Teenage Blogger Finds Gmail Hole

cpm80 wrote to mention the news that a 14 year old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."

Re:Security flaw?

[DieNadel]

It could be used for Cross-Site Scripting (XSS), for instance, meaning that someone could send you an email and collect information on you, or make you think you're on google, but really be on another site, etc.

The preview pane is what you see before you read the message (when the list of messages is displayed - e.g. your Inbox).

Gmail security can be over agressive too

[frovingslosh]

Unfortunately, I find I have problems with Gmail security the other way. Gmail blocks outbound attachments with exe files, even when those files are included inside zip files. I write programs and occasionally have to e-mail a client a change. Yet, unless I want to try to get my low-tech users to use more tools to help me sneak something past the Gmail filtering, I have to use a second e-mail account when I want to send out EXE files.

I'm all for Google not doing stupid things on their web interface, but I don't think they should be encouraged to be even more agressive and invasive as to what we send and receive in our e-mail. Claiming you are doing this for the users' protection just assumes that all of your users are idiots, and if you build a system that repeatedly makes that assumption then eventually all of your users will be idiots, as you will drive the others away.

Re:Gmail security can be over agressive too

[drinkypoo]

Gmail's is the intended behavior. Use FTP for EXEs, or even CDs.

No.

Why don't you stop telling people how to use their computers. I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.

Re:Gmail security can be over agressive too

[drinkypoo]

Or Outlook. Or several other capable email programs. Essentially, your suggestion is that general security should be sacrificed because lazy people sometimes want to send executable files? That's weak, friend.

Sometimes they want to send zip files with .exe files in them, too, but you can't do that either. If I want to just dash a zip file with an installer (or just a program that doesn't require installation, just unpacking) off to someone, I have to rename the zip file extension, and then they have to rename it, or I have to go into the zip file and rename the .exe, which they have to rename. It's not that I'm not capable of it, because clearly I am - I can string words together into sentences, and have more than two neurons to rub together - but that I think it's lame. At the very least I should have a configuration option I can use to turn off that behavior.

Email programs SHOULD block exe files. If you are smart enough to send an exe that makes sense, you're smart enough to rename it. Period.

Why should I have to fuck around just because people are stupid? The best reason to block .exe attachments outgoing is to stop worms from propagating. However, worms can pick a filename for an .exe like .exe.delete-this-extension just like anyone else can, so it won't help there, it only causes people to modify their tactics. Also, google shouldn't be susceptible to spreading a worm attack (barring javascript FUBARs) because you can't run code on gmail anyway.

A better behavior would be to harass people who download .exes and tell them that they may summon satan all over their hard drive, so that those of us who have legitimate reasons to send them aren't punished for the stupidity of others.

Re:Gmail security can be over agressive too

[fatphil]

"Essentially, your suggestion is that general security should be sacrificed ..."

Complete straw man, drinkypoo suggested nothing of the sort.

The _sacrifice_ in security is the use of insecure clients and/or insecure OSes. Bits are bits, bytes are bytes, no bits or bytes are more insecure than any other bits or bytes - it's the actions performed on those bits or bytes that can be insecure.

The lazy people are the people who don't go to enough effort to install secure software.

FP.

Re:Email is probably the wrong tool for this task

[RedWizzard]

The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortuantely it cannot always be avoided but it should be whereever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).

What do you think the point of attachments is? Email is designed for small file transfer. And it's the most convienient way to do peer to peer file transfer we have. FTP requires a server so it is fine as a central repository, but it is not good adhoc transfers between people.

Stop The Presses!!!

[johnkoer]

There is a bug in a piece of beta software??? That is unheard of.

if you take the story at face value,

[museumpeace]

it certainly underscores a strength of web based applications: It was looking like a bug one morning but by afternoon, only fixed versions of the code were to be found. Centralized reloading of gmail's servers means everybody got the fix at the same time more or less. What would the time line of such a security hole be if it occured in Outlook? Eudora?

Re:So the attention grabber headline is...

[geobeck]

*sigh*... All of the thoughtful, serious replies I've given to /. topics, and my first +5 comes from a crack like this.

(No pun intended.)

Re:-- oh and that they read Digg... :-)

[hamoe]

Yes. Certainly more mature posters, at least when I don't read at -1.

Re:-- oh and that they read Digg... :-)

[rm69990]

The quality of some of the submitted stories on Digg is absolutely pathetic. And 99% of the comments are one liners written by complete morons. So yes, Slashdot has better stuff. When reading the news, I care about quality over quantity and speed.

Some examples from the front page of Digg.com:

--"Women will get sterile just looking at you", Star Wars fans uncool??

A man was so bold as to blog that being a hard core Star Wars fan is social suicide. He backed up his statement with some hilarious convention pics and captions.

--Hidden task killer in Windows XP!

Most people probably know that Windows XP comes with a darn useful task killer. Lets you kill anything automatically!

--Zombie MMO???

A buddy of mine just forwarded me this link. Turns out the name mean lifeless in Latin. Does anyone know anything about this? I'm a HUGE Zombie and HUGE MMO fan!!!

--EA's Exclusive Contract With The NFL May Be Voided!

If the dispute between the NFLPA and the NFL continues then anti-trust rules will apply. If this happens then EA's contract is null and void!

--LEGO brick USB drive

The perfect USB drive. Why doesn't LEGO sell these?

So what is Digg? A news site, or a place for geeks to dump their filth? Sorry, I don't go out of my way online to read garbage, and that includes teasers written by retards. And I'm not even going to bother replicating some of the comments here.