Gmail Messages Are Vulnerable To Interception
Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.
chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."
Did any of this "left over" information happen to be spurious commas?
Is it just me or do you find it strange that in the list of known Gmail bugs, there is no category for Security? I'm trying to find out if this bug is one of the known bugs, but I'm guessing it's not? And I'm also guessing that Security is not a concern for Google at this point, which is a very bad thing, IMHO. People are relying on Gmail because of its awesome features, but if someone can read unsecured data directly from memory, it's a really big problem -- perhaps even a global design flaw of the system. No wonder Google plays their cards so close to their chest... I just hope they take some amazing measures to prevent these types of bugs in the future... like when someone does >>> or >>>> etc...
I use Gmail and this bug sort of disturbs me. Aren't they using a proper preg check to see if the fields are enclosed with < > ? I'm not even sure how this bug could exist in any normal computing system. I guess the gmail system is a hybrid of some kind? This is indeed very telling...
But it doesn't make me want to stop using Gmail. It's a random security breech that looks like they could fix it in an hour if they wanted to. Time to stop checking my email for a while until this is fixed...
Google will work out the kinks, they always do.
Electrons are free; it is moving them that becomes expensive.
Oh, sure, it means ready to be shipped/used in production by some companies, but has that line gotten too fuzzy for some people?
"that's not a feature, that's a bug"
A feeling of having made the same mistake before: Deja Foobar
and should never be treated as such. If you want security, use strong encryption.
This is as it was 10 years ago, 5 years ago, now, and in the future. Plaintext should be treated as though you were sending a postcard in the mail.
Cretin - a powerful and flexible CD reencoder
Security exploits are a serious matter, and they need to be handled properly. Throwing this kind of thing out in the open willy-nilly is, at best, irresponsible. For one, it means that Google must now rush a fix for something which may have already been in the bugfix queue; rush jobs can disrupt the entire project and increase the odds of human error--which can lead to unnecessary security vulnerabilities.
As for these guys getting hired by Google--being smarmy twits about Google's code review practices probably isn't gonna help their case any. Shame, because a little tact and professional courtesy would have given them a damn good running start at it...
Obliteracy: Words with explosions
Yeah, it's a potential privacy breach. That said, using a web-based email system for top secret or potentially embarrassing mail is pretty dumb. You get what you pay for, gmail is no different. (nb: I'm a happy gmail user)
Trolling is a art,
Speaking loudly in a public place can be intercepted!
Although this appears to be a valid bug in GMail (that is still beta mind you, and will probably be fixed very quickly), who in the world considers plain text communication secure?
I have no idea who at my ISP has root access (or others that can gain root access) to read my plaintext mailbox.
Nothing to see here... please move along.
Google = best & brightest, right?
I mean, their aptitude tests & hiring policies make me believe they've got a few Nobel prize winners working there..
Shouldn't they be able to fix this during lunch break?
From the description, the way you can read messages of other people has nothing to do with 'intercepting' messages. Man in the middle attacks are always possible, but this looks like a simple serverside bug (buffer overflow or string formatting problem, most likely) which will probably be fixed on short notice.
;)
I don't think you can do directed attacks either (e.g. 'intercept' only the mail of a specific target). So I think it's not a real showstopper.
Still, it shows that even Google can make mistakes in their code...who would have thought!
Every expression is true, for a given value of 'true'
now Google messes up...
with all the natural disasters happening, i cannot think of a good reason why the world wouldn't end the day after tomorrow.
Simple.
All you communications are belong to them.
Obliteracy: Words with explosions
Oh shit!
Couldn't they have notified Google first, before going public? Given them time to take action? I don't like the fact that my email is suddenly vulnerable now that everyone and their brother knows how to intercept gmail messages.
Serious as it may be, this does not allow you to selectively attack a specific person or account - you just have to "hope for the best", so to speak. While I wouldn't underrate it (is that a word?), I wouldn't overrate it, either, and I'm pretty sure that the Google people will plug this in no time. It's been my experience that they do look at reports that are coming in (just like they claim), and that they are generally quite quick to fix even minor issues, so something that is security-related *and* (by the sounds of it) easily fixable shouldn't last long.
:)
That being said, did the authors actually contact Google about this prior to making the whole thing public? Full disclosure is good, of course, but it's also nice to give the vendor a chance to fix things before you inform every script kiddie in the world about what you found.
quidquid latine dictum sit altum videtur.
So why put any text there? Sort of defeats the object... a bit like "This Page Intentionally Left Blank".
or my fav... "test message... please ignore" that you just _have_ to respond to...
I have sent you an Invitation.
Spelling mistakes: My is english spoken not tongue of mother.
Does anyone do this with MS, or do they post it on Slashdot so we can all laugh and make fun? It's the same thing whether you like the company or not.
To everyone expressing concern about using gmail in light of this exploit - I hope you know that all email is vulnerable to interception. It is sent as plaintext across the internet, and hops through a dozen servers before ending up at its final destination. This exploit is just another way to do something that has been possible by design ever since email was created.
If you want your email to be secure you have to encrypt it. Otherwise don't have any expectation for privacy.
I'm ok with that too, as long as there is some indication that it is being looked at, and not just shoved under the rug.
Also, ISTR hearing about this bug a few months ago. If it's all over the net, chances are good it's getting some attention.
E-mail messages susceptible to interception!!
Why is everyone brushing this off by saying "well you should have known that email isn't secure, tough luck!"
:)
If Hotmail had this bug, everyone here would be up in arms.
Just because email isn't secure doesn't mean this isn't serious. I would hate to think of all the people reading my responses to craigslist postings
Are you communications private?
I don't even know where to start with this one!!!! Editors? You out there???
He's talking to the communications. Example:
"Are you guys ready?"
"Are you folks hungry?"
GMail messages are vulnerable to interception.
Can anyone name a form of message that isn't vulnerable to interception?
For more fun, check out how ebay's static and images server returns responses null-padded to 4KB boundaries (usually).
You did notify Google and give them a reasonable period of time in which to respond, right? Because you've just shouted, in the loudest possible way, how to access all that data you're so worried about protecting.
Canthros
Chances are, since most email these days are spam, an attacker is going to have to go through a lot of spam before finding something interesting.
-bk
A breech is a breach of Goatse proportions.
Glonoinha the MebiByte Slayer
sending my own malformed message, but I didn't see any extra info in the headers....
I tried to exploit it, but it appears to be fixed...
I think you have to solve a math problem first.
I already read about this in a newsletter that I received in the "Reply To" field of an email.
--
Was it the sheep climbing onto the altar, or the cattle lowing to be slain,
or the Son of God hanging dead and bloodied on a cross that told me this was a world condemned, but loved and bought with blood.
Many other people have pointed out that GMail is still in beta, and that if they would have told Google first it probably would have gotten quietly fixed without any damage being done.
Of course, they acknowledge that, but they're arguing that they're helping protect people by making them aware of the problem.
I call bullshit. This is about them wanting recognition for finding the bug. If they would have sent it to Google, it would have been fixed and no one would care who discovered it. Because they went public with it they can boast that they were the ones who found the bug.
Of course, it swings both ways. Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame for making it public knowledge before Google had the chance to fix it.
To which I would answer, "No, I am a communications major."
Q:How many libertarians does it take to stop a Panzer division? A:None. Obviously market forces will take care of it.
Guess what? The Emperor is Naked
This must be the most trivial, ridiculous and dangerous bug I have ever seen in an email system
Now everybody and their little sister will start creating these emails, it is trivial to do on a large scale, everybody is screwed, your only hope is that it will happen to someone else
stupid, stupid Google!
Need it be said: You get what you pay for.
Read any good sonnets lately?
Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame
Who? The one who made the mistake or the one that found it? Heh.
..this affects the other person's email in any way? The only way to know would be for them to email the people whose email addresses they've censored, and ask them to check those particular emails. I wonder if they may have gotten corrupted too due to this, before the buffers were flushed?
Jesus - am I the only one to recognize this bug?
This is just the most publicly seen instance but broken XML does this every single day.
Use the greater than and less than signs as data delimiters in the 'next generation' of data encoding (XML)? WTF were they thinking?
I'm not 100% they are using true XML but from the looks of it if they aren't they are using a home-built XML wanna-be and - well it looks like I was right a few years ago when I (unsuccessfully) campaigned against doing it that way. Not that I campaigned very loud, as I am basically a nobody.
Glonoinha the MebiByte Slayer
Instead of posting requests for Gmail accounts here (where they are offtopic). Use http://www.gmailswap.com/ [Gmail Swap] where they are very happy to give you an invite. Ignore any messages that want something in return, you can easily get an account for free.
When was the last time you even saw your postman, do you camp out at the mailbox? How much time do you spend in the back room at your local post office, how about the regional mail distribution center? Does your mailbox have a lock on it (some do), if not how do you know your neighbors aren't opening it up and taking a peek while you're at work?
Kind of off topic, but might as well give them away here.
The strangest thing happened to me when using gmail a few weeks ago. First I tried to send an .exe file, and of course gmail told me, "you're not allowed to send .exe files". So I changed the file extension and still got the same response somehow. Ok, then it gets weird:
I figured I could hide it in a zip file so gmail wouldn't notice, and it still tells me I can't send an exe file!, then I encrypt the zip file, figuring there would be no way gmail could see what's inside, and it still finds the .exe file somehow!
It really felt invasive to me to think that google is looking inside my encrypted zip files. I sent them a letter but never heard anything back.
Does anyone have any insight into this? If you don't believe me, try it for yourself.
Weren't the people at google wearing "I read your Email" T-Shirts at the Blackhat Conference?
Gee, I hope Gmail wasn't the secret service's plan B option for email use.
http://yro.slashdot.org/article.pl?sid=05/01/12/0750227&tid=172&tid=215&tid=158
"Beer is proof that God loves us and wants us to be happy - Benjamin Franklin"
Please send a gmail invite. The last one got intercepted...
For these people to find a single issue in such a system, then say it's a shortcoming of gmail's QA process, and in the same breath ask for work - implying they've got the skills to even handle such a job - is insulting. Please, just because you're smart enough to expose a flaw once you stumbled onto it in no way means you are qualified to correct that or any other issue. Sometimes our QA team finds a flaw and even digs in the logs enough to pinpoint the problem but it can still take the developer who designed the code days to correct.
In other words, noticing that you're bleeding does not qualify you as a surgeon. Instead of publishing their findings in a detailed how-to, these asshats should have forwarded the info to gmail and let them deal with it, and that's assuming that the gmail team didn't already have it in their list of bugs. I just don't understand why people feel the need to not only describe a security problem, but give every hacker on the net a roadmap as to just exactly how to use it and what illicit activity it might be good for.
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
From what I read on the site you could protect your message from interception by placing a '>' character at the start of your subject line or message body. If you are concerned about privacy use a > until they fix the bug.
Snowden and Manning are heroes.
At the bottom of TFA:
Screen Capture #5
Jack Rabbit Vibrator Features
This message describes the features of one "Jack Rabbit Vibrator," a 7.5" Multi-Speed toy of sorts.
What are the odds of finding that?
Gotta get me one of these!
I have two gmail accounts (I'm evil). I tried to open both simultaneously in separate Firefox tabs. A short time after opening the second tab / account, I switched back to the first, to find the inbox listing the messages from the second account. Refreshing the page brought the entire page display to reflect the second account.
I've also witnessed on at least one occasion an https session surviving overnight, with the POTS connection severed during this time.
These experiences have already led me to consider gmail less than secure.
The Google people are very, positively imaginative and creative. But they are not, at least not at first pass, all seeing. There are details to security that require some grinding detail and a lot of testing. A good language and a smart approach can lessen the grunt work, but a significant amount is still necessary.
I think people haven't come down on Google like they do on MS because, in large part, Google is straight forward and direct in its communications and its intentions. And when a bug pops its head, they consider it a personal priority to correct it. Not just a business priority, based upon cost/benefit, but also the PERSONAL priority of those at Google who are involved in the issue.
I hope they'll fix this quickly, and take a good, hard look at their server and session management. Looks like there's a serious need for better compartmentalization, and for data scope management.
Doesn't seem too bad to me. But I am just a foreigner...
[]'s Victor Bogado da Silva Lins
^[:wq
for 6usd a month one can find a reputable company to provide him with more than one mega of mail. that's like unlimited quota constrained by your wallet.
and to top it off, u get a bonus, space to put your own weblog too!
_ In Egypt Networks: Network Solutions with a Twist
NOTHING is secure. Everything on the net lasts forever. It can easily be intercepted, archived and screwed with in a hundred different places, and since it's around so long, eventually someone is going to figure out the encryption.
So if you are worried about your company's cooked books, your mistress and your assassination plan being discovered--DON'T write Email about them!
Also, by the way, if it's that important: Don't post it in a chat room or BBS, even "Anonymously", don't write or type it anywhere, don't get drunk and brag about it to your co-workers and pray that you don't talk in your sleep.
There's the ads, remember?
:)
The real losers here are the advertisers if Google doesn't fix this thing.
Still, gmail is in BETA, has an INVITATION-based signing up scheme. And no software is bug-free.
Anyway, thankfully I don't keep private info on my spydermann.slashdot g-mail account
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
with all the natural disasters happening, i cannot think of a good reason why the world wouldn't end the day after tomorrow.
Because M$ will release a bug-free, easy to use operating system with reasonable licensing three days from now.
I stole this sig from someone cleverer than me.
I have already sent out all of my original invites to friends, and was recently given 10 more. If anyone wants them let me know.
"Insert Sig Here"
This exploit would be hardly interesting to a cracker. Sure it is a nasty bug, but it's too unpredictable to be useful. I mean, you can read -someone's- email, but not email of someone you're stalking or something like that. You may find a random piece of information, but there's no way you know what you find. With enough luck you can take over an account... of a stranger. The info could be sometimes used for malicious purposes, but it will in no way be profitable.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
OK so here's the vulnerability...
You send a malformed message, and you get some data remaining in the memory block. You can't control what account that data is from, it might or might not be something interesting to read and it might or might not contain sensitive data, etc. If you get lucky, someone using a single password at every site or a simply recognized pattern happens to have the one message that isn't spam in their buffer copied into your message so you can view it, you see their password, guess at the pattern and then have access to all of their data.
In the more likely case, you view their advertisement for v1agra.
If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
Last time I checked gmail invites were going for less than a dollar per on ebay. On linuxquestions.org there is a whole thread of messages offering invites for free. There are more offers than people who want them. Gmail used to be cool and exclusive, and some of the coolness was the exclusivity, but today, anyone who wants an invite can get one in about five minutes.
Personally, I have my own email server with 40+ gigs free in my own domain, which is better than any web based email. And I can grep my own email myself, without the ads, thanks anyway.
Mod down people who tell people how to mod in their sigs
I just read: "...you can't even sign up unless you know somebody else who has it"
however-to be fair, I've seen other postings like the parent on other discussion lists.
Just "Here's some GMail invites" and a list of URLs.
I like microcars
Of course, it swings both ways. Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame for making it public knowledge before Google had the chance to fix it.
Blame, or sue?
...spurious - I do not think it means what you think it means...
At least they won't be able to use any "sensitive information" against you. Confidentiality Notice The information transmitted in this e-mail is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any review, retransmission, dissemination or other use of or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this e-mail in error, please contact the sender and delete the e-mail and any attached material immediately. Thank you.
Think of how many people at Google probably read slashdot. To think that now that it's on slashdot everybody knows except Google is kind of silly. Also, at least one person on here reported that it seems they fixed the bug already, which doesn't surprise me.
GMail is a beta as some of the other people mentioned and beta product even though they are not supposed to be buggy are still in testing stages and are not ready for production release. So is it surprising that there was another bug found in the system? Not at all. After all that's how all software gets developed. You test it to exhaustion and if it passes all the tests it's good to go. If not you fix the problems. And if you are using GMail you should know that you have already agreed to the possibility of having an unreliable service. After all this is why Google is gradually expanding the number of users.
That aside. I use GMail and Spymac since they were the first 2 free services to offer 1GB storage and google whips Spymac's butt in every aspect. So does that bug bother me? Not really. I use pop3/smtp access all the time and plus this bug will be fixed very soon just like all the other problems found so far.
Or try this invite spooler here
When you use beta apps on your computer, do you expect them to be bug free? Why would an internet application differ from, say, a pre-release version of Longhorn?
If you are doing mission-critical email (as if email's even suitable for anything m-c) or are overly concerned about privacy, here's an idea: try using established technology, and maybe even GPG. Don't use something that says "beta" for those sensitive transactions....
I'm glad this article was posted, I'm just confused by some of the responses to it.
signed,
Captain Ob(li)vious
(%i1) factor(777353);
(%o1) 777353
Parent is not flamebait, it is a real insult.
It could be called informative, because I honestly believe the guy is a dumbass. At least, not flamebait.
Insulting the guy is just what I felt like doing, because I thought it was a stupid question to ask, not a call for flames.
In the FAQ it doesn't say that "profanity" or insults are discouraged.
My post was even on-topic because it answered a question regarding the way the site works (why no no-text messages)
just a thought
They may actually have tried to contact Google and failed.
Have you tried to send a GMail bug report to Google? It's really difficult! I tried it and whatever software they have to automatically scan bug reports kept misclassifying what I was saying. I gave up in the end; for a product in beta, they don't seem very keen to get feedback.
well after trying this out for myself, it appears google isn't delivering any mail (at least to my inbox) at the moment. after sending about 20 emails, half valid, half testing the missing '>'. After 20 minutes, none of the 20 have reached my inbox.
lots of comments here are noting the hubris of these guys in asking for jobs.
I'd just like to add that not only are they criticizing the company's QA process and releasing the bug without having notified google first, as others pointed out...
They found the exploit by MISTAKE! It was a bug in their own code that caused the problem, something as stupid as a missing caret at the end of a line. So, in other words, they are looking for work looking for bugs in Google's software that they found solely because of a bug in the software they wrote.
On another note, bugs in software happen, no matter WHO you are, the trick is just to be able to fix them in a timely fashion and deal with the situation effectively. I believe that Google will do this, especially if the previous comment stating that it has been patched is true. Everyone is making too big a deal out of something that has happened to every developer on every software ever. The reason MS gets crap for it is simply because they continuously produce buggy code ridden with security issues, but deny this is the case, and often ignore security problems until they are found out by the general public.
-Jay
I haven't been able to receive any gmails for a half hour or so... maybe they've disabled incoming messages until they've sorted this all out?
The sense of security coming from using a non-publicly-available product that is still in beta? Where the banner "Gmail by Google - Beta" is displayed at the top left of every page loaded? Where the 'Security' section of the user agreement is:
Security
You must promptly notify Google of any breach of security related to the Services, including but not limited to unauthorized use of your password or account. To help ensure the security of your password or account, please sign out from your account at the end of each session.
Oh yes, Google is certainly lulling us into a false sense of security.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
I hope google fixes this poor buffer hygiene soon
But since we now have a published exploit, I will be damn careful what I send for a while except for the messages my script sends to me;-)
Since [as GBS pointed out] "GH" can be pronounced "F" and in "enough" I christen this technique for dredging buffer junk for other people's goodies as
GHISHING
Which you would pronounce the same as PHISHING. And the GH might stand for Google Hack
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
No no, you don't get it! He's simply introducing himself to the community at large. It's a play on words, really. Because, you see, his name is actually "New Here," so when someone utters (types) the phrase "New Here" his attention is drawn. When someone mentions my name incorrectly, I like to correct them as well! Of course, if people kept telling other people that their name is in fact your name, wouldn't you want to correct them? Honestly...
John Doe (to UserX): You must be Bob Dole.
Bob Dole: No, I'm Bob Dole.
You: Fuck off.
See how your response is completely inappropriate? Granted, that wasn't the *exact* syntax for this exchange, but there's no need to nitpick.
BTW, New Here - you're my hero.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
I've been bugging google about gpg support built into gmail. Never get any response though.
The road between democracy and tyranny is paved with secrecy in the name of security.
Rather than a post card, I would say it is more like sending a letter in an unsealed envelope.
You can see the content of a post card just at a glance. You can glance at things by accident. You can read an unsealed letter, but first you have to take it out of the envelope. You cannot do that by accident.
You cannot accidentally catch a glimpse of an e-mail, you have to intentionally look at it.
END COMMUNICATION
Far more disconcerting is the label American online in the screencaps.
500GB of disk, 5TB of transfer, $5.95/mo
gmail invites - first come, first serve
get one for yourself @ http://fundisom.com/free-gmail.php...
and if you don't get one now - i'll add many more over time.
and if you manage to get one and feel like saying thanks - have a look at the ads on the page...
enjoy...
Burn the AC, he's using logic!
SMTP isn't secure anyway. SO what's the big risk that someone can get my message off of gmail from left over memory image. They could have just as easily sniffed the SMTP packets going from gmail to whatever server they're going to.
Bottom line don't use e-mail for sensitive information unless you use proper encryption before hand. -- fopd sodis risdick tra
I'm assuming this is until the problem is fixed:
"APPLICATION" 516 "2005-01-12 20:01:48" "SMTPDeliverer - Message 15213: Delivering message from xxxxxxxxx@xxxxx.com to xxxxx@gmail.com."
"TCPIP" 516 "2005-01-12 20:01:48" "DNSResolver - MX Lookup: gmail.com"
"TCPIP" 516 "2005-01-12 20:01:48" "DNSResolver - MX Lookup result for gmail.com: 3 servers"
"APPLICATION" 516 "2005-01-12 20:02:09" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp185.google.com."
"APPLICATION" 516 "2005-01-12 20:02:30" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp171.google.com."
"APPLICATION" 516 "2005-01-12 20:02:51" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp57.google.com."
"APPLICATION" 516 "2005-01-12 20:03:13" "SMTPDeliverer - Message 15213: Failed to connect to gmail.com."
"APPLICATION" 516 "2005-01-12 20:03:13" "SMTPDeliverer - Message 15213: Failed to connect to all xxxxx@gmail.com's mail servers."
Find Nearby Indie Events
Why is google news still in beta?
You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
Whoever modded parent as offtopic has no sense of humor.
Ever since I read this story on slashdot, I've not been able to receive emails in my 3 gmail accounts (the emails are from two different mail providers). So, have they now started refusing incoming messages (until the bug is fixed) ?
XML never does this. XML parsers, upon finding a problem must stop parsing and throw a fatal error. It's in the specification.
Instead of mindlessly knee-jerking because you don't like XML, try reading the article. The greater-than symbol that causes problems is the delimiter for the email address - syntax that goes back to 1982's RFC 822 - long before XML's time.
Most Humorously Appropriate Usage of the Word "Festoon" In A Slashdot Post.
Potato chips are a by-yourself food.
For some reason, when you click on a link someone sends you in gmail, it opens in a new window, all well and good, but it rearranges IE's toolbars. I carefully put the standard set of buttons, the "File" menu, and the Address bar on one line (to minimize use of vertical real estate) and the new window has them all on separate lines...which is irksome if that's the last window that gets closed in IE, because that means it sets the pattern for next time you start up IE.
SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
I'm communications corporal, sir!
I wish he was... Check out the guy's previous comments, he introduced himself quite enough already. It's getting old. I agree the AC's reply is much more disturbing though.
I'm trying to improve my English. Please correct me on any spelling/grammar errors in this post.
I'm sorry - I forgot the sarcasm tags in that last post.
"The object of war is not to die for your country, but to make the other bastard die for his." - Patton
There was a web site called gmail-is-to-creepy.com that had a lot of info about gmail ... I stopped using it a week after I saw that site
If an SMTP server is stopping you from READING email, then we have bigger problems. The SMTP only handles your outgoing, not your incoming... If the POP server was down, then you wouldn't be able to read your email. As it were, though, GMail in general was down for a while.
Yeah, I noticed that one too. You'd think that at Google, of all companies, they'd be looking for the stupid crap the end user might do with their product before even considering daily use, but that's just me. Regardless, the hole that was found, though having large implications, is minor at the worst.
Strong words for a man with four exclamation marks in a row, and three question marks.
Stupid like a fox!
Theoretically, yes, but at the same time, if the loss of a single '>' is the cause for this, then there is reason to believe that an additional '' could cause just as much of an issue, though not the exact problem for obvious reasons. Clearly, someone is not validating inputs on the SMTP side of things, as the original server was built with a web interface and thus there was no need for such a thing. Google tends to stay pretty well on the ball, so I'm sure this will be resolved soon enough, if not already. You know at least half their staff are avid /.ers.
Anyway, you're using a free mail server, so just encrypt everything and assume anyone can get a copy at will of anything you send. Unless you somehow come to own the internet in its entirety, that assumption is a lot closer to the truth than you think...
Haha, mod that up. Very nice puns.
Random is the New Order.
There is a major motion picture by that name, and the Earth is afraid of the lawsuit.
emt 377 emt 4
Throw it to bugtraq if you want exposure and to get it noticed. Not Slashdot.
It's a data parsing error (missing that closing < makes it read stuff from other mailboxes and print that back inappropriately)
Why it can even read past the end of your message is a mystery to me. They might be using very specialized memory managers in their codebase that use buffers in specific ways, however, which would make this possible.
I wouldn't call that a buffer overrun. It's a parsing error which exposes read access to some kind of application-managed memory in an unexpected way.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
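The comments above attribute the leak to a parser that keeps reading when the closing '>' of an address is missing. As an added illustration (not Google's code and not part of the original thread), here is a C extractor that bounds every read by the message length and fails closed on an unbalanced bracket; the function name, status codes and sample inputs are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Status codes for the hypothetical parser below. */
enum addr_status { ADDR_OK = 0, ADDR_NO_OPEN, ADDR_UNTERMINATED,
                   ADDR_STRAY_BRACKET, ADDR_EMPTY, ADDR_TOO_LONG,
                   ADDR_BAD_CHAR };

/*
 * Copy the address between '<' and '>' out of a header value that is
 * exactly `len` bytes long (it is NOT assumed to be NUL-terminated).
 * No read ever goes past hdr[len-1]. On any error `out` is left as ""
 * so no partial or neighbouring data is handed back to the caller.
 */
enum addr_status extract_angle_addr(const char *hdr, size_t len,
                                    char *out, size_t out_cap)
{
    size_t i = 0, j, start, n;

    if (out_cap == 0) return ADDR_TOO_LONG;
    out[0] = '\0';

    /* Find the opening '<'; a '>' seen first is already malformed. */
    while (i < len && hdr[i] != '<') {
        if (hdr[i] == '>') return ADDR_STRAY_BRACKET;
        i++;
    }
    if (i == len) return ADDR_NO_OPEN;
    start = ++i;

    /* Scan for the closing '>' without leaving the message. */
    for (; i < len; i++) {
        unsigned char c = (unsigned char)hdr[i];
        if (c == '>') break;
        if (c == '<') return ADDR_STRAY_BRACKET;
        if (c <= 0x20 || c >= 0x7f) return ADDR_BAD_CHAR; /* NUL, CR, LF, space */
    }
    if (i == len) return ADDR_UNTERMINATED;   /* missing '>': stop, do not guess */

    n = i - start;
    if (n == 0) return ADDR_EMPTY;
    if (n >= out_cap) return ADDR_TOO_LONG;

    /* Reject further brackets after the closing '>'. */
    for (j = i + 1; j < len; j++)
        if (hdr[j] == '<' || hdr[j] == '>') return ADDR_STRAY_BRACKET;

    memcpy(out, hdr + start, n);
    out[n] = '\0';
    return ADDR_OK;
}
```

The caller must pass the length of the one header value being parsed, not the size of the buffer it happens to live in; the parser can only stay inside the message if it is told where the message ends.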
In picture number 2, they didn't do a very good job hiding the info. If you do a google search for <inurl:akienm>, you get just a few results. Just by looking at the snippet from the first result (without actually traveling there), you can see his domain is weirdness.org. From this you look back at the message and deduce that the login URL is http://weirdness.org/akienm/checkpointjob. The username starts with ak, so it is probably akienm. The password starts with bi. This dramatically reduces the amount of work needed to brute force his password. Hopefully akienm will change his password soon.
Andrew
I'm very impressed that Google (or more to the point Chris DiBona) responded and the bug was fixed so quickly. Can we expect more of this from Google in the future? I sure do hope so.
"There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
That was my fault. As I have indicated in several other replies, I was the 'editor' in our little research team (I used to teach English to ESL students, some 20 years ago), but I honestly did not think that this would ever see a reader.
Sorry for the minor boo-boo. I'll try to be more grammatically correct, in the future... ;-P
Yep. We did.
In fact, the 'report a bug' link did not appear, in my GMail account. I had to use one of NSA Wally's other accounts, just to find out what the link was.
CyberArmy? Who said that?!
Yes, I'm that same MrYowler... :) Of course, that says nothing about my many professional information technology and information security credentials, but if you've already made up your mind that I'm an idiot, then there isn't much point in me trying to change your opinion. Remember, though, that your opinion says a great deal more about you than it does about me... ;-)
Oh yes. Sue.
NSA Wally makes slightly more than $300 per month working for his uncle, and I make about $450 per month putting cans of beets on grocery store shelves.
Take it all! Start with our crushing personal debts, and then you can have this flu that I have neither been able to shake, nor do I have medical coverage to get help with.
Yes, sue. Take us for all we're worth. That should amount to slightly less than nothing... ;-P
Yes, sue. Take us for all we're worth. That should amount to slightly less than nothing... ;-P
A word of caution:
Don't taunt the animals. If you have ever been involved in or observed divorce proceedings, you should already be aware that the legal process is frequently used by its participants as a means of punishment, rather than a source of revenue. The fact that you don't currently have money doesn't protect you from being the victim of some well-funded person or lawyer with a desire for retribution.
I submitted this bug (as thousands of slashdot users probably did) and here is the response I got from Google.
Hello,
Thank you for your message. Today, Google was alerted to a security
vulnerability affecting Gmail, and our engineers quickly resolved the
issue. A very small number of Gmail users were affected, and all Gmail
accounts are now protected from this vulnerability.
Google has the highest regard for the security of our users' information
and we apologize for any concern this issue may have caused. Thank you for
taking the time to contact us.
Sincerely,
The Gmail Team
:) Eh. I know how to file bankruptcy. Frankly, at this stage of the game, the only thing keeping me from doing so, is that I have no assets to protect.
The point is well-made, however, and I'd be likely to take it more seriously if I were not already an excellent candidate to go insane with a high-powered rifle in a bell tower, somewhere... ;-P
That, however, is part of the point of pseudonymity - it makes the rich fellow's job at least slightly more difficult, and the lack of reward, at the end, makes the effort essentially pointless. Better to pursue me for criminal action, as so frequently is the case when a vulnerability is publicly reported. Even that, though, just gets me three hots and a cot, and all the luvin' I can't handle... :-P
Never forget; death ends the pain. And the man who believes that he has nothing left to lose, is the most dangerous of all.
Hopefully, it doesn't come to that, and the tiny bit of rope that still has me connected to my sanity, will hold.
Google is going down the wrong route. This is like fixing a remote exploit by filtering traffic for the IP of the guy that rooted you. If your program is insecure, fix it, don't firewall suspicious messages. It's only a matter of time before a similar exploit is written unless gmail is engineered so that malformed messages don't get cached data.
That they fix those awful new groups...
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating