Slashdot Mirror


Google Corrects Gmail Security Flaw

0110011001110101 writes "Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into people's Gmail accounts to read messages and pose as legitimate email users. Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users. The process for exploiting Gmail was posted to a hacker web site." From the article: "Google spokesperson Sonya Boralv said only users who supplied information to the hackers were potentially vulnerable. 'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said. 'Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues.'"

47 of 209 comments

  1. In preply to the torrent of dumbness.... by KinkoBlast · · Score: 3, Insightful

    Google does NOT read every email. It goes through a computerised filter to supply ads. No different than a spam filter. How come no one complains about Yahoo, MSN, and 99% of other email providers, free or not?

    1. Re:In preply to the torrent of dumbness.... by BushCheney08 · · Score: 4, Funny

      You forgot to post the link to the torrent

      --
      Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
    2. Re:In preply to the torrent of dumbness.... by sp5 · · Score: 2, Insightful
      Google does NOT read every email. It goes through a computerised filter to supply ads.

      Does anyone really think their personal email is so damn interesting that someone else would actually want to read it??

      If you think that, get over yourself!

    3. Re:In preply to the torrent of dumbness.... by bhtooefr · · Score: 2, Insightful

      Well, technically, it could be viewed as a spamfilter with x number of buckets, x being the number of keywords available in adsense.

      A message would be scored on each keyword, and get sorted into one or more buckets based on how it scored on each keyword.

      There are spam filters that work exactly like that. POPfile comes to mind.

    4. Re:In preply to the torrent of dumbness.... by Momoru · · Score: 2, Informative

      Because those filters are passive, as Google's are active...they send the content of your email to a server to determine which ads to send you, and then send the results of clicking any ads back to their server and log everything in between. So in theory someone just looking at the Google logs could tell that your email contained words like "cheating" "wife" "cocaine" etc, because you were served ads for those. I doubt Google has the time to do such things, but in theory the data is there.

  2. While they're there... by Threni · · Score: 4, Interesting

    ...they could alter the URLs they serve up such that httpS is used instead of crappy old http. The former works if you remember to edit it manually every time you log in, but that's tedious.

    1. Re:While they're there... by timster · · Score: 5, Informative

      If you make your bookmark https://mail.google.com/ it will present both the login and the rest of the site via HTTPS.

      --
      I have seen the future, and it is inconvenient.
    2. Re:While they're there... by blcknight · · Score: 2, Informative

      There is a User Script for Greasemonkey that will automatically make gmail use SSL:

      http://userscripts.org/scripts/show/1404

      There's also a host of other user scripts for gmail:
      http://userscripts.org/tag/gmail

    3. Re:While they're there... by skiman1979 · · Score: 2, Informative

      I've always just typed 'gmail.google.com' (without the quotes) to check my gmail account. That always redirects me to https://mail.google.com/mail/... I noticed though when I enter my user/pass and click 'login' the URL quickly jumps to http:// and then immediately back to https:// and stays there for the rest of the session.

      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    4. Re:While they're there... by wx327 · · Score: 2, Informative

      For those complaining about the switch to http, just bookmark https://mail.google.com/mail/

  3. Grammar Police by TubeSteak · · Score: 2, Interesting
    "Motives are more than obvious because ALL Gmail accounts was vulnerable to the bug."
    While the hacker website that published the exploit is safe from Criminal Prosecution, they may still get a visit from the Grammar Police

    Then again, its a spanish language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them.
    --
    [Fuck Beta]
    o0t!
    1. Re:Grammar Police by richdun · · Score: 2, Funny

      Then again, its a spanish language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them.

      Uh, we have a 226 in progress: used "its" instead of "it's"

    2. Re:Grammar Police by MSantiago · · Score: 5, Funny
      "While the hacker website that published the exploit is safe from Criminal Prosecution, they may still get a visit from the Grammar Police Then again, its a spanish language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them."


      Hate to do this to you, but when someone starts criticizing someone else's grammar, they'd better use proper grammar, punctuation, spelling, and capitalization in their own posts.

      For starters, "Criminal Prosecution" isn't a proper noun and shouldn't be capitalized. Also, "its" is not being used in its possessive form. Rather, it's a contraction of "it is" and should contain an apostrophe. Lastly, "spanish" must be capitalized.
    3. Re:Grammar Police by kelnos · · Score: 2, Informative
      Hate to do this to you, but you don't need to put a comma between the word 'spelling' and the word 'and,' it is not necessary.
      True, but that's not a grammar issue; it's a style issue. The "extra" comma is perfectly valid.

