Slashdot Mirror
Gmail Messages Are Vulnerable To Interception
Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.
chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer will be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."
Is it just me or do you find it strange that in the list of known Gmail bugs, there is no catagory for Security? I'm trying to find out if this bug is one of the known bugs, but I'm guessing it's not? And I'm also guessing that Security is not a concern for Google at this point, which is a very bad thing, IMHO. People are relying on Gmail because of its awesome features, but if someone can read insecured data directly from memory, it's a really big problem -- perhaps even a global design flaw of the system. No wonder Google plays their cards so close to their chest... I just hope they take some amazing measures to prevent these types of bugs in the future... like when somone does >>> or >>>> etc...
I use Gmail and this bug sort of disturbs me. Aren't they using a proper preg check to see if the fields are enclosed with < > ? I'm not even sure how this bug could exist in any normal computing system. I guess the gmail system is a hybrid of some kind? This is indeed very telling...
But it doesn't make me want to stop using Gmail. It's a random security breech that looks like they could fix it in an hour if they wanted to. Time to stop checking my email for a while until this is fixed...
Google will work out the kinks, they always do.
Electrons are free; it is moving them that becomes expensive.
Oh, sure, it means ready to be shipped/used in production by some companies, but has that line gotten to fuzzy for some people?
"that's not a feature, that's a bug"
A feeling of having made the same mistake before: Deja Foobar
and should never be treated as such. If you want security, use strong encryption.
This is as it was 10 years ago, 5 years ago, now, and in the future. Plaintext should be treated as though you were sending a postcard in the mail.
Cretin - a powerful and flexible CD reencoder
Security exploits are a serious matter, and they need to be handled properly. Throwing this kind of thing out in the open willy-nilly is, at best, irresponsible. For one, it means that Google must now rush a fix for something which may have already been in the bugfix queue; rush jobs can disrupt the entire project and increases the odds of human error--which can lead to unnecessary security vulnerabilities.
As for these guys getting hired by Google--being smarmy twits about Google's code review practices probably isn't gonna help their case any. Shame, because a little tact and professional courtesy would have given them a damn good running start at it...
Obliteracy: Words with explosions
Google = best & brightest, right?
I mean, their aptitude tests & hiring policies makes me believe they've got a few nobel prize winners working there..
Shouldn't they be able to fix this during lunch break?
Looks to me like they already fixed it, I tried sending an email without putting the end bracket on the address (Just like the guys in TFA) and it popped an error message. Those guys at Google are on the ball today. :-)
Never give any object more potential energy than you want it to have.
Many other people have pointed out that GMail is still in beta, and that if they would have told Google first it probably would have gotten quietly fixed without any damage being done.
Of course, they acknowledge that, but they're arguing that they're helping protect people by making them aware of the problem.
I call bullshit. This is about them wanting recognition for finding the bug. If they would have sent it to Google, it would have been fixed and no one would care who discovered it. Because they went public with it they can boast that they were the ones who found the bug.
Of course, it swings both ways. Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame for making it public knowledge before Google had the chance to fix it.
lots of comments here are noting the hubris of these guys in asking for jobs.
I'd just like to add that not only are they criticizing the company's QA process and releasing the bug without having notified google first, as others pointed out...
They found the exploit by MISTAKE! It was a bug in their own code that caused the problem, something as stupid as a missing caret at the end of a line. So, in other words, they are looking for work looking for bugs in Google's software that they found solely because of a bug in the software they wrote.
On another note, bugs in software happen, no matter WHO you are, the trick is just to be able to fix them in a timely fashion and deal with the situation effectively. I believe that Google will do this, especially if the previous comment stating that it has been patched is true. Everyone is making too big a deal out of something that has happened to every developer on every software ever. The reason MS gets crap for it is simply because they continuously produce buggy code ridden with security issues, but deny this is the case, and often ignore security problems until they are found out by the general public.
-Jay