Google Corrects Gmail Security Flaw
0110011001110101 writes "Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into people's Gmail accounts to read messages and pose as legitimate email users. Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users. The process for exploiting Gmail was posted to a hacker web site." From the article: "Google spokesperson Sonya Boralv said only users who supplied information to the hackers were potentially vulnerable. 'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said. 'Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues.'"
Gee, I hope that no one was able to see that I store my SS#, CC#, and username/passwords for every site that I use. This could really be bad! The last time I checked, this was Beta software anyway, and if it was a concern, realize that most people weren't concerned when they got google eyed for a 2GB account. Get serious, who in their right mind would send sensitive information over e-mail anyway???
We're all hypocrites. We all have hidden parts, it's the contrast between them that makes us more a hypocrite than others
If you make your bookmark https://mail.google.com/ it will present both the login and the rest of the site via HTTPS.
I have seen the future, and it is inconvenient.
There is a User Script for Greasemonkey that will automatically make gmail use SSL:
http://userscripts.org/scripts/show/1404
There's also a host of other user scripts for gmail:
http://userscripts.org/tag/gmail
AIM mail gives you 2 GB of free space and IMAP access so you can use it from a real mail client. All you need is an AIM screen name.
For my personal mail I use Fastmail, IMAP mail with excellent server-side filtering. They had a brief outage last weekend, but aside from that they've been rock-solid for the last 2 years. They don't offer you enough storage space to make a warez repository out of your inbox, but it would take me a decade to fill up my 600 MB account.
When Hotmail was hacked 6 years ago, Microsoft sealed off the problem within a day. Google is incredibly slow.
One little bug that's been griping me about gmail is that sometimes I go to gmail.com on my girlfriend's computer and find myself accessing her account because she forgot to click "log out" last time she was in there.
Now, I understand that while the web page is open, it makes sense to keep the user logged in using background XML requests, but once the browser has been closed, can't they implement a time-out?
I swear this has happened to me even when she logged in the night before, so I can't figure out why they would overlook this obvious flaw.
Otherwise I absolutely love the gmail interface, for the record... searching your old mail is incredibly easy and useful. But I just can't believe that I can simply browse to gmail.com and find myself in someone else's account without even clicking anything.
Of course, I always make sure to log out properly, but some people just never learn.
Hold up a second. The MS Hotmail flaw allowed anyone's Hotmail account to be compromised by going to a MS website and typing in the e-mail account they wanted to hack. The GMail flaw requires a user to send their certificate information to the hacker. The Hotmail flaw was much more significant and easier to fix: disable the second website (or at least ask for a secret question).
A NYC lawyer blogs. http://www.chuangblog.com/
This is completely different. The Hotmail hack allowed anyone to view anyone else's Hotmail account, with nothing more than a username. The Gmail hack allowed someone with access to another person's web traffic or hard drive to get access to their Gmail account. If you give them that much, you might as well give them your password as well, just for convenience' sake.
I keep forgetting my place. Jesus is for losers. Why do I still play to the crowd?
Because those filters are passive, as Google's are active... they send the content of your email to a server to determine which ads to send you, and then send the results of clicking any ads back to their server and log everything in between. So in theory someone just looking at the google logs could tell that your email contained words like "cheating", "wife", "cocaine", etc., because you were served ads for those. I doubt google has the time to do such things, but in theory the data is there.
Definitely. Google ignored a security hole for two years and don't understand Javascript well enough to fix it properly.
Bogtha Bogtha Bogtha
And to continue the trend... I hate to do this to you, but the last comma in your sentence should be a semicolon (and moved outside the single quotes).
Xfce: Lighter than some, heavier than others. Just right.
I've always just typed 'gmail.google.com' (without the quotes) to check my gmail account. That always redirects me to https://mail.google.com/mail/... I noticed though when I enter my user/pass and click 'login' the URL quickly jumps to http:// and then immediately back to https:// and stays there for the rest of the session.
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
Actually, if you read the exploit, cookie stealing was not necessary. Just a little cookie manipulation, and looking at some JavaScript.
For what, exactly? Gmail doesn't provide your mail to any third parties - no, not even the context-dependent ads do that. Sure, there's a database of your emails somewhere... but every single email service has a database of your email. How is gmail a threat to your privacy?
For those complaining about the switch to http, just bookmark https://mail.google.com/mail/
I don't read either Spanish or Hackerspeak very well, so I may have misunderstood their explanation, but it sounded like the exploit requires the attacker to gain access to the source code of the login screen for a user who already has a valid Gmail cookie. In other words, Gmail sends (or used to send?) stealable authentication info in the html. Is that accurate? If so, I'd have to agree that's not Best Practices for web security.
Their screenshot walkthrough seemed like a mess. Which browser (and which URL) was associated with each of those source views?
"Google's move towards a single Google Account for multiple services exacerbates the problem, as the same account used by the Google Base site can also be used to access financially sensitive services such as AdWords and AdSense, and Google's GMail webmail service."
RichM
Data Center Knowledge