      And to continue the trend... I hate to do this to you, but the last comma in your sentence should be a semicolon (and moved outside the single quotes).
      --
      Xfce: Lighter than some, heavier than others. Just right.
  4. A very timely fix unlike M$ by gasmonso · · Score: 3, Insightful
    "The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem."

    Say what you will about Google, but 4 days is fast. I think Microsoft takes weeks, if not months to fix problems. As a matter of fact, I bet there are vulnerabilities that are years old. Not to mention that M$ gets angry whenever a security group points out a bug.

    gasmonso http://religiousfreaks.com/
    1. Re:A very timely fix unlike M$ by Red+Flayer · · Score: 2, Funny

      "a security researcher called ANELKAOS alerted the company to the problem"

      If someone named ANALCHAOS told me I had a bug, you bet I'd look into that right away.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:A very timely fix unlike M$ by generic-man · · Score: 4, Informative

      When Hotmail was hacked 6 years ago, Microsoft sealed off the problem within a day. Google is incredibly slow.

      --
      For more information, click here.
    3. Re:A very timely fix unlike M$ by ergo98 · · Score: 2, Interesting

      You might get a little more credibility if you canned the circa-1997 "M$" nonsense.

      Say what you will about Google, but 4 days is fast.

      4 days to fix a security vulnerability in a web app is INCREDIBLY SLOW. Anyways, obviously it's a little easier to patch a website, especially when you have a highly tolerant client base. This is the same Google, though, that released a desktop search that was so terribly security defective that it's hard to believe that their hiring practices are even remotely as selective as they imagine.

    4. Re:A very timely fix unlike M$ by slashkitty · · Score: 2, Insightful

      uhm, yeah, but that was a MUCH bigger hole. All you need for the hotmail bug was the victim's email address. (for a bug like that, they should have shut down the whole system until it was fixed) For google, you need their authentication token... which, is probably a problem for a lot of sites... not a super duper high priority bug if you ask me.

      --
      -- these are only opinions and they might not be mine.
    5. Re:A very timely fix unlike M$ by darkmeridian · · Score: 2, Informative

      Hold up a second. The MS Hotmail flaw allowed anyone's Hotmail account to be compromised by going to a MS website and typing in the e-mail account they wanted to hack. The GMail flaw requires a user to send their certificate information to the hacker. The Hotmail flaw was much more significant and easier to fix: disable the second website (or at least ask for a secret question).

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    6. Re:A very timely fix unlike M$ by bannerman · · Score: 3, Informative

      This is completely different. The Hotmail hack allowed anyone to view anyone else's Hotmail account, with nothing more than a username. The Gmail hack allowed someone with access to another person's web traffic or hard drive to get access to their Gmail account. If you give them that much, you might as well give them your password as well, just for convenience' sake.

      --
      I keep forgetting my place. Jesus is for losers. Why do I still play to the crowd?
    7. Re:A very timely fix unlike M$ by Bogtha · · Score: 2, Informative
      --
      Bogtha Bogtha Bogtha
    8. Re:A very timely fix unlike M$ by karmatic · · Score: 2, Informative

      Actually, if you read the exploit, cookie stealing was not necessary. Just a little cookie manipulation, and looking at some JavaScript.

    9. Re:A very timely fix unlike M$ by Anonymous Coward · · Score: 2, Interesting

      No matter how you slice it: 1 day to fix a vulnerability in a web app is fast. 4 days is slow. And even if these exploits differed in the way you seem to think they are, it wouldn't be "completely different."

      However, they aren't. The Google press release is false and I can't believe -- I just can't believe -- that the whole friggin' Slashdot crowd bought that crap hook, line and sinker. Read the linked article about the actual exploit. This is every bit as serious as the Hotmail hack.

  5. So hackers can't get in now... by Galius+Persnickety · · Score: 5, Funny

    So hackers can't get in now if I give them my credentials?

    1. Re:So hackers can't get in now... by z0idberg · · Score: 2, Funny

      no, silly. RTFA...they fixed it. So even if you do give them your credentials they still can't get in. Now that's what I call SECURITY!

  6. Uh-oh.. by Chabil+Ha' · · Score: 2, Informative

    Gee, I hope that no one was able to see that I store my SS#, CC#, and username/passwords for every site that I use. This could really be bad! The last time I checked, this was Beta software anyway, and if it was a concern, realize that most people weren't concerned when they got google eyed for a 2GB account. Get serious, who in their right mind would send sensitive information over e-mail anyway???

