Gmail Messages Are Vulnerable To Interception

Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.

chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer will be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."

One Key Word

[wcitechnologies]

BETA. It is unlike google to release half-assed web services. Keep in mind GMail is still being offered as a preview, you can't even sign up unless you know somebody else who has it.

Google will work out the kinks, they always do.

Re:One Key Word

[MightyMartian]

> Google will work out the kinks, they always do.

Let me know when they fix the disaster known as Google Groups 2. They've buggered up a ton of archive references, and don't exactly seem to responding in a stellar fashion to the problems.

Re:One Key Word

[the_mad_poster]

Agreed.

Not only that, as always, e-mail from one network to another across unknown intermediaries is not private. It travels on public wires across public networks. If there's a value in someone targetting you and you're not technically competent enough to know you shouldn't use gmail for important discussions, they can just snap a packet sniffer onto your gateway and watch everything you send and receive right at the source with little fuss and no muss.

First thing's first: you ought not be relying on generated passwords that come in an e-mail. You get it, you change it, that's that.

Second thing: it's called encryption, m'friends. It doesn't matter what's in the envelope when a bad guy intercepts it if he can't open it.

Re:One Key Word

[phats+garage]

I disagree.

I know that its everyones darling, Google, but its not any less of a privacy spilling bug. Look at everyone who jumped on gmail already. Look at the bug itself, their servers trust the email client to terminate a string.

Never trust an internet client to provide properly formatted strings. Google blew it. (Besides, they're on my bad list for screwing up the usenet archives anyways, they're turning evil.)

Beta..

[ackthpt]

Beta...beta... Golly, I wonder what that means.

Oh, sure, it means ready to be shipped/used in production by some companies, but has that line gotten to fuzzy for some people?

"that's not a feature, that's a bug"

Re:Beta..

[ackthpt]

yes, it's a beta... but shouldn't beta be a functional version being tested for bugs?

Certainly, and as a Gmail user you should view your use of Gmail as evaluation, not something you depend upon for any critical application.

if my email and/or account can be compromised, in a way that cripples its basic functionality as an email service, i am not sure if you can call it a "beta" to begin with. how do you work out bugs in the program if it can't be trusted to function as intended at the very basic level?

You have the sense that it's experimental and don't rely on it for anything critical. Get another email service which isn't Beta for anything requiring security/reliability. I'm sure Google has the terms somewhere, which state something along the lines of "user accepts all risk" and "Google shall not be held responsible for" That's a pretty good indication you're depending on something you shouldn't.

if a beta version of a photoshop, as an example, couldn't even reliably open a JPEG file, that's a serious problem i'd be unwilling to dismiss simply as a "bug" just because "it's a beta."

Sure, but BETA means 'not ready for production' If you bought the production version of Photoshop and it left artifacts in your work, you have an issue with the company. Artifacts in Beta should not be unexpected and the role of the user is not to complain about it, but to point the bug out to the developer, after all using BETA software is intended to be testing and evaluating.

Re:Beta..

[ad0gg]

news.google.com has been in beta for 3 years now. Same with google groups, same with froogle. Pretty much the only thing that google hasn't labeled beta is their main search engine.

Re:Beta..

[OmnipotentEntity]

What again about GMail on "a very basic level" is not functional?

It does have bugs. It's in beta and it has bugs. I honestly don't see where this is even news.

if a beta version of a photoshop, as an example, couldn't even reliably open a JPEG file, that's a serious problem i'd be unwilling to dismiss simply as a "bug" just because "it's a beta."

That metaphor is flawed. A better one would be, "If a beta version of Photoshop couldn't open a JPEG with a bad header reliably, it's a serious problem." And, AFAIK, you can't open a JPEG in Photoshop if it has a corrupt header.

if my email and/or account can be compromised

If you're worried about security use PGP first. There are easier ways to intercept email than this. This doesn't really do anything in the way of decreasing security, all it says is "Hey look, someone at Google forgot a conditional." And it'll probably be fixed tomarrow. GMail is loads more stable than most programs in beta. Get rid of your unrealistic expectations. Nothing is bullet proof.

Well...

[grub]

Yeah, it's a potential privacy breach. That said, using a web-based email system for top secret or potentially embarassing mail is pretty dumb. You get what you pay for, gmail is no different. (nb: I'm a happy gmail user)

Re:Security Category in Gmail Bugs List?

[TrippTDF]

This is just a shot in the dark, but I'm willing to bet Google left Security off the list on purpose. a security flaw becomes a lot harder to exploit if the general public does not know it is there.

