the company or not.
No, notifying the company first is standard practice for, well, anybody with ethics. Microsoft aren't persecuted, it's just that Google just got shafted by people without any ethics. This is unusual no matter who is involved.
Amazingly, I just tried to duplicate the bug (for testing purposes only), and couldn't duplicate it. Anyone else had any luck?
Instead of posting requests for Gmail accounts here (where they are offtopic). Use http://www.gmailswap.com/ [Gmail Swap] where they are very happy to give you an invite. Ignore any messages that want something in return, you can easily get an account for free.
Kind of off topic, but might as well give them away here.
You should first and foremost submit it to the party responsible
Google just another company trying to make a buck, and they'll do anything it takes, such as getting in bed with the Chinese or helping Ken Lay.
Keeping these things hush hush so that Google doesn't get "hurt" only helps them continue these practices.
The strangest thing happened to me when using gmail a few weeks ago. First I tried to send an .exe file, and of course gmail told me, "you're not allowed to send .exe files". So I changed the file extension and still got the same response somehow. Ok, then it gets weird:
I figured I could hide it in a zip file so gmail wouldn't notice, and it still tells me I can't send an exe file!, then I encrypt the zip file, figuring there would be no way gmail could see what's inside, and it still finds the .exe file somehow!
It really felt invasive to me to think that google is looking inside my encrypted zip files. I sent them a letter but never heard anything back.
Does anyone have any insight into this? If you don't believe me, try it for yourself.
Wasn't the people at google wearing "I read your Email" T-Shirts at the Blackhat Conference?
Yeah it's beta! So fucking what?? A lot of people use Gmail, a LOT... for REAL emails. A security hole in Gmail affects real people with real concerns, and it should be announced and fixed asap, no matter if it's Alpha, Beta, Gamma, or Delta.
Gee, I hope Gmail wasn't the secret service's plan B option for email use.
http://yro.slashdot.org/article.pl?sid=05/01/12/0750227&tid=172&tid=215&tid=158
"Beer is proof that God loves us and wants us to be happy - Benjamin Franklin"
Please send an gmail invite. the last one got intercepted...
For these people to find a single issue in such a system, then say it's a shortcoming of gmail's QA process, and in the same breath ask for work - implying they've got the skills to even handle such a job - is insulting. Please, just because you're smart enough to expose a flaw once you stumbled onto it in no way means you are qualified to correct that or any other issue. Sometimes our QA team finds a flaw and even digs in the logs enough to pinpoint the problem but it can still take the developer who designed the code days to correct.
In other words, noticing that you're bleeding does not qualify you as a surgeon. Instead of publishing their findings in a detailed how-to, these asshats should have forwarded the info to gmail and let them deal with it, and that's assuming that the gmail team didn't already have it in their list of bugs. I just don't understand why people feel the need to not only describe a security problem, but give every hacker on the net a roadmap as to just exactly how to use it and what illicit activity it might be good for.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
From what I read on the site you could protect your message from interception by placing a '>' character at the start of your subject line or message body. If you are concerned about privacy use a > until they fix the bug.
Snowden and Manning are heroes.
At the bottom of TFA:
Screen Capture #5
Jack Rabbit Vibrator Features
This message describes the features of one "Jack Rabbit Vibrator," a 7.5" Multi-Speed toy of sorts.
What are the odds of finding that?
Gotta get me one of these!
I have two gmail accounts (I'm evil). I tried to open both simultaneously in separate Firefox tabs. A short time after opening the second tab / account, I switched back to the first, to find the inbox listing the messages from the second account. Refreshing the page brought the entire page display to reflect the second account.
I've also witnessed on at least one occasion an https session surviving overnight, with the POTS connection severed during this time.
These experiences have already led me to consider gmail less than secure.
The Google people are very, positively imaginative and creative. But they are not, at least not at first pass, all seeing. There are details to security that require some grinding detail and a lot of testing. A good language and a smart approach can lessen the grunt work, but a significant amount is still necessary.
I think people haven't come down on Google like they do on MS because, in large part, Google is straight forward and direct in its communications and its intentions. And when a bug pops its head, they consider it a personal priority to correct it. Not just a business priority, based upon cost/benefit, but also the PERSONAL priority of those at Google who are involved in the issue.
I hope they'll fix this quickly, and take a good, hard look at their server and session management. Looks like there's a serious need for better compartmentalization, and for data scope management.
Doesen't seem too bad to me. But I am just a foreinger...
[]'s Victor Bogado da Silva Lins
^[:wq
ive got some i want to get rid of too.
Scroogle is back in the news...
http://www.theregister.co.uk/2005/01/11/open_source_google_scraper/
#!/usr/bin/perl -w
use Net::SMTP;
use strict;
my $i = 0;
while(1) {
    $i++;
    my $smtp = Net::SMTP->new('gsmtp185.google.com', Debug => 1, ) or die "Cannot mail: $!\n";
    $smtp->mail();
    $smtp->to('yourgmail@gmail.com');
    $smtp->data();
    $smtp->datasend("From: <test\@test.com");
    $smtp->dataend();
    $smtp->quit;
    print "Sent $i\n";
}
for 6usd a month one can find a reputable company to provide him with more than one mega of mail. that's like unlimited quota constrained by your wallet.
and to top it off, u get a bonus, space to put your own weblog too!
_ In Egypt Networks: Network Solutions with a Twist
I find it interesting that someone worried about other people reading their email, would be using gmail.
The reason this is called "standard practice" is because it is, in fact, standard practice. This is how the vast majority of security holes get dealt with. Nobody's getting charged with blackmail for it, either.
NOTHING is secure. Everything on the net lasts forever. It can easily be intercepted, archived and screwed with in a hundred different places, and since it's around so long, eventually someone is going to figure out the encryption.
So if you are worried about your company's cooked books, your mistress and your assassination plan being discovered--DON'T write Email about them!
Also, by the way, if it's that important: Don't post it in a chat room or BBS, even "Anonymously", don't write or type it anywhere, don't get drunk and brag about it to your co-workers and pray that you don't talk in your sleep.
There's the ads, remember?
:)
The real losers here are the advertisers if Google doesn't fix this thing.
Still, gmail is in BETA, has an INVITATION-based signing up scheme. And no software is bug-free.
Anyway, thankfully I don't keep private info on my spydermann.slashdot g-mail account
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
I'm reading, the article, and I had a hard time figuring out what the hell, it said. Because. The horrible grammar, it was just a bunch of random thoughts and run on sentences, joined together with commas, and occasionally separated by periods.,..,
with all the natural disasters happening, i cannot think of a good reason why the world wouldn't end the day after tomorrow.
Because M$ will release a bug-free, easy to use operating system with reasonable licensing three days from now.
I stole this sig from someone cleverer than me.
I have already sent out all of my original invites to friends, and was recently given 10 more. If anyone wants them let me know.
"Insert Sig Here"
Is this the second or third security hole in gmail? All this in a fucking email service!! Google is turning out to be as bad as (or worse than) MS.
This exploit would be hardly interesting to a cracker. Sure it is a nasty bug, but it's too unpredictable to be useful. I mean, you can read -someone's- email, but not email of someone you're stalking or something like that. You may find a random piece of information, but there's no way you know what you find. With enough luck you can take over an account... of a stranger. The info could be sometimes used for malicious purposes, but it will in no way be profitable.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
OK so here's the vulnerability...
You send a malformed message, and you get some data remaining in the memory block. You can't control what account that data is from, it might or might not be something interesting to read and it might or might not contain sensitive data, etc. If you get lucky, someone using a single password at every site or a simply recognized pattern happens to have the one message that isn't spam in their buffer copied into your message so you can view it, you see their password, guess at the pattern and then have access to all of their data.
In the more likely case, you view their advertisement for v1agra.
If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
I just read: "...you can't even sign up unless you know somebody else who has it"
however-to be fair, I've seen other postings like the parent on other discussion lists.
Just "Here's some GMail invites" and a list of URLs.
I like microcars
So you prefer SBO?
Of course, it swings both ways. Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame for making it public knowledge before Google had the chance to fix it.
Blame, or sue?
I generally follow good security practices so I wouldn't be sending any sensitive info through email anyways. I've always said that if you have something you wouldn't want the whole world to know, don't say it through email.
But the thought of someone getting my Gmail password isn't appealing either. But because I use different passwords for everything, the damage would be limited.
They crawl your f'ing mail and sell the information to people.
They tell you this right up front.
There is no security.
STFU.
...spurious - I do not think it means what you think it means...
At least they won't be able to use any "sensitive information" against you. Confidentiality Notice The information transmitted in this e-mail is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this e-mail in error, please contact the sender and delete the e-mail and any attached material immediately. Thank you.
Think of how many people at Google probably read slashdot. To think that now that it's on slashdot everybody knows except Google is kind of silly. Also, at least one person on here reported that it seems they fixed the bug already, which doesn't surprise me.
Dear Penis,
That's the point. You never caught the postman reading anything. Nor did you catch the mail sorter reading anything, nor did you catch the postman that picked up the postcard from the sender reading it.
These people haven't caught anyone reading someone elses email either. They point out the reading can be done, not that it was caught.
Hand
GMail is a beta as some of the other people mentioned and beta product even though they are not supposed to be buggy are still in testing stages and are not ready for production release. So is it surprising that there was another bug found in the system? Not at all. After all that's how all software gets developed. You test it to exhaustion and if it passes all the tests it's good to go. If not you fix the problems. And if you are using GMail you should know that you have already agreed to the possibility of having an unreliable service. After all this is why Google is gradually expanding the number of users.
That aside. I use GMail and Spymac since they were the first 2 free services to offer 1GB storage and google whips Spymacs butt in every aspect. So does that bug bother me? Not really. I use pop3/smtp access all the time and plus this bug will be fixed very soon just like all the other problems found so far.
Or try this invite spooler here
When you use beta apps on your computer, do you expect them to be bug free? Why would an internet application differ from, say, a pre-release version of Longhorn?
If you are doing mission-critical email (as if email's even suitable for anything m-c) or are overly concerned about privacy, here's an idea: try using established technology, and maybe even GPG. Don't use something that says "beta" for those sensitive transactions....
I'm glad this article was posted, I'm just confused by some of the responses to it.
signed,
Captain Ob(li)vious
(%i1) factor(777353);
(%o1) 777353
Parent is not flamebait, it is a real insult.
It could be called informative, because I honestly believe the guy is a dumbass. At least, not flamebait.
Insulting the guy is just what I felt like doing, because I thought it was a stupid question to ask, not a call for flames.
In the FAQ it doesn't say that "profanity" or insults are discouraged.
My post was even on-topic because it answered a question regarding the way the site works (why no no-text messages)
just a thought
They may actually have tried to contact Google and failed.
Have you tried to send a GMail bug report to Google? It's really difficult! I tried it and whatever software they have to automatically scan bug reports kept misclassifying what I was saying. I gave up in the end; for a product in beta, they don't seem very keen to get feedback.
I dunno if this matters but after reading this I was messing with the subject line, if you paste a lot of chars in it they start disappearing after awhile but if you highlight them they show up. dunno what's up with that.
well after trying this out for myself, it appears google isn't delivering any mail (at least to my inbox) at the moment. after sending about 20 emails, half valid, half testing the missing '>'. After 20 minutes, none of the 20 have reached my inbox.
lots of comments here are noting the hubris of these guys in asking for jobs.
I'd just like to add that not only are they criticizing the company's QA process and releasing the bug without having notified google first, as others pointed out...
They found the exploit by MISTAKE! It was a bug in their own code that caused the problem, something as stupid as a missing caret at the end of a line. So, in other words, they are looking for work looking for bugs in Google's software that they found solely because of a bug in the software they wrote.
On another note, bugs in software happen, no matter WHO you are, the trick is just to be able to fix them in a timely fashion and deal with the situation effectively. I believe that Google will do this, especially if the previous comment stating that it has been patched is true. Everyone is making too big a deal out of something that has happened to every developer on every software ever. The reason MS gets crap for it is simply because they continuously produce buggy code ridden with security issues, but deny this is the case, and often ignore security problems until they are found out by the general public.
-Jay
I haven't been able to receive any gmails for a half hour or so... maybe they've disabled incoming messages until they've sorted this all out?
The sense of security coming from using a non-publicly-available product that is still in beta? Where the banner "Gmail by Google - Beta" is displayed at the top left of every page loaded? Where the 'Security' section of the user agreement is:
Security
You must promptly notify Google of any breach of security related to the Services, including but not limited to unauthorized use of your password or account. To help ensure the security of your password or account, please sign out from your account at the end of each session.
Oh yes, Google is certainly lulling us into a false sense of security.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
I hope google fixes this poor buffer hygiene soon
But since we now have a published exploit, I will be damn careful what I send for a while except for the messages my script sends to me;-)
Since [as GBS pointed out] "GH" can be pronounced "F" and in "enough" I christen this technique for dredging buffer junk for other people's goodies as
GHISHING
Which you would pronounce the same as PHISHING. And the GH might stand for Google Hack
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
I may be waay off because of my relative inexperience with coding, but it seems as if Gmail isn't accepting email from sendmail binaries for now. Concerned about this security risk I wrote a quick script to test it out myself.
[php?
mail('somename@gmail.com','test','this is a test','From: [somename@gmail.com');
?]
("somename" is a stand in for my real gmail account name and I used brackets instead of angled brackets for this post only)
This didn't work but when I switched out the recipient mail to my hotmail account, it went through fine. After some more testing, it seemed that gmail wouldn't accept mail from any code I tried, while hotmail was accepting just fine. A few weeks ago I had written a mail() script in php that sent to my gmail account and it worked fine. This leads me to believe that gmail has seen the problem and temporarily suspended the ability to receive email from sendmail binaries, thus negating the problem (if not sacrificing functionality) Anyone else come across this?
No no, you don't get it! He's simply introducing himself to the community at large. It's a play on words, really. Because, you see, his name is actually "New Here," so when someone utters (types) the phrase "New Here" his attention is drawn. When someone mentions my name incorrectly, I like to correct them as well! Of course, if people kept telling other people that their name is in fact your name, wouldn't you want to correct them? Honestly...
John Doe (to UserX): You must be Bob Dole.
Bob Dole: No, I'm Bob Dole.
You: Fuck off.
See how your response is completely inappropriate? Granted, that wasn't the *exact* syntax for this exchange, but there's no need to nitpick.
BTW, New Here - you're my hero.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
I've been bugging google about gpg support built into gmail. Never get any response though.
The road between democracy and tyranny is paved with secrecy in the name of security.
Rather than a post card, I would say it is more like sending a letter in an unsealed envelope.
You can see the content of a post card just at a glance. You can glance at things by accident. You can read an unsealed letter, but first you have to take it out of the envelope. You cannot do that by accident.
You cannot accidentally catch a glimpse of an e-mail, you have to intentionally look at it.
END COMMUNICATION
Far more disconcerting is the label American online in the screencaps.
500GB of disk, 5TB of transfer, $5.95/mo
microsoft tends to ignore REPEATED warnings and finally the ethical people will just release it.
two months of warning is fair i think.
i always support alerting the company first and giving them some time to solve the problem, but if the company doesn't even RESPOND in any way, screw them, they deserve it then.
btw only some people are the way you said, slashdot is not a single entity, but a collection of individuals.
if i found a security hole in MS software today, i don't know if i would bother to report it to them, since i know their history of working with others about those issues (rather not doing anything about it). it becomes a "why waste the effort to send the email/call etc when they won't respond"
WTF - it's horrific when MS fails to disclose a *security* flaw, but Google gets a free pass?
1GB - how cheaply you're bought...
gmail invites - first come, first serve
get one for yourself @ http://fundisom.com/free-gmail.php...
and if you don't get one now - i'll add many more over time.
and if you manage to get one and feel like saying thanks - have a look at the ads on the page...
enjoy...
Burn the AC, he's using logic!
->
http://fundisom.com/free-gmail.php
SMTP isn't secure anyway. SO what's the big risk that someone can get my message off of gmail from left over memory image. They could have just as easily sniffed the SMTP packets going from gmail to whatever server they're going to.
Bottom line don't use e-mail for sensitive information unless you use proper encryption before hand. -- fopd sodis risdick tra
I'm assuming this is until the problem is fixed:
"APPLICATION" 516 "2005-01-12 20:01:48" "SMTPDeliverer - Message 15213: Delivering message from xxxxxxxxx@xxxxx.com to xxxxx@gmail.com."
"TCPIP" 516 "2005-01-12 20:01:48" "DNSResolver - MX Lookup: gmail.com"
"TCPIP" 516 "2005-01-12 20:01:48" "DNSResolver - MX Lookup result for gmail.com: 3 servers"
"APPLICATION" 516 "2005-01-12 20:02:09" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp185.google.com."
"APPLICATION" 516 "2005-01-12 20:02:30" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp171.google.com."
"APPLICATION" 516 "2005-01-12 20:02:51" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp57.google.com."
"APPLICATION" 516 "2005-01-12 20:03:13" "SMTPDeliverer - Message 15213: Failed to connect to gmail.com."
"APPLICATION" 516 "2005-01-12 20:03:13" "SMTPDeliverer - Message 15213: Failed to connect to all xxxxx@gmail.com's mail servers."
Find Nearby Indie Events
just start all outgoing emails with the ">" character. according to the article to which the above notice links, this should be all that is needed to prevent your information to be among that which is picked up. or am i mistaken?
--eric.
Why is google news still in beta?
You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
Whoever modded parent as offtopic has no sense of humor.
Ever since I read this story on slashdot, I've not been able to receive emails in my 3 gmail accounts (the emails are from two different mail providers). So, have they now started refusing incoming messages (until the bug is fixed)?
XML never does this. XML parsers, upon finding a problem must stop parsing and throw a fatal error. It's in the specification.
Instead of mindlessly knee-jerking because you don't like XML, try reading the article. The greater-than symbol that causes problems is the delimiter for the email address - syntax that goes back to 1982's RFC 822 - long before XML's time.
Seems like the Gmail folks have taken their SMTP server down.
Thanks folks for forcing Google to upgrade in a hurry. Now I can't read my e-mail!
Arghhhh
Most Humorously Appropriate Usage of the Word "Festoon" In A Slashdot Post.
Potato chips are a by-yourself food.
For some reason, when you click on a link someone sends you in gmail, it opens in a new window, all well and good, but it rearranges IE's toolbars. I carefully put the standard set of buttons, the "File" menu, and the Address bar on one line (to minimize use of vertical real estate) and the new window has them all on separate lines...which is irksome if that's the last window that gets closed in IE, because that means it sets the pattern for next time you start up IE.
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
I'm communications corporal, sir!
I wish he was... Check out the guy's previous comments, he introduced himself quite enough already. It's getting old. I agree the AC's reply is much more disturbing though.
I'm trying to improve my English. Please correct me on any spelling/grammar errors in this post.
I'm sorry - I forgot the sarcasm tags in that last post.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
There was a web site called gmail-is-to-creepy.com that had a lot of info about gmail ... I stopped using it a week after I saw that site
If I'm reading this correctly, there are two guys who found a flaw in Gmail's code. They end this announcement with a message to Google suggesting they would be good coders and they are for hire. But didn't they find the bug with a bug of their own? Didn't they ruin their chance of proving they are "good enough" by announcing how they found out about the bug?
Strong words for a man with four exclamation marks in a row, and three question marks.
Stupid like a fox!
Haha, mod that up. Very nice puns.
Random is the New Order.
There is a major motion picture by that name, and the Earth is afraid of the lawsuit.
emt 377 emt 4
All you nerds who are complaining don't realise its a freakin beta you're in. If you put private stuff in a beta email system you deserve to get screwed over. Stuff it and eat a dik all of you
Throw it to bugtraq if you want exposure and to get it noticed. Not Slashdot.
http://www.experts-exchange.com/M_1296800.html
MrYowler? Cyberarmy? Oh boy, its attack of the script kiddie wanna be's.
bluetigerbc[atsymbol]gmail.com (myself) has about 4-5.
i'll give them to whoever needs em. (if 6 people ask, the last one wont get it as order of who asked first in my email box)
bluetigerbc
It's a data parsing error (missing that closing < makes it read stuff from other mailboxes and print that back inappropriately)
Why it can even read past the end of your message is a mystery to me. They might be using very specialized memory managers in their codebase that use buffers in specific ways, however, which would make this possible.
I wouldn't call that a buffer overrun. It's a parsing error which exposes read access to some kind of application-managed memory in an unexpected way.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
In picture number 2, they didn't do a very good job hiding the info. If you do a google search for <inurl:akienm>, you get just a few results. Just by looking at the snippet from the first result (without actually traveling there), you can see his domain is weirdness.org. From this you look back at the message and deduce that the login URL is http://weirdness.org/akienm/checkpointjob. The username starts with ak, so it is probably akienm. The password starts with bi. This dramatically reduces the amount of work needed to brute force his password. Hopefully akienm will change his password soon.
Andrew
I'm very impressed that Google (or more to the point Chris Dibona) responded and the bug was fixed so quickly. Can we expect more of this from Google in the future? I sure do hope so.
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
That was my fault. As I have indicated in several other replies, I was the 'editor' in our little research team (I used to teach English to ESL students, some 20 years ago), but I honestly did not think that this would ever see a reader.
Sorry for the minor boo-boo. I'll try to be more grammatically correct, in the future... ;-P
Yep. We did.
In fact, the 'report a bug' link did not appear, in my GMail account. I had to use one of NSA Wally's other accounts, just to find out what the link was.
CyberArmy? Who said that?!
Yes, I'm that same MrYowler... :) Of course, that says nothing about my many professional information technology and information security credentials, but if you've already made up your mind that I'm an idiot, then there isn't much point in me trying to change your opinion. Remember, though, that your opinion says a great deal more about you than it does about me... ;-)
http://shit.slashdot.org/article.pl?sid=05/01/12/1655246
Oh yes. Sue.
NSA Wally makes slightly more than $300 per month working for his uncle, and I make about $450 per month putting cans of beets on grocery store shelves.
Take it all! Start with our crushing personal debts, and then you can have this flu that I have neither been able to shake, nor do I have medical coverage to get help with.
Yes, sue. Take us for all we're worth. That should amount to slightly less than nothing... ;-P
Hello, Thank you for your message. Today, Google was alerted to a security vulnerability affecting Gmail, and our engineers quickly resolved the issue. A very small number of Gmail users were affected, and all Gmail accounts are now protected from this vulnerability. Google has the highest regard for the security of our users' information and we apologize for any concern this issue may have caused. Thank you for taking the time to contact us. Sincerely, The Gmail Team
Yes, sue. Take us for all we're worth. That should amount to slightly less than nothing... ;-P
A word of caution:
Don't taunt the animals. If you have ever been involved in or observed divorce proceedings, you should already be aware that the legal process is frequently used by its participants as a means of punishment, rather than a source of revenue. The fact that you don't currently have money doesn't protect you from being the victim of some well-funded person or lawyer with a desire for retribution.
I submitted this bug (as thousands of slashdot users probably did) and here is the response I got from Google.
Hello,
Thank you for your message. Today, Google was alerted to a security
vulnerability affecting Gmail, and our engineers quickly resolved the
issue. A very small number of Gmail users were affected, and all Gmail
accounts are now protected from this vulnerability.
Google has the highest regard for the security of our users' information
and we apologize for any concern this issue may have caused. Thank you for
taking the time to contact us.
Sincerely,
The Gmail Team
:) Eh. I know how to file bankruptcy. Frankly, at this stage of the game, the only thing keeping me from doing so, is that I have no assets to protect.
The point is well-made, however, and I'd be likely to take it more seriously if I were not already an excellent candidate to go insane with a high-powered rifle in a bell tower, somewhere... ;-P
That, however, is part of the point of pseudonymity - it makes the rich fellow's job at least slightly more difficult, and the lack of reward, at the end, makes the effort essentially pointless. Better to pursue me for criminal action, as so frequently is the case when a vulnerability is publicly reported. Even that, though, just gets me three hots and a cot, and all the luvin' I can't handle... :-P
Never forget; death ends the pain. And the man who believes that he has nothing left to lose, is the most dangerous of all.
Hopefully, it doesn't come to that, and the tiny bit of rope that still has me connected to my sanity, will hold.
I have a Gmail invite if anybody wants one.
Google is going down the wrong route. This is like fixing a remote exploit by filtering traffic for the IP of the guy that rooted you. If your program is insecure, fix it, don't firewall suspicious messages. It's only a matter of time before a similar exploit is written unless gmail is engineered so that malformed messages don't get cached data.
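The failure mode that two comments in this thread speculate about (a parser that looks for the closing `>` beyond the end of the current message, in a buffer that still holds an earlier one), next to the bounded scan that rejects the malformed header instead. This is an added example, not part of any comment and not Gmail's code; the shared `pool` buffer, the function names and the sample messages are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a toy model of one receive buffer reused across messages.
 * All names and sample messages are constructed for illustration. */
#define POOL_SIZE 128
static char pool[POOL_SIZE];

static const char PREVIOUS[] =   /* constructed: someone else's earlier mail */
    "Subject: reset\r\n\r\nYour temporary code is 4417 <helpdesk@example.org>\r\n";
static const char MALFORMED[] =  /* constructed: From header lacks closing '>' */
    "From: <mallory@example.net\r\n";

/* Copy a message into the shared buffer without clearing what follows it,
 * so the tail of the previous message stays behind. Returns stored length. */
size_t pool_store(const char *msg) {
    size_t n = strlen(msg);
    if (n > POOL_SIZE) n = POOL_SIZE;
    memcpy(pool, msg, n);
    return n;
}

/* Length of the text between '<' and the next '>' found within `limit`
 * bytes of the buffer, or -1 if either delimiter is missing. */
long addr_len(size_t limit) {
    const char *lt = memchr(pool, '<', limit);
    if (!lt) return -1;
    const char *gt = memchr(lt, '>', (size_t)(pool + limit - lt));
    return gt ? (long)(gt - lt - 1) : -1;
}

/* Flawed: scans the whole buffer, so stale bytes can close the address. */
long addr_len_unbounded(size_t msg_len) { (void)msg_len; return addr_len(POOL_SIZE); }

/* Fixed: both delimiters must lie inside the current message. */
long addr_len_bounded(size_t msg_len) { return addr_len(msg_len); }

int main(void) {
    pool_store(PREVIOUS);
    size_t n = pool_store(MALFORMED);
    printf("unbounded scan: %ld bytes taken as the address\n", addr_len_unbounded(n));
    printf("bounded scan:   %ld (malformed, reject the message)\n", addr_len_bounded(n));
    return 0;
}
```

Zeroing the buffer between messages would also remove the stale bytes, but the bounded scan is what keeps the parser correct regardless of what the buffer holds.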
just to kill my wrong mod
That they fix those awful new groups...
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating