Slashdot Mirror


Gmail Messages Are Vulnerable To Interception

Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.

chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."

14 of 460 comments

  1. A Darker Shade of Grey Hat by American AC in Paris · · Score: 5, Interesting
    When you find a bug like this, you should first and foremost submit it to the party responsible for the maintenance of the code. You should at least give the responsible party the opportunity to review/respond/repair before making vulnerabilities public knowledge.

    Security exploits are a serious matter, and they need to be handled properly. Throwing this kind of thing out in the open willy-nilly is, at best, irresponsible. For one, it means that Google must now rush a fix for something which may have already been in the bugfix queue; rush jobs can disrupt the entire project and increase the odds of human error--which can lead to unnecessary security vulnerabilities.

    As for these guys getting hired by Google--being smarmy twits about Google's code review practices probably isn't gonna help their case any. Shame, because a little tact and professional courtesy would have given them a damn good running start at it...

    --

    Obliteracy: Words with explosions

    1. Re:A Darker Shade of Grey Hat by Threni · · Score: 2, Interesting

      What's this - the 10 commandments? You seem rather opinionated. Clearly the guys concerned don't agree with you. I use Gmail and I'm glad I'm aware of how insecure it is - something which wouldn't be the case if they'd not made me aware of it.

      I guess it's the hat thing. You've decided you have to choose what colour they're wearing and what they've done doesn't match. I'd leave the hats alone and think for yourself. They've spotted a bug in beta code and decided it was easier to tell the public rather than Google. Good luck to them.

  2. Re:One Key Word by Richie1984 · · Score: 2, Interesting

    Even though GMail is still being offered as a preview, there seem to be more invites than there are people willing to sign up, in my experience. Basically, in my opinion, if you want an account it isn't too hard to get one nowadays.

    And while GMail is still in Beta, it is still a widespread and widely used email service. So, while I can understand that there are still bugs in the service which Gmail could iron out without too much trouble, I would disagree with people who underestimate the severity of those bugs, and their implications, simply because Gmail hasn't reached final status.

    --
    I'm not stressed. I'm just terribly, terribly alert.
  3. i tried... by tcollier · · Score: 2, Interesting

    sending my own malformed message, but I didn't see any extra info in the headers....

  4. Well... by Anonymous Coward · · Score: 1, Interesting

    I tried to exploit it, but it appears to be fixed...

  5. Reads encrypted zip files by Free_Trial_Thinking · · Score: 2, Interesting

    The strangest thing happened to me when using gmail a few weeks ago. First I tried to send an .exe file, and of course gmail told me, "you're not allowed to send .exe files". So I changed the file extension and still got the same response somehow. Ok, then it gets weird:
    I figured I could hide it in a zip file so gmail wouldn't notice, and it still tells me I can't send an exe file!, then I encrypt the zip file, figuring there would be no way gmail could see what's inside, and it still finds the .exe file somehow!

    It really felt invasive to me to think that google is looking inside my encrypted zip files. I sent them a letter but never heard anything back.

    Does anyone have any insight into this? If you don't believe me, try it for yourself.

  6. Re:Security Category in Gmail Bugs List? by eno2001 · · Score: 1, Interesting

    As I said in another post yesterday. We can never expect to be secure without full disclosure at every turn. Bring pressure to bear upon the developers, whether it's Microsoft or Google or Linus of the BSD coding corpses, whenever there is a vulnerability. Keeping it a secret only protects the black hats.

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
  7. Client side contamination between accounts by behindthewall · · Score: 2, Interesting

    I have two gmail accounts (I'm evil). I tried to open both simultaneously in separate Firefox tabs. A short time after opening the second tab / account, I switched back to the first, to find the inbox listing the messages from the second account. Refreshing the page brought the entire page display to reflect the second account.

    I've also witnessed on at least one occasion an https session surviving overnight, with the POTS connection severed during this time.

    These experiences have already led me to consider gmail less than secure.