I don't hold this against Google at all. I'm glad they are not telling the world how to break into my account...

Newsflash

[hackstraw]

Speaking loudly in a public place can be intercepted!

Although this appears to be a valid bug in GMail (that is still beta mind you, and will probably be fixed very quickly), who in the world considers plain text communication secure?

I have no idea who at my ISP has root access (or others that can gain root access) to read my plaintext mailbox.

Nothing to see here... please move along.

You mean there is a server-side bug in GMail

[Idaho]

From the description, the way you can read messages of other people has nothing to do with 'intercepting' messages. Man in the middle attacks are always possible, but this looks like a simple serverside bug (buffer overflow or string formatting problem, most likely) which will probably be fixed on short notice.

I don't think you can do directed attacks either (e.g. 'intercept' only the mail of a specific target). So I think it's not a real showstopper.

Still, it shows that even Google can make mistakes in their code...who would have thought! ;)

Re:Security Category in Gmail Bugs List?

[Eric+Giguere]

I'm not even sure how this bug could exist in any normal computing system.

It happens the same way that many (most?) bugs happen -- the human programmer forgot to check for boundary conditions in the data interpretation. As the old saying goes, "garbage in, garbage out" -- if you don't validate your data, you may be surprised at the results you'll get. Here the result is that it's exposing someone else's message to you. But it's not that surprising.

These things usually boil down to human error and incorrect assumptions. Nothing new here.

Eric
Why is William Shatner on my box of All-Bran?

Well...

[slavemowgli]

Serious as it may be, this does not allow you to selectively attack a specific person or account - you just have to "hope for the best", so to speak. While I wouldn't underrate it (is that a word?), I wouldn't overrate it, either, and I'm pretty sure that the Google people will plug this in no time. It's been my experience that they do look at reports that are coming in (just like they claim), and that they are generally quite quick to fix even minor issues, so something that is security-related *and* (by the sounds of it) easily fixable shouldn't last long.

That being said, did the authors actually contact Google about this prior to making the whole thing public? Full disclosure is good, of course, but it's also nice to give the vendor a chance to fix things before you inform every script kiddie in the world about what you found. :)

Re:Security Category in Gmail Bugs List?

[PhilHibbs]

What do you mean, "I'm not even sure how this bug could exist in any normal computing system"? Buffer overruns are everywhere. Although the classic buffer overrun involves getting the app to write beyond the buffer's bounds and into the stack, this one is getting it to read beyond the point that it should. Unless the system has memory protection built in (and that is only possible on very recent processors) then this is entirely unsurprising. "Some kind of hybrid"? You're not making sense.

All email is vulnerable.

[pavon]

To everyone expressing concern about using gmail in light of this exploit - I hope you know that all email is vulnerable to interception. It is sent as plaintext across the internet, and hops though a dozen servers before ending up at it's final destination. This exploit is just another way to do something that has been possible by design ever since email was created.

If you want your email to be secure you have to encrypt it. Otherwise don't have any expectation for privacy.

GMail vs Hotmail

[kevin_conaway]

Why is everyone brushing this off by saying "well you should have known that email isnt secure, tough luck!"

If Hotmail had this bug, everyone here would be up in arms.

Just because email isnt secure doesnt mean this isn't serious. I would hate to think of all the people reading my responses to craigslist postings :)

Re:GMail vs Hotmail

[valkraider]

If you know that your product may well have serious bugs like this, you shouldn't have sent out a press release promoting its launch, you shouldn't have given away free accounts to thousands of Blogger users, you shouldn't allow people to fire off a bunch of invitations to anyone they choose, and you should make some indication on the website (beyond "BETA," not everyone who uses Google reads Slashdot) that there can be risks associated with using it.

Hmm. I wouldn't try Windows if I were you...

Re:Security Category in Gmail Bugs List?

[RealAlaskan]

a security flaw becomes a lot harder to exploit if the general public does not know it is there.

I don't really see what difference the general public makes. The general public isn't interested in exploiting security flaws, even if there is a pre-rolled application which makes it easy, because the general public isn't script kiddies.

If one bad guy who can write a script for the script kiddies finds out about this, then the general public is at risk, even if he never releases that script. The general public is never going to find security flaws on their own, because they aren't looking. The bad guys, on the other hand, are definitely going to be looking.

If some good guy finds out about this kind of thing, I'd say that means that the bad guys either already found out, or will soon. I think that the best thing that hypothetical good guy can do for me is publish the details fast, so the google people have to get cracking and fix it, and so I know that my messages are not private.

How would waiting until the bad guys to release an exploit to the script kiddies before you tell the world help me? It wouldn't!

