Slashdot Mirror

← Back to Stories (view on slashdot.org)

Gmail Messages Are Vulnerable To Interception

Posted by timothy on from the top-men-are-working-on-it-top-men dept.

Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.

chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer will be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."

16 of 460 comments (clear)

  1. One Key Word by wcitechnologies · · Score: 5, Insightful
    BETA. It is unlike google to release half-assed web services. Keep in mind GMail is still being offered as a preview, you can't even sign up unless you know somebody else who has it.

    Google will work out the kinks, they always do.

    --
    Electrons are free; it is moving them that becomes expensive.
    1. Re:One Key Word by MightyMartian · · Score: 4, Insightful

      > Google will work out the kinks, they always do.

      Let me know when they fix the disaster known as Google Groups 2. They've buggered up a ton of archive references, and don't exactly seem to responding in a stellar fashion to the problems.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:One Key Word by the_mad_poster · · Score: 3, Insightful

      Agreed.

      Not only that, as always, e-mail from one network to another across unknown intermediaries is not private. It travels on public wires across public networks. If there's a value in someone targetting you and you're not technically competent enough to know you shouldn't use gmail for important discussions, they can just snap a packet sniffer onto your gateway and watch everything you send and receive right at the source with little fuss and no muss.

      First thing's first: you ought not be relying on generated passwords that come in an e-mail. You get it, you change it, that's that.

      Second thing: it's called encryption, m'friends. It doesn't matter what's in the envelope when a bad guy intercepts it if he can't open it.

      --
      Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
    3. Re:One Key Word by phats+garage · · Score: 5, Insightful
      I disagree.

      I know that its everyones darling, Google, but its not any less of a privacy spilling bug. Look at everyone who jumped on gmail already. Look at the bug itself, their servers trust the email client to terminate a string.

      Never trust an internet client to provide properly formatted strings. Google blew it. (Besides, they're on my bad list for screwing up the usenet archives anyways, they're turning evil.)

  2. Beta.. by ackthpt · · Score: 5, Insightful
    Beta...beta... Golly, I wonder what that means.

    Oh, sure, it means ready to be shipped/used in production by some companies, but has that line gotten to fuzzy for some people?

    "that's not a feature, that's a bug"

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Beta.. by ad0gg · · Score: 4, Insightful

      news.google.com has been in beta for 3 years now. Same with google groups, same with froogle. Pretty much the only thing that google hasn't labeled beta is their main search engine.

      --

      Have you ever been to a turkish prison?

  3. Re:Security Category in Gmail Bugs List? by TrippTDF · · Score: 4, Insightful

    This is just a shot in the dark, but I'm willing to bet Google left Security off the list on purpose. a security flaw becomes a lot harder to exploit if the general public does not know it is there.

    I don't hold this against Google at all. I'm glad they are not telling the world how to break into my account...

  4. Newsflash by hackstraw · · Score: 4, Insightful

    Speaking loudly in a public place can be intercepted!

    Although this appears to be a valid bug in GMail (that is still beta mind you, and will probably be fixed very quickly), who in the world considers plain text communication secure?

    I have no idea who at my ISP has root access (or others that can gain root access) to read my plaintext mailbox.

    Nothing to see here... please move along.

  5. Re:Security Category in Gmail Bugs List? by PhilHibbs · · Score: 4, Insightful

    What do you mean, "I'm not even sure how this bug could exist in any normal computing system"? Buffer overruns are everywhere. Although the classic buffer overrun involves getting the app to write beyond the buffer's bounds and into the stack, this one is getting it to read beyond the point that it should. Unless the system has memory protection built in (and that is only possible on very recent processors) then this is entirely unsurprising. "Some kind of hybrid"? You're not making sense.

  6. GMail vs Hotmail by kevin_conaway · · Score: 4, Insightful

    Why is everyone brushing this off by saying "well you should have known that email isnt secure, tough luck!"

    If Hotmail had this bug, everyone here would be up in arms.

    Just because email isnt secure doesnt mean this isn't serious. I would hate to think of all the people reading my responses to craigslist postings :)

  7. SPAM! by knitterb · · Score: 3, Insightful

    Chances are, since most email these days are spam, an attacker is going to have to go through a lot of spam before finding something interesting.