    --
    We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
  7. wait a minute by wolfgang_spangler · · Score: 4, Interesting

    The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem. Google didn't make a public announcement about the problem. Companies such as Microsoft typically alert their users to security flaws in their software.

    So I am to believe that when someone makes a security flaw known to Microsoft they immediately make it public? They don't try to fix it or even shush the person who lets them know? The news is full of stories about security researchers who try to let Microsoft know about a problem only to see it not fixed for a long time. Then if the researcher lets the public know Microsoft goes berserk.

    4 days seems like a pretty good time to patch a flaw that sounds as low risk as this one did.

    1. Re:wait a minute by slashkitty · · Score: 2, Interesting

      There is also a HUGE difference between SERVER applications like gmail and desktop software from Microsoft. With Gmail, none of the users need to update their computers to get the fix, while with Microsoft, everyone has to update their computer to get the fix. Who knows how many fixes Google has put in since gmail went live.

      --
      -- these are only opinions and they might not be mine.
    2. Re:wait a minute by 93+Escort+Wagon · · Score: 2, Funny

      The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem. Google didn't make a public announcement about the problem. Companies such as Microsoft typically alert their users to security flaws in their software.

      Huh? So apparently this person thinks all security holes in Windows are discovered on the second Tuesday of each month?

      Microsoft, like many companies, doesn't disclose most security holes until it has patched them. When they are really severe, they will sometimes disclose them as soon as they have a work-around. But I can't recall Microsoft ever saying "hey, someone just reported this bad security hole - good luck to you!"

      --
      #DeleteChrome
  8. not perfect by TubeSteak · · Score: 2, Insightful

    Nobody writes perfect software
    from TFA:
    "OK, it's a Beta version, and they don't have to report anything. But if they would have recognized it and published a thank you note, this information wouldn't had been published. We have 3 ways to get to the same result, the others 2 are quite easier, and because of that easily we can deduce that it's a multibug, and a design error. With all these clues, they will not take too much to discover new methods."

    The only reason we're seeing this is because Google didn't give 'em credit for finding the bug. Shame on Google, because apparently this problem might get worse before it gets better.

    --
    [Fuck Beta]
    o0t!
    1. Re:not perfect by bonk · · Score: 2, Interesting

      Are companies now obligated to make press releases every time they fix a bug? With a full listing of every person and organization that contributed to the discovery and fix of the bug? I would rather that they didn't. Especially if it's going to say "Thanks to AnelKaos".

      Someone pointed out a bug and Google fixed it within a reasonable time limit and went back to their jobs.

      --
      I hope to die peacefully in my sleep like grandpa, not screaming like his passengers.
  9. Re:Better than POP? by generic-man · · Score: 2, Informative

    AIM mail gives you 2 GB of free space and IMAP access so you can use it from a real mail client. All you need is an AIM screen name.

    For my personal mail I use Fastmail, IMAP mail with excellent server-side filtering. They had a brief outage last weekend, but aside from that they've been rock-solid for the last 2 years. They don't offer you enough storage space to make a warez repository out of your inbox, but it would take me a decade to fill up my 600 MB account.

    --
    For more information, click here.
  10. And No Rollout Necessary by Anonymous Coward · · Score: 3, Insightful

    The good thing about this is that now, everyone benefits from the fixes. Instantly.

    No more issuing patches, fixes, service packs, or whatever, like there is with distributed packages.

  11. 1-2-3-4-5 by rolandog · · Score: 4, Funny

    That's amazing. I got the same combination on my luggage.

  12. Great news! by theSpaceCow · · Score: 3, Funny

    See, up until now, if you knowingly gave hackers your credentials, they'd be able to log on to your account with them. But now Google's refined their system to the point that even if you give out your personal information, hackers can't get in!

    It's really very simple. They simply cycle through every Google ad you've ever clicked on (to find potential phishers), geo-locate the IP trying to log on and cross-reference it to the "From" location in most of your Google Maps directions searches, attempt to visually identify you from any webcam pictures they may have cached, calculate the speed in which the username/password was typed in compared to the "keyboard profile" they have on file from all your searches, and compare the logon time to your typical usage times for GMail and Google Talk.

    Perfect security. At least, from everybody but Google.

    --
    I support the separation of oil and state.
  13. Google fix by spurtle15 · · Score: 5, Funny

    FTFA

    "We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials," Ms. Boralv said. "Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues."

    Fix:

    From: Google
    To: Gmail users
    Subject: Security Bug

    To all Gmail users:

    Please do not give out your user name and password.

