Slashdot Mirror


Google Corrects Gmail Security Flaw

0110011001110101 writes "Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into people's Gmail accounts to read messages and pose as legitimate email users. Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users. The process for exploiting Gmail was posted to a hacker web site." From the article: "Google spokesperson Sonya Boralv said only users who supplied information to the hackers were potentially vulnerable. 'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said. 'Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues.'"

9 of 209 comments

  1. While they're there... by Threni · · Score: 4, Interesting

    ...they could alter the URLs they serve up such that httpS is used instead of crappy old http. The former works if you remember to edit it manually every time you log in, but that's tedious.

    1. Re:While they're there... by timster · · Score: 5, Informative

      If you make your bookmark https://mail.google.com/ it will present both the login and the rest of the site via HTTPS.

      --
      I have seen the future, and it is inconvenient.
  2. So hackers can't get in now... by Galius+Persnickety · · Score: 5, Funny

    So hackers can't get in now if I give them my credentials?

  3. Re:In preply to the torrent of dumbness.... by BushCheney08 · · Score: 4, Funny

    You forgot to post the link to the torrent

    --
    Be a real patriot: Question authority. Think for yourself. Formulate your own conclusions.
  4. wait a minute by wolfgang_spangler · · Score: 4, Interesting

    The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem. Google didn't make a public announcement about the problem. Companies such as Microsoft typically alert their users to security flaws in their software.

    So I am to believe that when someone makes a security flaw known to Microsoft they immediately make it public? They don't try to fix it or even shush the person who lets them know? The news is full of stories about security researchers who try to let Microsoft know about a problem only to see it not fixed for a long time. Then if the researcher lets the public know Microsoft goes berserk.

    4 days seems like a pretty good time to patch a flaw that sounds as low risk as this one did.

  5. 1-2-3-4-5 by rolandog · · Score: 4, Funny

    That's amazing. I got the same combination on my luggage.

  6. Re:Grammar Police by MSantiago · · Score: 5, Funny

    "While the hacker website that published the exploit is safe from Criminal Prosecution, they may still get a visit from the Grammar Police Then again, its a spanish language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them."

    Hate to do this to you, but when someone starts criticizing someone else's grammar, they'd better use proper grammar, punctuation, spelling, and capitalization in their own posts.

    For starters, "Criminal Prosecution" isn't a proper noun and shouldn't be capitalized. Also, "its" is not being used in its possessive form. Rather, it's a contraction of "it is" and should contain an apostrophe. Lastly, "spanish" must be capitalized.
  7. Google fix by spurtle15 · · Score: 5, Funny

    FTFA

    "We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials," Ms. Boralv said. "Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues."

    Fix:

    From: Google
    To: Gmail users
    Subject: Security Bug

    To all Gmail users:

    Please do not give out your user name and password.

    Thank you. That is all.

  8. Re:A very timely fix unlike M$ by generic-man · · Score: 4, Informative

    When Hotmail was hacked 6 years ago, Microsoft sealed off the problem within a day. Google is incredibly slow.

    --
    For more information, click here.