Slashdot Mirror
Gmail Messages Are Vulnerable To Interception
Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.
chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer will be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."
Google will work out the kinks, they always do.
Electrons are free; it is moving them that becomes expensive.
Oh, sure, it means ready to be shipped/used in production by some companies, but has that line gotten to fuzzy for some people?
"that's not a feature, that's a bug"
A feeling of having made the same mistake before: Deja Foobar
Many other people have pointed out that GMail is still in beta, and that if they would have told Google first it probably would have gotten quietly fixed without any damage being done.
Of course, they acknowledge that, but they're arguing that they're helping protect people by making them aware of the problem.
I call bullshit. This is about them wanting recognition for finding the bug. If they would have sent it to Google, it would have been fixed and no one would care who discovered it. Because they went public with it they can boast that they were the ones who found the bug.
Of course, it swings both ways. Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame for making it public knowledge before Google had the chance to fix it.
lots of comments here are noting the hubris of these guys in asking for jobs.
I'd just like to add that not only are they criticizing the company's QA process and releasing the bug without having notified google first, as others pointed out...
They found the exploit by MISTAKE! It was a bug in their own code that caused the problem, something as stupid as a missing caret at the end of a line. So, in other words, they are looking for work looking for bugs in Google's software that they found solely because of a bug in the software they wrote.
On another note, bugs in software happen, no matter WHO you are, the trick is just to be able to fix them in a timely fashion and deal with the situation effectively. I believe that Google will do this, especially if the previous comment stating that it has been patched is true. Everyone is making too big a deal out of something that has happened to every developer on every software ever. The reason MS gets crap for it is simply because they continuously produce buggy code ridden with security issues, but deny this is the case, and often ignore security problems until they are found out by the general public.
-Jay