Way to go, jerks.

[Canthros]

You did notify Google and give them a reasonable period to time in which to respond, right? Because you've just shouted, in the loudest possible way, how to access all that data you're so worried about protecting.

SPAM!

[knitterb]

Chances are, since most email these days are spam, an attacker is going to have to go through a lot of spam before finding something interesting.

This was more about their 15 minutes than Google.

[EvilFrog]

Many other people have pointed out that GMail is still in beta, and that if they would have told Google first it probably would have gotten quietly fixed without any damage being done.

Of course, they acknowledge that, but they're arguing that they're helping protect people by making them aware of the problem.

I call bullshit. This is about them wanting recognition for finding the bug. If they would have sent it to Google, it would have been fixed and no one would care who discovered it. Because they went public with it they can boast that they were the ones who found the bug.

Of course, it swings both ways. Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame for making it public knowledge before Google had the chance to fix it.

Re:A Darker Shade of Grey Hat

[a16]

It doesn't matter what colour hat you classify them as, or whether you personally are glad that you know gmail is insecure - and you are also somehow happy that every script kiddie now knows how to attack your account.

There is no excuse whatsoever for releasing something like this to the public, especially without notifying the service and giving a long enough period for them to fix it (IMO even going public then doesn't achieve anything). All that this achieves is self-glorification for the people finding the exploits, they even go as far to ask for jobs at google in this case. If people could stop thinking about getting their name attached to an exploit, and thinking about the benefits for all users of the service/software affected, we'd have a lot less scripts floating around for the script kiddies to click and run.

Broken XML

[Glonoinha]

Jesus - am I the only one to recognize this bug?
This is just the most publicly seen instance but broken XML does this every single day.

Use the greater than and less than signs as data delimiters in the 'next generation' of data encoding (XML)? WTF were they thinking?

I'm not 100% they are using true XML but from the looks of it if they aren't they are using a home-built XML wanna-be and - well it looks like I was right a few years ago when I (unsuccessfully) campaigned against doing it that way. Not that I campaigned very loud, as I am basically a nobody.

Re:Broken XML

[CK2004PA]

Gmail is BETA, you do know this correct?

For those of you who aren't familiar with IT lingo, Beta means not ready for mass consumption. Your trying our a new food or drug product. It may had adverse effects on you, including death.

Get over yourselves already. Gmail is a great client, it will have flaws, but I'm sure Google will fix them.

To critique Google, they should have some method for anonymously submitting security defects/flaws. Or non-anonymous for you attention whores.

Hacker Hubris

[Jtheletter]

Wow, are these guys full of themselves. I write complex automation code for a living, in an environment that demands rigorous QA practices and documentation, but guess what? We still create bugs, find latent bugs that have gone undiscovered for many builds, and even get some real DUH! headslappers from time to time. Fact of the matter is, when you've got a couple hundred thousand lines of code there are going to be errors and unintended consequences, mostly arising out of missed checks, such as this gmail problem (assuming they're right about the end tag check being the cause).

For these people to find a single issue in such a system, then say it's a shortcoming of gmail's QA process, and in the same breath ask for work - implying they've got the skills to even handle such a job - is insulting. Please, just because you're smart enough to expose a flaw once you stumbled onto it in no way means you are qualified to correct that or any other issue. Sometimes our QA team finds a flaw and even digs in the logs enough to pinpoint the problem but it can still take the developer who designed the code days to correct.

In other words, noticing that you're bleeding does not qualify you as a surgeon. Instead of publishing their finidings in a detailed how-to, these asshats should have forwarded the info to gmail and let them deal with it, and that's assuming that the gmail team didn't already have it in their list of bugs. I just don't understand why people feel the need to not only describe a security problem, but give every hacker on the net a roadmap as to just exactly how to use it and what illicit activity it might be good for.

Re:Hacker Hubris

[MrYowler]

Yaknow...

It's not as though I weren't professionally credentialled, myself. I do have a CISSP and Cisco credentials - I just don't wave them around like badges of honor. I worked as a network programmer for guys like Inktomi (now Yahoo) and WebTV (now MSNBC) for several years, after starting two of my own very successful telecommunications service companies. That things went south for me, during the crash of the Internet economy, does not mean that you are somehow superior - just that you were lucky. Or perhaps young.

To demonstrate system complexity; I worked for the US Air Force, writing code to perform gamma spectral analysis in a nuclear chemistry laboratory, at one time. As for qualifications; I have worked for two organizations on high-capacity email systems; WebTV (now MSNBC) is one of them. I have ten years of college, 20 years of professional experience in various information technology roles, and a wealth of paper credentials.