    The Google people are very, positively imaginative and creative. But they are not, at least not at first pass, all seeing. There are details to security that require some grinding detail and a lot of testing. A good language and a smart approach can lessen the grunt work, but a significant amount is still necessary.

    I think people haven't come down on Google like they do on MS because, in large part, Google is straightforward and direct in its communications and its intentions. And when a bug pops its head, they consider it a personal priority to correct it. Not just a business priority, based upon cost/benefit, but also the PERSONAL priority of those at Google who are involved in the issue.

    I hope they'll fix this quickly, and take a good, hard look at their server and session management. Looks like there's a serious need for better compartmentalization, and for data scope management.

  8. Re:Beta.. by carabela · · Score: 2, Interesting

    Speaking of which; how many years was ICQ in Beta?

    --

    The more you know, the less you need. [Admin added: from me.]
  9. google on it already? by WrenchPilot · · Score: 2, Interesting

    well after trying this out for myself, it appears google isn't delivering any mail (at least to my inbox) at the moment. after sending about 20 emails, half valid, half testing the missing '>'. After 20 minutes, none of the 20 have reached my inbox.

  10. Re:Security Category in Gmail Bugs List? by innocent_white_lamb · · Score: 3, Interesting

    That depends entirely on the context.

    The lock on a vault generally relies entirely on obscurity to obtain its security. You can't see how the cams are turning inside of the lock so you can't open it unless you know the combination. If you do know the combination, you can open the lock within a minute or so. If someone invents magic X-ray eye glasses that could see through the steel, then the standard mechanical combination lock would be useless.

    The question at that point becomes how likely is it that this would ever happen?

    In the case of a steel vault door, I submit it's fairly unlikely. In the case of a computer security scheme, on the other hand, ....

    --
    If you're a zombie and you know it, bite your friend!
  11. Re:Security Category in Gmail Bugs List? by Basje · · Score: 2, Interesting

    I'm all for full disclosure in public software. But gmail and other web services aren't public software.

    Full disclosure has a purpose: to educate users/admins in order to prevent damage to them. It should not be a goal in itself.

    In case of proprietary software running on a machine nobody but the developer has access to, why bother. It's not as if the users run more risk if FD isn't practiced. Au contraire.

    The only reason I can think of that would warrant FD, is when you want to keep tabs on the developer, because you don't trust them. In that case, find another service provider.

    --
    the pun is mightier than the sword
  12. Looks like GMail is not accepting Mail by ahsile · · Score: 2, Interesting

    I'm assuming this is until the problem is fixed:

    "APPLICATION" 516 "2005-01-12 20:01:48" "SMTPDeliverer - Message 15213: Delivering message from xxxxxxxxx@xxxxx.com to xxxxx@gmail.com."
    "TCPIP" 516 "2005-01-12 20:01:48" "DNSResolver - MX Lookup: gmail.com"
    "TCPIP" 516 "2005-01-12 20:01:48" "DNSResolver - MX Lookup result for gmail.com: 3 servers"
    "APPLICATION" 516 "2005-01-12 20:02:09" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp185.google.com."
    "APPLICATION" 516 "2005-01-12 20:02:30" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp171.google.com."
    "APPLICATION" 516 "2005-01-12 20:02:51" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp57.google.com."
    "APPLICATION" 516 "2005-01-12 20:03:13" "SMTPDeliverer - Message 15213: Failed to connect to gmail.com."
    "APPLICATION" 516 "2005-01-12 20:03:13" "SMTPDeliverer - Message 15213: Failed to connect to all xxxxx@gmail.com's mail servers."

  13. Re:Security Category in Gmail Bugs List? by isomeme · · Score: 2, Interesting

    The discoverers accidentally found a vulnerability. That sort of thing happens routinely. My point regards the wisdom of not widely advertising that vulnerability, on the theory that others are unlikely to encounter it on their own.

    If you discover that I've left my car unlocked, I would much prefer that you not festoon it with a large orange banner saying "THIS CAR IS UNLOCKED".

    --
    When all you have is a hammer, everything looks like a skull.