Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Corrects Gmail Security Flaw

Posted by Zonk on from the seekrit-communications dept.

0110011001110101 writes "Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into peoples Gmail accounts to read messages and pose as legitimate email users. Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users. The process for exploiting Gmail was posted to a hacker web site." From the article: "Google spokesperson Sonya Boralv said only users who supplied information to the hackers were potentially vulnerable. 'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said. 'Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues.'"

18 of 209 comments (clear)

  1. In preply to the torrent of dumbness.... by KinkoBlast · · Score: 3, Insightful

    Google does NOT read every email. It goes through a computerised filter to supply ads. No different than a spam filter. How come no one complains about Yahoo, MSN, and 99% of other email providers, free or not?

    1. Re:In preply to the torrent of dumbness.... by BushCheney08 · · Score: 4, Funny

      You forgot to post the link to the torrent

      --
      Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  2. While they're there... by Threni · · Score: 4, Interesting

    ...they could alter the URLS they serve up such that httpS is used instead of crappy old http. The former works if you remember to edit it manually every time you log in, but that's tedious.

    1. Re:While they're there... by timster · · Score: 5, Informative

      If you make your bookmark https://mail.google.com/ it will present both the login and the rest of the site via HTTPS.

      --
      I have seen the future, and it is inconvenient.
  3. A very timely fix unlike M$ by gasmonso · · Score: 3, Insightful
    "The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem."

    Say what you will about Google, but 4 days is fast. I think Microsoft takes weeks, if not months to fix problems. As a matter of fact, I bet there are vulnerabilities that are years old. Not to mention that M$ gets angry whenever a security group points out a bug.

    gasmonso http://religiousfreaks.com/
    1. Re:A very timely fix unlike M$ by generic-man · · Score: 4, Informative

      When Hotmail was hacked 6 years ago, Microsoft sealed off the problem within a day. Google is incredibly slow.

      --
      For more information, click here.
    2. Re:A very timely fix unlike M$ by bannerman · · Score: 3, Informative

      This is completely different. The Hotmail hack allowed anyone to view anyone else's Hotmail account, with nothing more than a username. The Gmail hack allowed someone with access to another person's web traffic or hard drive to get access to their Gmail account. If you give them that much, you might as well give them your password as well, just for convenience' sake.

      --
      I keep forgetting my place. Jesus is for losers. Why do I still play to the crowd?
  4. So hackers can't get in now... by Galius+Persnickety · · Score: 5, Funny

    So hackers can't get in now if I give them my credentials?

  5. wait a minute by wolfgang_spangler · · Score: 4, Interesting

    The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem. Google didn't make a public announcement about the problem. Companies such as Microsoft typically alert their users to security flaws in their software.

    So I am to believe that when someone makes a security flaw known to Microsoft they immediately make it public? They don't try to fix it or even shush the person who lets them know? The news is full of stories about security researchers who try to let Microsoft know about a problem only to see it not fixed for a long time. Then if the researcher lets the public know Microsoft goes berserk.

    4 days seems like a pretty good time to patch a flaw that sounds as low risk as this one did.

  6. And No Rollout Necessary by Anonymous Coward · · Score: 3, Insightful

    The good thing about this is that now, everyone benefits from the fixes. Instantly.

    No more issuing patches, fixes, service packs, or whatever, like there is with distributed packages.

  7. 1-2-3-4-5 by rolandog · · Score: 4, Funny

    That's amazing. I got the same combination on my luggage.

  8. Great news! by theSpaceCow · · Score: 3, Funny

    See, up until now, if you knowingly gave hackers your credentials, they'd be able to log on to your account with them. But now Google's refined their system to the point that even if you give out your personal information, hackers can't get in!

    It's really very simple. They simply cycle through every Google ad you've ever clicked on (to find potential phishers), geo-locate the IP trying to log on and cross-reference it to the "From" location in most of your Google Maps directions searches, attempt to visually identify you from any webcam pictures they may have cached, calculate the speed in which the username/password was typed in compared to the "keyboard profile" they have on file from all your searches, and compare the logon time to your typical usage times for GMail and Google Talk.

    Perfect security. At least, from everybody but Google.

    --
    I support the separation of oil and state.
  9. Re:Grammar Police by MSantiago · · Score: 5, Funny
    "While the hacker website that published the exploit is safe from Criminal Prosecution, they may still get a visit from the Grammar Police Then again, its a spanish language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them."


    Hate to do this to you, but when someone starts criticizing someone else's grammar, they'd better use proper grammar, punctuation, spelling, and capitalization in their own posts.

    For starters, "Criminal Prosecution" isn't a proper noun and shouldn't be capitalized. Also, "its" is not being used in its possessive form. Rather, it's a contraction of "it is" and should contain an apostrophe. Lastly, "spanish" must be capitalized.
  10. Google fix by spurtle15 · · Score: 5, Funny

    FTFA

    "We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials," Ms. Boralv said. "Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues."

    Fix:

    From: Google
    To: Gmail users
    Subject: Security Bug

    To all Gmail users:

    Please do not give out your user name and password.

    Thank you. That is all.

  11. Are you sure they fixed it? by xxxJonBoyxxx · · Score: 3, Interesting

    If I'm reading this correctly, the security researcher thinks that Google has fixed only one of the three bugs that open up this door...thus the public pronouncement.

    "But if they would have recognized it and published a thank you note, this information wouldn't had been published. We have 3 ways to get to the same result, the others 2 are quite easier, and because of that easily we can deduce that it's a multibug, and a design error. With all these clues, they will not take too much to discover new methods."

  12. Re:Why doesn't this news make me feel any safer? by morgan_greywolf · · Score: 3, Insightful

    I completely disagree with EPIC's privacy analysis of Gmail's "content extraction" techniques.

    First off, whether the ECPA extends to Internet e-mail has NOT been established. The ECPA was written in 1986 and at that time, most people's idea of an 'e-mail' service involved CompuServe or other proprietary mail services.

    I doubt that anyone could have a reasonable expectation of privacy in regards to Internet e-mail. Mail can pass through so many servers and routers and such and ANY of those hosts along the way could grab your mail, which is, unless YOU encrypt it, pretty much transmitted in clear text, with very rare exceptions. Any of those hosts could store and analyze your mail, too. There's nothing stopping them. It's a direct result of the Internet's decentralized nature.

    Anyone who expects that unencrypted Internet e-mail is private is very sadly mistaken.

    --
    My blog
  13. Re:Why doesn't this news make me feel any safer? by ClearlyPennsylvania · · Score: 3, Informative

    For what, exactly? Gmail doesn't provide your mail to any third parties - no, not even the context-dependent ad do that. Sure, there's a database of your emails somewhere... but every single email service has a database of your email. How is gmail a threat to your privacy?

  14. What exactly is/was the exploit? by frankie · · Score: 3, Informative

    I don't read either Spanish or Hackerspeak very well, so I may have misunderstood their explanation, but it sounded like the exploit requires the attacker to gain access to the source code of the login screen for a user who already has a valid Gmail cookie. In other words, Gmail sends (or used to send?) stealable authentication info in the html. Is that accurate? If so, I'd have to agree that's not Best Practices for web security.

    Their screenshot walkthrough seemed like a mess. Which browser (and which URL) was associated with each of those source views?