Slashdot Mirror


Google Corrects Gmail Security Flaw

0110011001110101 writes "Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into people's Gmail accounts to read messages and pose as legitimate email users. Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users. The process for exploiting Gmail was posted to a hacker web site." From the article: "Google spokesperson Sonya Boralv said only users who supplied information to the hackers were potentially vulnerable. 'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said. 'Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues.'"

11 of 209 comments

  1. In preply to the torrent of dumbness.... by KinkoBlast · · Score: 3, Insightful

    Google does NOT read every email. It goes through a computerised filter to supply ads. No different than a spam filter. How come no one complains about Yahoo, MSN, and 99% of other email providers, free or not?

    1. Re:In preply to the torrent of dumbness.... by sp5 · · Score: 2, Insightful
      > Google does NOT read every email. It goes through a computerised filter to supply ads.

      Does anyone really think their personal email is so damn interesting that someone else would actually want to read it??

      If you think that, get over yourself!

    2. Re:In preply to the torrent of dumbness.... by bhtooefr · · Score: 2, Insightful

      Well, technically, it could be viewed as a spamfilter with x number of buckets, x being the number of keywords available in adsense.

      A message would be scored on each keyword, and get sorted into one or more buckets based on how it scored on each keyword.

      There are spam filters that work exactly like that. POPfile comes to mind.

  2. A very timely fix unlike M$ by gasmonso · · Score: 3, Insightful
    "The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem."

    Say what you will about Google, but 4 days is fast. I think Microsoft takes weeks, if not months to fix problems. As a matter of fact, I bet there are vulnerabilities that are years old. Not to mention that M$ gets angry whenever a security group points out a bug.

    gasmonso http://religiousfreaks.com/
    1. Re:A very timely fix unlike M$ by Anonymous Coward · · Score: 1, Insightful
      > Say what you will about Google, but 4 days is fast. I think Microsoft takes weeks, if not months to fix problems.

      To be fair to Microsoft (and I can't believe I'm saying this), Google needs to make and deploy a fix on their own servers. One of the advantages of being deployed via the web.

      Microsoft has to make a fix that can be deployed to countless machines and won't screw up anything else.
    2. Re:A very timely fix unlike M$ by slashkitty · · Score: 2, Insightful

      uhm, yeah, but that was a MUCH bigger hole. All you need for the hotmail bug was the victim's email address. (for a bug like that, they should have shut down the whole system until it was fixed) For google, you need their authentication token... which, is probably a problem for a lot of sites... not a super duper high priority bug if you ask me.

      --
      -- these are only opinions and they might not be mine.
  3. not perfect by TubeSteak · · Score: 2, Insightful

    Nobody writes perfect software
    from TFA:
    "OK, it's a Beta version, and they don't have to report anything. But if they would have recognized it and published a thank you note, this information wouldn't had been published. We have 3 ways to get to the same result, the others 2 are quite easier, and because of that easily we can deduce that it's a multibug, and a design error. With all these clues, they will not take too much to discover new methods."

    The only reason we're seeing this is because Google didn't give 'em credit for finding the bug. Shame on Google, because apparently this problem might get worse before it gets better.

    --
    [Fuck Beta]
    o0t!
  4. And No Rollout Necessary by Anonymous Coward · · Score: 3, Insightful

    The good thing about this is that now, everyone benefits from the fixes. Instantly.

    No more issuing patches, fixes, service packs, or whatever, like there is with distributed packages.

  5. Re:Why doesn't this news make me feel any safer? by morgan_greywolf · · Score: 3, Insightful

    I completely disagree with EPIC's privacy analysis of Gmail's "content extraction" techniques.

    First off, whether the ECPA extends to Internet e-mail has NOT been established. The ECPA was written in 1986 and at that time, most people's idea of an 'e-mail' service involved CompuServe or other proprietary mail services.

    I doubt that anyone could have a reasonable expectation of privacy in regards to Internet e-mail. Mail can pass through so many servers and routers and such and ANY of those hosts along the way could grab your mail, which is, unless YOU encrypt it, pretty much transmitted in clear text, with very rare exceptions. Any of those hosts could store and analyze your mail, too. There's nothing stopping them. It's a direct result of the Internet's decentralized nature.

    Anyone who expects that unencrypted Internet e-mail is private is very sadly mistaken.

  6. Re:Uh-oh.. by Anonymous Coward · · Score: 1, Insightful

    > who in the their right mind would send sensitive information over e-mail

    My mom. And yours.

  7. Re:Google fix by Tim+U. · · Score: 2, Insightful
    FTFA

    "We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials," Ms. Boralv said. "Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues."
    Is this really true? To me it looks like they were simply taking variables from a successful login process, and substituting them into a login process that would normally have failed.

    Or did I miss something...