    --
    -bk
  8. This was more about their 15 minutes than Google. by EvilFrog · · Score: 5, Insightful

    Many other people have pointed out that GMail is still in beta, and that if they would have told Google first it probably would have gotten quietly fixed without any damage being done.

    Of course, they acknowledge that, but they're arguing that they're helping protect people by making them aware of the problem.

    I call bullshit. This is about them wanting recognition for finding the bug. If they would have sent it to Google, it would have been fixed and no one would care who discovered it. Because they went public with it they can boast that they were the ones who found the bug.

    Of course, it swings both ways. Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame for making it public knowledge before Google had the chance to fix it.

  9. Broken XML by Glonoinha · · Score: 3, Insightful

    Jesus - am I the only one to recognize this bug?
    This is just the most publicly seen instance but broken XML does this every single day.

    Use the greater than and less than signs as data delimiters in the 'next generation' of data encoding (XML)? WTF were they thinking?

    I'm not 100% they are using true XML but from the looks of it if they aren't they are using a home-built XML wanna-be and - well it looks like I was right a few years ago when I (unsuccessfully) campaigned against doing it that way. Not that I campaigned very loud, as I am basically a nobody.

    --
    Glonoinha the MebiByte Slayer
  10. Hacker Hubris by Jtheletter · · Score: 4, Insightful
    Wow, are these guys full of themselves. I write complex automation code for a living, in an environment that demands rigorous QA practices and documentation, but guess what? We still create bugs, find latent bugs that have gone undiscovered for many builds, and even get some real DUH! headslappers from time to time. Fact of the matter is, when you've got a couple hundred thousand lines of code there are going to be errors and unintended consequences, mostly arising out of missed checks, such as this gmail problem (assuming they're right about the end tag check being the cause).

    For these people to find a single issue in such a system, then say it's a shortcoming of gmail's QA process, and in the same breath ask for work - implying they've got the skills to even handle such a job - is insulting. Please, just because you're smart enough to expose a flaw once you stumbled onto it in no way means you are qualified to correct that or any other issue. Sometimes our QA team finds a flaw and even digs in the logs enough to pinpoint the problem but it can still take the developer who designed the code days to correct.

    In other words, noticing that you're bleeding does not qualify you as a surgeon. Instead of publishing their finidings in a detailed how-to, these asshats should have forwarded the info to gmail and let them deal with it, and that's assuming that the gmail team didn't already have it in their list of bugs. I just don't understand why people feel the need to not only describe a security problem, but give every hacker on the net a roadmap as to just exactly how to use it and what illicit activity it might be good for.

    --
    -- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
  11. Re:Security Category in Gmail Bugs List? by isomeme · · Score: 4, Insightful

    People are always saying that, but it just isn't true. Relying only on obscurity for security is probably a bad idea, but as part of a complete security solution, it can be very helpful.

    People will not successfully exploit a vulnerability they do not know about, or attack a system they do not know is there. Even if some fraction of people are in the know, you've reduced your potential attacker count by the fraction of them who are not in the know.

    --
    When all you have is a hammer, everything looks like a skull.
  12. A Job? by jayloden · · Score: 5, Insightful

    lots of comments here are noting the hubris of these guys in asking for jobs.

    I'd just like to add that not only are they criticizing the company's QA process and releasing the bug without having notified google first, as others pointed out...

    They found the exploit by MISTAKE! It was a bug in their own code that caused the problem, something as stupid as a missing caret at the end of a line. So, in other words, they are looking for work looking for bugs in Google's software that they found solely because of a bug in the software they wrote.

    On another note, bugs in software happen, no matter WHO you are, the trick is just to be able to fix them in a timely fashion and deal with the situation effectively. I believe that Google will do this, especially if the previous comment stating that it has been patched is true. Everyone is making too big a deal out of something that has happened to every developer on every software ever. The reason MS gets crap for it is simply because they continuously produce buggy code ridden with security issues, but deny this is the case, and often ignore security problems until they are found out by the general public.

    -Jay