Google Corrects Gmail Security Flaw
0110011001110101 writes "Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into people's Gmail accounts to read messages and pose as legitimate email users. Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users. The process for exploiting Gmail was posted to a hacker web site." From the article: "Google spokesperson Sonya Boralv said only users who supplied information to the hackers were potentially vulnerable. 'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said. 'Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues.'"
But at least they're not evil about it.
I wonder how long people are going to keep buying that line?
Further, I wonder how long it will be before Google finds itself under some form of regulatory scrutiny surrounding privacy concerns?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Google does NOT read every email. It goes through a computerised filter to supply ads. No different than a spam filter. How come no one complains about Yahoo, MSN, and 99% of other email providers, free or not?
Just like Hotmail, you get what you pay for....
...they could alter the URLs they serve up such that httpS is used instead of crappy old http. The former works if you remember to edit it manually every time you log in, but that's tedious.
Then again, it's a Spanish-language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them.
[Fuck Beta]
o0t!
I really like using Gmail, and the 'conversation' system really suits me well. Glad that they fixed the flaw before anything 'bad' happened.
But, is there an alternative to Gmail? What does the /. community use instead?
Say what you will about Google, but 4 days is fast. I think Microsoft takes weeks, if not months to fix problems. As a matter of fact, I bet there are vulnerabilities that are years old. Not to mention that M$ gets angry whenever a security group points out a bug.
gasmonso http://religiousfreaks.com/
only users who supplied information to the hackers were potentially vulnerable
Right... you were only vulnerable if you gave hackers your login and password. Um, duh.
So hackers can't get in now if I give them my credentials?
For more information on web application attacks sign up to the web security mailing list.
http://www.webappsec.org/lists/websecurity/
Google won't do eeeeevil... then again, the hackers might.
Gee, I hope that no one was able to see that I store my SS#, CC#, and username/passwords for every site that I use. This could really be bad! The last time I checked, this was Beta software anyway, and if it was a concern, realize that most people weren't concerned when they got google eyed for a 2GB account. Get serious, who in their right mind would send sensitive information over e-mail anyway???
We're all hypocrites. We all have hidden parts; it's the contrast between them that makes us more of a hypocrite than others.
Right.
The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem. Google didn't make a public announcement about the problem. Companies such as Microsoft typically alert their users to security flaws in their software.
So I am to believe that when someone makes a security flaw known to Microsoft they immediately make it public? They don't try to fix it or even shush the person who lets them know? The news is full of stories about security researchers who try to let Microsoft know about a problem only to see it not fixed for a long time. Then if the researcher lets the public know Microsoft goes berserk.
4 days seems like a pretty good time to patch a flaw that sounds as low risk as this one did.
Nobody writes perfect software
from TFA:
"OK, it's a Beta version, and they don't have to report anything. But if they would have recognized it and published a thank you note, this information wouldn't have been published. We have 3 ways to get to the same result, the other 2 are quite easier, and because of that we can easily deduce that it's a multibug, and a design error. With all these clues, they will not take too much to discover new methods."
The only reason we're seeing this is because Google didn't give 'em credit for finding the bug. Shame on Google, because apparently this problem might get worse before it gets better.
There are no saints... even Gandhi had masturbated sometime, ....right?
DON'T STEAL MUSIC!
The good thing about this is that now, everyone benefits from the fixes. Instantly.
No more issuing patches, fixes, service packs, or whatever, like there is with distributed packages.
That's amazing. I got the same combination on my luggage.
See, up until now, if you knowingly gave hackers your credentials, they'd be able to log on to your account with them. But now Google's refined their system to the point that even if you give out your personal information, hackers can't get in!
It's really very simple. They simply cycle through every Google ad you've ever clicked on (to find potential phishers), geo-locate the IP trying to log on and cross-reference it to the "From" location in most of your Google Maps directions searches, attempt to visually identify you from any webcam pictures they may have cached, calculate the speed in which the username/password was typed in compared to the "keyboard profile" they have on file from all your searches, and compare the logon time to your typical usage times for GMail and Google Talk.
Perfect security. At least, from everybody but Google.
I support the separation of oil and state.
I was wondering - is it possible to wash your clothes in a dishwasher? I don't have a washing machine and this would make my life a lot easier.
FTFA
"We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials," Ms. Boralv said. "Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues."
Fix:
From: Google
To: Gmail users
Subject: Security Bug
To all Gmail users:
Please do not give out your user name and password.
Thank you. That is all.
If I'm reading this correctly, the security researcher thinks that Google has fixed only one of the three bugs that open up this door... thus the public pronouncement.
"But if they would have recognized it and published a thank you note, this information wouldn't have been published. We have 3 ways to get to the same result, the other 2 are quite easier, and because of that we can easily deduce that it's a multibug, and a design error. With all these clues, they will not take too much to discover new methods."
is pretty darn quick. Disclosure guidelines generally give 5 days to a week just to RESPOND to the issue, let alone fix it. Thumbs up to Google for their prompt fix.
SecureThe.Net - Practical Resources for Securing Systems
because THAT sounds like the ROOT cause here.
One little bug that's been griping me about gmail is that sometimes I go to gmail.com on my girlfriend's computer and find myself accessing her account because she forgot to click "log out" last time she was in there.
Now, I understand that while the web page is open, it makes sense to keep the user logged in using background XML requests, but once the browser has been closed, can't they implement a time-out?
I swear this has happened to me even when she logged in the night before, so I can't figure out why they would overlook this obvious flaw.
Otherwise I absolutely love the gmail interface, for the record... searching your old mail is incredibly easy and useful. But I just can't believe that I can simply browse to gmail.com and find myself in someone else's account without even clicking anything.
Of course, I always make sure to log out properly, but some people just never learn.
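One way to close the gap the post above describes, as an added example that is not Gmail's or Google's code: a server-side session store that enforces both an idle timeout (so a background refresh keeps an open page alive, but a cookie left behind overnight does not) and an absolute lifetime, plus a session cookie issued without Expires/Max-Age so the browser drops it when it closes. The timeout values and cookie name are assumptions.

```python
"""Session store with idle and absolute timeouts (added example, not Gmail's code)."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60        # assumed: 30 minutes without a request
ABSOLUTE_TIMEOUT = 12 * 3600  # assumed: 12 hours after login, activity or not


@dataclass
class Session:
    user: str
    created_at: float  # login time (epoch seconds)
    last_seen: float   # time of the last authenticated request


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> Session

    def login(self, user, now=None):
        """Create a fresh, unguessable session id for an authenticated user."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def lookup(self, sid, now=None):
        """Return the user for a live session; expire and purge a stale one."""
        now = time.time() if now is None else now
        s = self._sessions.get(sid)
        if s is None:
            return None
        idle_expired = now - s.last_seen > IDLE_TIMEOUT
        too_old = now - s.created_at > ABSOLUTE_TIMEOUT
        if idle_expired or too_old:
            del self._sessions[sid]  # a later request with the same cookie fails
            return None
        s.last_seen = now  # each live request (e.g. background XML poll) extends idle window
        return s.user

    def logout(self, sid):
        """Explicit logout invalidates the id server-side, not just in the browser."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    # No Expires/Max-Age: a session cookie the browser discards on close.
    # Secure keeps it off plain http; HttpOnly keeps it away from page scripts.
    return f"Set-Cookie: SID={sid}; Secure; HttpOnly; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_000_000.0
    sid = store.login("alice", t0)
    print(session_cookie_header(sid))
    print(store.lookup(sid, t0 + 20 * 60))      # alice: a poll 20 min later keeps it alive
    print(store.lookup(sid, t0 + 10 * 3600))    # None: next morning the session is gone
```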
Ummmm... no. My bookmark for https://gmail.google.com/ takes me to https://mail.google.com/mail/ every time.
It seems to me that if you're able to get information to actually "hack" an account, you're either:
a) able to sniff all their network traffic, which means eventually, you'd probably get enough info to socially engineer their password
b) have access to their system somehow, so you could probably employ a keystroke logger of some sort and just get userid/password that way rather than sift through web browser caches to guess cookie and session id information.
if they were the article would be like this:
...
1N7R0DUC710N
7h15 bu6 h45 4|r34dy b33n c0rr3c73d, 7h47'5 why 17'5 b33n pub|15h3d.
1n 7h15 m4nu4| y0u w1|| 533 573p by 573p h0w 70 3xp|017 6m41|'5 vu|n3r4b1|17y, 7h47 64v3 y0u 4cc355 70 4ny 4cc0un7, r3p0r73d by 4n3|k405,
ds
I completely disagree with EPIC's privacy analysis of Gmail's "content extraction" techniques.
First off, whether the ECPA extends to Internet e-mail has NOT been established. The ECPA was written in 1986 and at that time, most people's idea of an 'e-mail' service involved CompuServe or other proprietary mail services.
I doubt that anyone could have a reasonable expectation of privacy in regards to Internet e-mail. Mail can pass through so many servers and routers and such and ANY of those hosts along the way could grab your mail, which is, unless YOU encrypt it, pretty much transmitted in clear text, with very rare exceptions. Any of those hosts could store and analyze your mail, too. There's nothing stopping them. It's a direct result of the Internet's decentralized nature.
Anyone who expects that unencrypted Internet e-mail is private is very sadly mistaken.
My blog
Maybe some folks use Gmail for critical communications, unencrypted, but to me, the worst that could happen would be: Dear Mom, Life is bad. Thrown in jail. Broke. Girl left me. Lost my job. I'm gay (not that there's anything wrong with that.) Hate, j0n Please.
Does this mean that they read all my 180 spam e-mail for me? I should thank them.
Trust me, I do it every day at home.
How come we don't get a front page story every time Microsoft fixes a bug? Ok, you can mod me flamebait now.
Is it just me, or does Google's translation make just as much sense as the "English" version of the hacker's article?
I read
Actually I find parent post rather funny
The one thing that bugs me is that the mail service cannot differentiate between john.smith, johnsmit, joh.nsmith...... when it delivers the messages. Sure, at login, they ARE different accounts, but then, why do I keep getting messages for johnsmith? Mine has a separator dot, damn. Fix that already!
Don't we live in scary times when security professionals give themselves names like "Anal Chaos?"
Up until today, I was including that info in my sig!!
For what, exactly? Gmail doesn't provide your mail to any third parties - no, not even the context-dependent ads do that. Sure, there's a database of your emails somewhere... but every single email service has a database of your email. How is Gmail a threat to your privacy?
Watch Penn & Teller's episode about Gandhi & Mother Teresa and you'll learn a few things.
I don't read either Spanish or Hackerspeak very well, so I may have misunderstood their explanation, but it sounded like the exploit requires the attacker to gain access to the source code of the login screen for a user who already has a valid Gmail cookie. In other words, Gmail sends (or used to send?) stealable authentication info in the html. Is that accurate? If so, I'd have to agree that's not Best Practices for web security.
Their screenshot walkthrough seemed like a mess. Which browser (and which URL) was associated with each of those source views?
1. I called the Grammar Police on the author
2. I used poor grammar and capitalization
3. You did not call the Grammar Police on me
4. Your grammar, spelling and capitalization were just fine.
The only conclusion that can be reached from these facts is that any post invoking the Grammar Police results in grammar, spelling and capitalization errors in said post.
It always stays https for me. I never have to manually do this.
'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said.
So what exactly is the flaw here? Giving your credentials to anyone for any system is a security flaw.
"Hey Bob, I just 'hacked' your e-mail with the user id and password you gave me."
"Guess it's time to call Google and let them know they have a security flaw"
Cheesy Movie Night
It's true, my wife's PayPal account was hijacked last week by someone looking in her Gmail account, probably by this very exploit. Luckily, the kid was a moron who immediately started forwarding all her mail to his own yahoo.it box. A sojourn through the Gmail trashcan turned up a PayPal receipt for an IRC hosting package. Needless to say panicked overreaction ensued, passwords were changed, credit cards cancelled, another Windows install was replaced with Ubuntu. It's nice to know now, maybe/probably, what the problem was and the limits of our exposure. I also did, during this period, suddenly realize that keeping everything on Gmail means keeping EVERYTHING on Gmail. We've not used PayPal in at least a year, but still, there it was in the archive.
I stand corrected, I always go to https://google.com/mail which automagically redirects to http://mail.google.com/mail. Should have previewed my post first!
May I paraphrase this? "The general public is very sadly mistaken."
You are completely correct (and I have read RFCs 821, 822, 2821, 2822, 2015, and parts of the MIME RFCs). The sad part is that most users are clueless to the fact that their email is not private. Even sadder are the technical people who just plain don't care and state that the "inconvenience" of using SSL is too much. (and SSL is only a partial solution, but does protect credentials used with IMAP or POP)
Does every single email service say that they may keep copies of any/all message(s) ever sent or received for an indefinite period of time and for vaguely defined purposes?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
They're calling it a security flaw when the victim has to knowingly supply personal information for their account to be compromised?
"Google's move towards a single Google Account for multiple services exacerbates the problem, as the same account used by the Google Base site can also be used to access financially sensitive services such as AdWords and AdSense, and Google's GMail webmail service."
RichM
Data Center Knowledge
AFAIK, none even mention keeping or deleting emails in any time period. I'd rather at least know that they're keeping them than be in the dark about their possibly sinister plans.
Yeah, because my EMAIL account is really useful when I don't give my username to anyone...
Gmail hacks you!
Isn't this called "logging in"?
Karem
When all is said and done, nothing changes...
Okay, everyone be sure to install the latest security updates to your Google software, to protect yourself from this exploit!
Oh, wait...
Cut that out, or I will ship you to Norilsk in a box.
What kind of security flaw is this? Wait- someone can read my e-mail if I give them my password? Wow! Wait- someone can read my files if I give them my root password? You're kidding?! Someone can read my paper documents if I give them the alarm code to my house and key to my filing cabinet? No s**t.
Jeeze.
-M
when you see the word 'Linux', drink!
The solution is obvious. Get rid of the power. Find an alternative solution. And I happen to have one right here in my pocket:
Your email should live on *YOUR* hard drive. Google's software can do all the indexing and searching of your email right on your machine. It might well be within the current capabilities of the Google Desktop, but if not, only trivial changes required there.
But what about the children? Advertisers' children in this case. How will Google make money? Simple. Send the advertising keywords to YOUR machine, and then your computer will request the appropriate ads from the list. (Actually, not quite so simple because there are lots of ads, but think of it as though your computer is doing a background search against their database of current ads to find the most relevant ones.)
They can still offer the Web-based interface as an option, but it should not be the default because it creates an unneeded power that will (sooner or later (or already)) be abused--and even then it isn't needed. Google could hold the last few weeks' email on line, but then store it only on your machine.
Next wrinkle? Backup services where (for a small fee?) Google encrypts your email (on your machine) and stores the encrypted data for you on a Google server in case your machine croaks. Next? Migration services. Google will (for another small fee?) let you restore your backup files to a new machine and combine and reconcile all of your personal data. Etc.
I should send a copy to Google, eh?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
1. No matter how many problems you point out that exist in Google's services, they are still far less than the flaws that have existed in systems like Yahoo and Hotmail for far longer /. who complain about Google are just Yahoo, MSN and Microsoft twits. If you are a Microsoft employee, I shake my fist at thee... ;P
2. Whether you believe it or not, there is NO such thing as a "perfect" e-mail system. Google never made that claim and its supporters certainly don't make that claim. What they do claim is that Google has the more innovative interface. And after using the lackluster offerings of both Yahoo and Hotmail, I have to say I agree with them.
3. Although you might think it's "hip and cool" to be anti-Google just because Wired magazine told you to do so. It's not. It's lame. It's like someone trying to make it hip and cool to listen to Johnny Mathis tunes at a rave. Lame.
4. Yahoo offers nothing like Google. Yahoo started off as a so-so search engine and evolved into a so-so portal with e-mail and then threw in maps and other useless crap. Google started off as a damn precise search engine that actually caters to people with a brain (i.e. those of us who use the proper search syntax) as opposed to the numb nuts who just type a phrase in and expect to get an exact response. They then expanded their offerings as experiments and are still in the experimental phase. It's just that their betas outshine the "production" services of their competitors.
5. Google does more with less better than MS could ever dream of. They have a smaller staff and a much smaller financial value (not that it matters) but they produce products that, while not "perfect", are at least ten times better than what any of their competitors offer.
6. Finally. Fuck you. I'm sick of all the Google bashing. It's lame and so are you. The way you screwjobs act, you'd think there are people opening up churches to worship Google like people are doing with Microsoft. I have to wonder if all of the people on
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
How is this an exploit if it requires the user's credentials? If you have their credentials then you can just login normally....
netkev.com
I had to point out that the policy basically means that it doesn't go outside our company, our network, anywhere in control of someone other than ourfirm.com. Seems obvious, really.
Of course, if I send it to john.doe@ourfirm.com and he forwards it to his john.doe@theirfirm.com address, that's beyond my control, but still (since I know that he has accounts on both networks) to a certain extent, my responsibility.
Author, Shell Scripting : Expert Re