    Thank you. That is all.

    1. Re:Google fix by Tim+U. · · Score: 2, Insightful
      FTFA

      "We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials," Ms. Boralv said. "Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues."
      Is this really true? To me it looks like they were simply taking variables from a successful login process, and substituting them into a login process that would normally have failed.

      Or did I miss something...
  14. Are you sure they fixed it? by xxxJonBoyxxx · · Score: 3, Interesting

    If I'm reading this correctly, the security researcher thinks that Google has fixed only one of the three bugs that open up this door...thus the public pronouncement.

    "But if they would have recognized it and published a thank you note, this information wouldn't had been published. We have 3 ways to get to the same result, the others 2 are quite easier, and because of that easily we can deduce that it's a multibug, and a design error. With all these clues, they will not take too much to discover new methods."

  15. Re:Question by Woldry · · Score: 2, Funny

    No, you need a different Google hack for that.

    --
    How can a post be modded "overrated" or "underrated" when it hasn't been rated yet?
  16. Re:Why doesn't this news make me feel any safer? by morgan_greywolf · · Score: 3, Insightful

    I completely disagree with EPIC's privacy analysis of Gmail's "content extraction" techniques.

    First off, whether the ECPA extends to Internet e-mail has NOT been established. The ECPA was written in 1986 and at that time, most people's idea of an 'e-mail' service involved CompuServe or other proprietary mail services.

    I doubt that anyone could have a reasonable expectation of privacy in regards to Internet e-mail. Mail can pass through so many servers and routers and such and ANY of those hosts along the way could grab your mail, which is, unless YOU encrypt it, pretty much transmitted in clear text, with very rare exceptions. Any of those hosts could store and analyze your mail, too. There's nothing stopping them. It's a direct result of the Internet's decentralized nature.

    Anyone who expects that unencrypted Internet e-mail is private is very sadly mistaken.

  17. Re:hope they implement a timeout too by (startx) · · Score: 2, Informative

    The default behavior IS to log a user out when the browser is closed. The only way your girlfriend's account would stay logged in after closing the window is if she checked "Remember me on this computer" when logging in.

  18. You're kidding!! by tomcres · · Score: 2, Funny
    Gee, I hope that no one was able to see that I store my SS#, CC#, and username/passwords for every site that I use. This could really be bad! The last time I checked, this was Beta software anyway, and if it was a concern, realize that most people weren't concerned when they got google eyed for a 2GB account. Get serious, who in their right mind would send sensitive information over e-mail anyway???

    Up until today, I was including that info in my sig!!

  19. Re:Why doesn't this news make me feel any safer? by ClearlyPennsylvania · · Score: 3, Informative

    For what, exactly? Gmail doesn't provide your mail to any third parties - no, not even the context-dependent ads do that. Sure, there's a database of your emails somewhere... but every single email service has a database of your email. How is gmail a threat to your privacy?

  20. What exactly is/was the exploit? by frankie · · Score: 3, Informative

    I don't read either Spanish or Hackerspeak very well, so I may have misunderstood their explanation, but it sounded like the exploit requires the attacker to gain access to the source code of the login screen for a user who already has a valid Gmail cookie. In other words, Gmail sends (or used to send?) stealable authentication info in the html. Is that accurate? If so, I'd have to agree that's not Best Practices for web security.

    Their screenshot walkthrough seemed like a mess. Which browser (and which URL) was associated with each of those source views?

  21. Re:In preply to the torrent of dumbness... by bman08 · · Score: 2, Interesting

    It's true, my wife's paypal account was hijacked last week by someone looking at her gmail account, probably by this very exploit. Luckily, the kid was a moron who immediately started forwarding all her mail to his own yahoo.it box. A sojourn through the gmail trashcan turned up a paypal receipt for an IRC hosting package. Needless to say panicked overreaction ensued, passwords were changed, credit cards cancelled, another windows install was replaced with Ubuntu. It's nice to know now, maybe/probably, what the problem was and the limits of our exposure. I also did, during this period, suddenly realize that keeping everything on gmail means keeping EVERYTHING on gmail. We've not used paypal in at least a year, but still, there it was in the archive.

  22. Also A Security Hole in Google Base by miller60 · · Score: 2, Informative
    Google also has fixed a security hole in Google Base, which could have exposed sensitive information stored by users of Google's services. From the article:

    "Google's move towards a single Google Account for multiple services exacerbates the problem, as the same account used by the Google Base site can also be used to access financially sensitive services such as AdWords and AdSense, and Google's GMail webmail service."