I *do* have the experience and intelligence to both assess and correct the problem, and I was fairly certain that GMail would be capable of correcting the problem in sort order, if/when they chose to do so. And while I'd love to work there; no, I don't seriously expect this report to get me hired. There is a little more to the interview process than that, I suspect... ;-P

It *is* possible that the person who sees that you're bleeding - he just *might* be a surgeon.

You are guilty of the same assumptions that you accuse us of. You have assumed that we are a couple of ignorant fools who stumbled onto something, and you are degrading us for having the arrogance to publicly report on it. You further assume that we did not attempt to privately report on it.

The fact is that we tried. We could not find a reporting channel that elicited an apparent response, and so (with much needling and pushing from NSA Wally) we reported on it, somewhat more publicly. I frankly did not think that anyone but NSA Wally and I would even give a damn. And indeed, no one would have, except that we provided a detailed roadmap to the vulnerability. In fact, I seriously doubt that we would have gotten anywhere with the article, if NSA Wally had not happened to run across a username/password pair, in one of the messages that he intercepted.

And while I realize that our use of handles gives rise to the immediate assumption that we are '3v1l h4x0r5', the fact is that we like our privacy, and the psuedonyms serve to help us maintain it. You'll have to ask NSA Wally why he needled me into writing the article, or why has the name that he does. I think the latter has something to do with a bunch of people accusing him of being a member of federal law enforcement. I think that he did not want to argue the case. The former, I could not even speculate - but I'm not fond of arguing, either, and the article did not require much effort to write.

I seriously doubt that we were the first people to find the problem - more probably, we were just the first to bring attention to it. GMail accounts may have been being compromised in this way, for who knows how long - and this information used to compromise eBay/PayPal accounts, Amazon.com accounts (and the financial data that they retain for customer 'convenience'), and who knows what else. It is a fundamental fact of information security policy development, that such policies are designed to protect the organization that creates them - not necessarily the users, vendors, employees, or affiliates of the organization. If you publicly report on these issues, when you find them, then yes, there will be some abuse by the script-kiddies who hear about it. But the issue also suddenly becomes important, and resolution is usually rapidly forthcoming, because the problem is now high-profile. If you don't report on it, it may remain unknown to the folks who fix these things, or it may remain low-priority, because it does not represent a risk to the organization responsible for fix

Re:Client side contamination between accounts

one cookie in one browser, no wonder your system showed the same data.

Re:Well hey..

[Shafik]

Long Term Capital Managment had Nobel Prize winners doing their risk management and look where that ended, a nice multi-billion dollar tax-payer funded bail-out:

LTCM, a hedge fund above suspicion
Wikipedia entry

Re:Security Category in Gmail Bugs List?

[isomeme]

People are always saying that, but it just isn't true. Relying only on obscurity for security is probably a bad idea, but as part of a complete security solution, it can be very helpful.

People will not successfully exploit a vulnerability they do not know about, or attack a system they do not know is there. Even if some fraction of people are in the know, you've reduced your potential attacker count by the fraction of them who are not in the know.

A Job?

[jayloden]

lots of comments here are noting the hubris of these guys in asking for jobs.

I'd just like to add that not only are they criticizing the company's QA process and releasing the bug without having notified google first, as others pointed out...

They found the exploit by MISTAKE! It was a bug in their own code that caused the problem, something as stupid as a missing caret at the end of a line. So, in other words, they are looking for work looking for bugs in Google's software that they found solely because of a bug in the software they wrote.

On another note, bugs in software happen, no matter WHO you are, the trick is just to be able to fix them in a timely fashion and deal with the situation effectively. I believe that Google will do this, especially if the previous comment stating that it has been patched is true. Everyone is making too big a deal out of something that has happened to every developer on every software ever. The reason MS gets crap for it is simply because they continuously produce buggy code ridden with security issues, but deny this is the case, and often ignore security problems until they are found out by the general public.

-Jay

Google not receiving?

[everythingischanging]

I haven't been able to receive any gmails for a half hour or so... maybe they've disabled incoming messages until they've sorted this all out?

Not broken XML at all

[JimDabell]

This is just the most publicly seen instance but broken XML does this every single day.

XML never does this. XML parsers, upon finding a problem must stop parsing and throw a fatal error. It's in the specification.

Instead of mindlessly knee-jerking because you don't like XML, try reading the article. The greater-than symbol that causes problems is the delimiter for the email address - syntax that goes back to 1982's RFC 822 - long before XML's time.