Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail Messages Are Vulnerable To Interception

Posted by timothy on from the top-men-are-working-on-it-top-men dept.

Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.

chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer will be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."

4 of 460 comments (clear)

  1. Security Category in Gmail Bugs List? by dolo666 · · Score: 5, Informative

    Is it just me or do you find it strange that in the list of known Gmail bugs, there is no catagory for Security? I'm trying to find out if this bug is one of the known bugs, but I'm guessing it's not? And I'm also guessing that Security is not a concern for Google at this point, which is a very bad thing, IMHO. People are relying on Gmail because of its awesome features, but if someone can read insecured data directly from memory, it's a really big problem -- perhaps even a global design flaw of the system. No wonder Google plays their cards so close to their chest... I just hope they take some amazing measures to prevent these types of bugs in the future... like when somone does >>> or >>>> etc...

    I use Gmail and this bug sort of disturbs me. Aren't they using a proper preg check to see if the fields are enclosed with < > ? I'm not even sure how this bug could exist in any normal computing system. I guess the gmail system is a hybrid of some kind? This is indeed very telling...

    But it doesn't make me want to stop using Gmail. It's a random security breech that looks like they could fix it in an hour if they wanted to. Time to stop checking my email for a while until this is fixed...

  2. Email isn't secure by krog · · Score: 5, Informative

    and should never be treated as such. If you want security, use strong encryption.

    This is as it was 10 years ago, 5 years ago, now, and in the future. Plaintext should be treated as though you were sending a postcard in the mail.

    --
    Cretin - a powerful and flexible CD reencoder
  3. Re:Newsflash by Country_hacker · · Score: 5, Informative

    Looks to me like they already fixed it, I tried sending an email without putting the end bracket on the address (Just like the guys in TFA) and it popped an error message. Those guys at Google are on the ball today. :-)

    --
    Never give any object more potential energy than you want it to have.
  4. Re:All email is vulnerable. by Carthag · · Score: 4, Informative

    This exploit uses a flaw in Google's code that allows viewing of memory on Google's servers. Hardly an inherent flaw in email as such.