Slashdot Mirror


Google Corrects Gmail Security Flaw

0110011001110101 writes "Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into people's Gmail accounts to read messages and pose as legitimate email users. Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users. The process for exploiting Gmail was posted to a hacker web site." From the article: "Google spokesperson Sonya Boralv said only users who supplied information to the hackers were potentially vulnerable. 'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said. 'Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues.'"

5 of 209 comments

  1. Re:While they're there... by timster · Score: 5, Informative

    If you make your bookmark https://mail.google.com/ it will present both the login and the rest of the site via HTTPS.

    --
    I have seen the future, and it is inconvenient.
  2. Re:A very timely fix unlike M$ by generic-man · Score: 4, Informative

    When Hotmail was hacked 6 years ago, Microsoft sealed off the problem within a day. Google is incredibly slow.

    --
    For more information, click here.
  3. Re:A very timely fix unlike M$ by bannerman · Score: 3, Informative

    This is completely different. The Hotmail hack allowed anyone to view anyone else's Hotmail account, with nothing more than a username. The Gmail hack allowed someone with access to another person's web traffic or hard drive to get access to their Gmail account. If you give them that much, you might as well give them your password as well, just for convenience' sake.

    --
    I keep forgetting my place. Jesus is for losers. Why do I still play to the crowd?
  4. Re:Why doesn't this news make me feel any safer? by ClearlyPennsylvania · Score: 3, Informative

    For what, exactly? Gmail doesn't provide your mail to any third parties - no, not even the context-dependent ads do that. Sure, there's a database of your emails somewhere... but every single email service has a database of your email. How is Gmail a threat to your privacy?

  5. What exactly is/was the exploit? by frankie · Score: 3, Informative

    I don't read either Spanish or Hackerspeak very well, so I may have misunderstood their explanation, but it sounded like the exploit requires the attacker to gain access to the source code of the login screen for a user who already has a valid Gmail cookie. In other words, Gmail sends (or used to send?) stealable authentication info in the html. Is that accurate? If so, I'd have to agree that's not Best Practices for web security.

    Their screenshot walkthrough seemed like a mess. Which browser (and which URL) was associated with each of those source views?
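The pattern frankie describes above (authentication material placed in the login page's HTML, where anyone who can read the page source or the traffic can copy it) contrasted with the approach timster's HTTPS tip depends on, as an added example that is not part of the original thread or of Gmail's code. The server responses, the `SID` cookie name and the session token are constructed for illustration; `token_leaks_into_html` and `cookie_flags_ok` are the checks a reviewer would run against a login response.

```python
import http.cookies
import secrets


def issue_session_token() -> str:
    """Generate a random session token (constructed for the example)."""
    return secrets.token_urlsafe(32)


def render_login_response_insecure(user: str, token: str):
    """Weak pattern: the session token is written into the HTML body.

    Anyone who can view the page source or intercept the (plain HTTP)
    response can lift the token and reuse the session.
    """
    body = (
        f"<html><body>Welcome {user}"
        f"<script>var auth = '{token}';</script></body></html>"
    )
    headers = {"Content-Type": "text/html"}
    return headers, body


def render_login_response_hardened(user: str, token: str):
    """Hardened pattern: the token travels only in a Secure, HttpOnly cookie.

    The HTML body carries no credential material; the browser sends the
    cookie only over HTTPS and page scripts cannot read it.
    """
    jar = http.cookies.SimpleCookie()
    jar["SID"] = token
    jar["SID"]["secure"] = True    # only sent over HTTPS
    jar["SID"]["httponly"] = True  # not readable from page script
    jar["SID"]["path"] = "/"
    headers = {
        "Content-Type": "text/html",
        "Set-Cookie": jar.output(header="").strip(),
    }
    body = f"<html><body>Welcome {user}</body></html>"
    return headers, body


def token_leaks_into_html(token: str, body: str) -> bool:
    """True if the session token appears anywhere in the HTML body."""
    return token in body


def cookie_flags_ok(headers: dict) -> bool:
    """True if the Set-Cookie header carries both Secure and HttpOnly."""
    lowered = headers.get("Set-Cookie", "").lower()
    return "secure" in lowered and "httponly" in lowered


if __name__ == "__main__":
    tok = issue_session_token()
    for label, render in (("insecure", render_login_response_insecure),
                          ("hardened", render_login_response_hardened)):
        hdrs, html = render("alice", tok)
        print(f"{label}: token in HTML = {token_leaks_into_html(tok, html)}, "
              f"cookie flags ok = {cookie_flags_ok(hdrs)}")
```

Running the script shows the insecure response leaking the token into the page body with no cookie protection, and the hardened response keeping the body clean while the cookie is marked Secure and HttpOnly; the Secure flag is also why bookmarking the HTTPS URL, as suggested in comment 1, matters: a cookie without it would be sent over any plain HTTP request to the same host.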