Slashdot Mirror


Gmail Messages Are Vulnerable To Interception

Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.

chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."

13 of 460 comments

  1. Security Category in Gmail Bugs List? by dolo666 · · Score: 5, Informative

    Is it just me or do you find it strange that in the list of known Gmail bugs, there is no category for Security? I'm trying to find out if this bug is one of the known bugs, but I'm guessing it's not? And I'm also guessing that Security is not a concern for Google at this point, which is a very bad thing, IMHO. People are relying on Gmail because of its awesome features, but if someone can read unsecured data directly from memory, it's a really big problem -- perhaps even a global design flaw of the system. No wonder Google plays their cards so close to their chest... I just hope they take some amazing measures to prevent these types of bugs in the future... like when someone does >>> or >>>> etc...

    I use Gmail and this bug sort of disturbs me. Aren't they using a proper preg check to see if the fields are enclosed with < > ? I'm not even sure how this bug could exist in any normal computing system. I guess the gmail system is a hybrid of some kind? This is indeed very telling...

    But it doesn't make me want to stop using Gmail. It's a random security breach that looks like they could fix it in an hour if they wanted to. Time to stop checking my email for a while until this is fixed...

    1. Re:Security Category in Gmail Bugs List? by Anonymous Coward · · Score: 2, Informative

      "security by obscurity" generally refers to a system whose security requires obscurity by design. There's nothing wrong with deciding to not publicize known security holes while you try to fix them.

    2. Re:Security Category in Gmail Bugs List? by Q2Serpent · · Score: 3, Informative

      People will not successfully exploit a vulnerability they do not know about

      You did read the article, yes? This is exactly what happened.

    3. Re:Security Category in Gmail Bugs List? by mattgreen · · Score: 2, Informative
      There's nothing wrong with deciding to not publicize known security holes while you try to fix them.

      Unless you're Microsoft, of course.
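The first comment above asks whether a proper check that address fields are enclosed in < > was in place. As an added example (not code from the thread or from Google), here is a strict, fail-closed recipient-header parser in Python: a field with a dangling '<' or a missing closing '>' is rejected outright instead of being passed on to later processing. The grammar is a simplified RFC 5322 subset (assumption: no comments or quoted local parts), and all names are my own.

```python
import re

# Strict grammar for one recipient: either a bare addr-spec, or an optional
# display name followed by an addr-spec in angle brackets. Simplified RFC 5322
# subset (assumption: no comments, no quoted local parts).
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATOM}(?:\.{_ATOM})*"
_ADDR_SPEC = rf"{_DOT_ATOM}@{_DOT_ATOM}"
_DISPLAY = r'(?:"[^"\\]*"|[A-Za-z0-9 ._-]+?)'
_RECIPIENT = re.compile(
    rf"^\s*(?:(?P<name>{_DISPLAY})\s*)?<(?P<angle>{_ADDR_SPEC})>\s*$"
    rf"|^\s*(?P<bare>{_ADDR_SPEC})\s*$"
)

class MalformedAddress(ValueError):
    """Raised for any recipient field that does not match the grammar exactly."""

def parse_recipient(field: str) -> tuple[str, str]:
    """Return (display_name, addr_spec), or raise MalformedAddress.

    The whole field must match: a dangling '<' or a missing '>' never matches,
    so the malformed form described in the story is refused, not tolerated."""
    m = _RECIPIENT.match(field)
    if not m:
        raise MalformedAddress(f"rejected recipient field: {field!r}")
    if m.group("bare"):
        return "", m.group("bare")
    name = (m.group("name") or "").strip().strip('"')
    return name, m.group("angle")

def parse_recipient_list(header: str) -> list[tuple[str, str]]:
    """Split a To:/Cc: header on commas outside double quotes and parse each
    part. Fail closed: one bad recipient rejects the whole header."""
    parts, buf, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [parse_recipient(p) for p in parts]

def is_valid_recipient_list(header: str) -> bool:
    """Boolean wrapper for use at the acceptance boundary (e.g. SMTP RCPT)."""
    try:
        parse_recipient_list(header)
        return True
    except MalformedAddress:
        return False
```

The point is that rejection happens before the field is handed to anything that formats or stores it, which is the behaviour chrisd describes Gmail adopting once the malformed messages stopped being accepted.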
  2. Email isn't secure by krog · · Score: 5, Informative

    and should never be treated as such. If you want security, use strong encryption.

    This is as it was 10 years ago, 5 years ago, now, and in the future. Plaintext should be treated as though you were sending a postcard in the mail.

  3. Re:Newsflash by Country_hacker · · Score: 5, Informative

    Looks to me like they already fixed it, I tried sending an email without putting the end bracket on the address (Just like the guys in TFA) and it popped an error message. Those guys at Google are on the ball today. :-)

    --
    Never give any object more potential energy than you want it to have.
  4. Re:All email is vulnerable. by Carthag · · Score: 4, Informative

    This exploit uses a flaw in Google's code that allows viewing of memory on Google's servers. Hardly an inherent flaw in email as such.

  5. Re:All email is vulnerable. by CharlieHedlin · · Score: 2, Informative

    This is getting better, many mail servers will use TLS (same protocol as SSL for the most part) for the communication between servers, and dozens of mail servers is a bit more than reality. Some ISPs may have 2-4 servers it will pass through internally, and then the next ISP may have 2-4.

    I have administered SMTP servers for small businesses and small to midsize ISPs for 10 years.

  6. Re:A Darker Shade of Grey Hat by argel · · Score: 2, Informative
    What's this - the 10 commandments? You seem rather opinionated. Clearly the guys concerned don't agree with you. [...] They've spotted a bug in beta code and decided it was easier to tell the public rather than Google. Good luck to them.

    Because it has become standard practice in the industry to inform the vendor and give them a reasonable amount of time to come out with a patch before publicly announcing the exploit. It's called professionalism a.k.a. an endangered species here at slashdot.

    --
    Argel
  7. Re:Gmail Invitation Emails here by skeptic68 · · Score: 2, Informative

    Instead of posting requests for Gmail accounts here (where they are off-topic), use http://www.gmailswap.com/ [Gmail Swap], where they are very happy to give you an invite. Ignore any messages that want something in return; you can easily get an account for free.

  8. Re:Broken XML by Anonymous Coward · · Score: 2, Informative

    > Use the greater than and less than signs as data delimiters in the 'next generation' of data encoding (XML)? WTF were they thinking?

    Hardly the "next generation". SGML has been around since 1976.

  9. Re:A Darker Shade of Grey Hat by pthisis · · Score: 3, Informative
    Because it has become standard practice in the industry to inform the vendor and give them a reasonable amount of time to come out with a patch before publicly announcing the exploit.

    Key here is "reasonable amount of time", which should be no more than a couple of weeks. Even that may be too long and many vendors will threaten you with lawsuits for going public once you've privately informed them of security holes.

    As Bruce Schneier (author of Applied Cryptography, creator of Blowfish/Twofish, etc) writes:

    What we've learned during the past eight or so years is that full disclosure helps much more than it hurts. Since full disclosure has become the norm, the computer industry has transformed itself from a group of companies that ignores security and belittles vulnerabilities into one that fixes vulnerabilities as quickly as possible.


    Note that Schneier does say:

    I believe in giving the vendor advance notice. CERT took this to an extreme, sometimes giving the vendor years to fix the problem. I'd like to see the researcher tell the vendor that he will publish the vulnerability in a few weeks, and then stick to that promise.


    Also from the same article:
    http://www.schneier.com/crypto-gram-0111.html

    During the early years of computers and networks, bug secrecy was the norm. When users and researchers found vulnerabilities in a software product, they would quietly alert the vendor. In theory, the vendor would then fix the vulnerability...There were incidents of vendors threatening researchers if they made their findings public, and smear campaigns against researchers who announced the existence of vulnerabilities (even if they omitted details). And so many vulnerabilities remained unfixed for years.

    The full disclosure movement was born out of frustration with this process. Once a vulnerability is published, public pressures give vendors a strong incentive to fix the problem quickly. For the most part, this has worked. Today, many researchers publish vulnerabilities they discover on mailing lists such as Bugtraq. The press writes about the vulnerabilities in the computer magazines. The vendors scramble to patch these vulnerabilities as soon as they are publicized, so they can write their own press releases about how quickly and thoroughly they fixed things. The full disclosure movement is improving Internet security.
    --
    rage, rage against the dying of the light
  10. The sense of security coming from using a beta? by Behrooz · · Score: 3, Informative

    The sense of security coming from using a non-publicly-available product that is still in beta? Where the banner "Gmail by Google - Beta" is displayed at the top left of every page loaded? Where the 'Security' section of the user agreement is:

    Security

    You must promptly notify Google of any breach of security related to the Services, including but not limited to unauthorized use of your password or account. To help ensure the security of your password or account, please sign out from your account at the end of each session.


    Oh yes, Google is certainly lulling us into a false sense of security.

    --
    "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin