Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Corrects Gmail Security Flaw

Posted by Zonk on from the seekrit-communications dept.

0110011001110101 writes "Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into peoples Gmail accounts to read messages and pose as legitimate email users. Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users. The process for exploiting Gmail was posted to a hacker web site." From the article: "Google spokesperson Sonya Boralv said only users who supplied information to the hackers were potentially vulnerable. 'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said. 'Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues.'"

9 of 209 comments (clear)

  1. While they're there... by Threni · · Score: 4, Interesting

    ...they could alter the URLS they serve up such that httpS is used instead of crappy old http. The former works if you remember to edit it manually every time you log in, but that's tedious.

  2. Grammar Police by TubeSteak · · Score: 2, Interesting
    "Motives are more than obvious because ALL Gmail accounts was vulnerable to the bug."
    While the hacker website that published the exploit is safe from Criminal Prosecution, they may still get a visit from the Grammar Police

    Then again, its a spanish language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them.
    --
    [Fuck Beta]
    o0t!
  3. wait a minute by wolfgang_spangler · · Score: 4, Interesting

    The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem. Google didn't make a public announcement about the problem. Companies such as Microsoft typically alert their users to security flaws in their software.

    So I am to believe that when someone makes a security flaw known to Microsoft they immediately make it public? They don't try to fix it or even shush the person who lets them know? The news is full of stories about security researchers who try to let Microsoft know about a problem only to see it not fixed for a long time. Then if the researcher lets the public know Microsoft goes berserk.

    4 days seems like a pretty good time to patch a flaw that sounds as low risk as this one did.

    1. Re:wait a minute by slashkitty · · Score: 2, Interesting

      There is also a HUGE difference between SERVER applications like gmail and desktop software from Microsoft. With Gmail, none of the users need to update their computers to get the fix, while with Microsoft, everyone has to update their computer to get the fix. Who knows how many fixes Google has put in since gmail went live.

      --
      -- these are only opinions and they might not be mine.
  4. Are you sure they fixed it? by xxxJonBoyxxx · · Score: 3, Interesting

    If I'm reading this correctly, the security researcher thinks that Google has fixed only one of the three bugs that open up this door...thus the public pronouncement.

    "But if they would have recognized it and published a thank you note, this information wouldn't had been published. We have 3 ways to get to the same result, the others 2 are quite easier, and because of that easily we can deduce that it's a multibug, and a design error. With all these clues, they will not take too much to discover new methods."

  5. Re:A very timely fix unlike M$ by ergo98 · · Score: 2, Interesting

    You might get a little more credibility if you canned the circa-1997 "M$" nonsense.

    Say what you will about Google, but 4 days is fast.

    4 days to fix a security vulnerability in a web app is INCREDIBLY SLOW. Anyways, obviously it's a little easier to patch a website, especially when you have a highly tolerant client base. This is the same Google, though, that released a desktop search that was so terribly security defective that it's hard to believe that their hiring practices are even remotely as selective as they imagine.

  6. Re:not perfect by bonk · · Score: 2, Interesting

    Are companies now obligated to make press releases every time they fix a bug? With a full listing of every person and organization that contributed to the discovery and fix of the bug? I would rather that they didn't. Especially if it's going to say "Thanks to AnelKaos".

    Someone pointed out a bug and Google fixed it within a reasonable time limit and went back to their jobs.

    --
    I hope to die peacefully in my sleep like grandpa, not screaming like his passengers.
  7. Re:A very timely fix unlike M$ by Anonymous Coward · · Score: 2, Interesting

    No matter how you slice it: 1 day to fix a vulnerability in web app is fast. 4 days is slow. And even if these exploits differed in the way you seem to think they are, it wouldn't be "completely different."

    However, they aren't. The Google press release is false and I can't believe -- I just can't believe -- that the whole friggin' Slashdot crowd bought that crap hook, line and sinker. Read the linked article about the actual exploit. This is every bit as serious as the Hotmail hack.

  8. Re:In preply to the torrent of dumbness... by bman08 · · Score: 2, Interesting

    It's true, my wife's paypal account was hijacked last week by someone looking her her gmail account, probably by this very exploit. Luckily, the kid was a moron who immediately started forwarding all her mail to his own yahoo.it box. A sojourn through the gmail trashcan turned up a paypal receipt for an IRC hosting package. Needless to say panicked overreaction ensued, passwords were changed, credit cards cancelled, another windows install was replaced with Ubuntu. It's nice to know now, maybe/probably, what the problem was and the limits of our exposure. I also did, during this period, suddenly realize that keeping everything on gmail means keeping EVERYTHING on gmail. We've not used paypal in at least a year, but still, there it was in the archive.