Teenage Blogger Finds Gmail Hole

cpm80 wrote to mention the news that a 14 year old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."

So the story is?

[Osrin]

Something happened, he is not sure what, and now nobody can replicate it.

Stuff that matters huh?

Fixed

[hetairoi]

SANS Internet Storm Center says it's fixed. Seems pretty silly.

Re:Security flaw?

[triptolemus]

You're not dense, the article is...

He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane...

in *a* preview pane... what preview pane... where? Yahoo's preview pane? How is that google's problem?

I'm totally confused...

Re:Security flaw?

[DieNadel]

It could be used for Cross-Site Scripting (XSS), for instance, meaning that someone could send you an email and collect information on you, or make you think you're on google, but really be on another site, etc.

The preview pane is what you see before you read the message (when the list of messages is displayed - e.g. your Inbox).

Not surprising

[Bogtha]

Google have shown repeatedly that they don't understand how to deal with Javascript securely. Example.

Dude, he's 14!

[TCQuad]

This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.

If this was a security expert or professional programmer or the like, I'd agree. But he's 14! Teenagers nowadays can barely open a door without first blogging about the experience. He saw something, he said he saw something. Now he gets a little recognition, Google fixes it and everyone goes home happy.

Gmail security can be over agressive too

[frovingslosh]

Unfortunately, I find I have problems with Gmail security the other way. Gmail blocks outbound attachments with exe files, even when those files are included inside zip files. I write programs and occasionally have to e-mail a client a change. Yet, unless I want to try to get my low-tech users to use more tools to help me sneak something past the Gmail filtering, I have to use a second e-mail account when I want to send out EXE files.

I'm all for Google not doing stupid things on their web interface, but I don't think they should be encouraged to be even more agressive and invasive as to what we send and receive in our e-mail. Claiming you are doing this for the users' protection just assumes that all of your users are idiots, and if you build a system that repeatedly makes that assumption then eventually all of your users will be idiots, as you will drive the others away.

Re:Gmail security can be over agressive too

[TClevenger]

Rename the extension of the ZIP file to .Z instead of .ZIP. GMail passes it right through, and WinZip (as well as many other Windows-based tools) will still see it as a ZIP file and give it the correct icon, minimizing confusion on the part of users.

Re:Gmail security can be over agressive too

[drinkypoo]

Gmail's is the intended behavior. Use FTP for EXEs, or even CDs.

No.

Why don't you stop telling people how to use their computers. I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.

Re:Gmail security can be over agressive too

[drinkypoo]

Or Outlook. Or several other capable email programs. Essentially, your suggestion is that general security should be sacrificed because lazy people sometimes want to send executable files? That's weak, friend.

Sometimes they want to send zip files with .exe files in them, too, but you can't do that either. If I want to just dash a zip file with an installer (or just a program that doesn't require installation, just unpacking) off to someone, I have to rename the zip file extension, and then they have to rename it, or I have to go into the zip file and rename the .exe, which they have to rename. It's not that I'm not capable of it, because clearly I am - I can string words together into sentences, and have more than two neurons to rub together - but that I think it's lame. At the very least I should have a configuration option I can use to turn off that behavior.

Email programs SHOULD block exe files. If you are smart enough to send an exe that makes sense, you're smart enough to rename it. Period.

Why should I have to fuck around just because people are stupid? The best reason to block .exe attachments outgoing is to stop worms from propagating. However, worms can pick a filename for an .exe like .exe.delete-this-extension just like anyone else can, so it won't help there, it only causes people to modify their tactics. Also, google shouldn't be susceptible to spreading a worm attack (barring javascript FUBARs) because you can't run code on gmail anyway.

A better behavior would be to harass people who download .exes and tell them that they may summon satan all over their hard drive, so that those of us who have legitimate reasons to send them aren't punished for the stupidity of others.

Re:Gmail security can be over agressive too

[fatphil]

"Essentially, your suggestion is that general security should be sacrificed ..."

Complete straw man, drinkypoo suggested nothing of the sort.

The _sacrifice_ in security is the use of insecure clients and/or insecure OSes. Bits are bits, bytes are bytes, no bits or bytes are more insecure than any other bits or bytes - it's the actions performed on those bits or bytes that can be insecure.

The lazy people are the people who don't go to enough effort to install secure software.

FP.

Re:Security flaw?

[tpgp]

I'm probably just very very dense, but ... out of the description, how is that a security hole?

Basically - you don't want someone to be able to send you javascript that will execute when you read a message. It can allow the attacker far to much leeway (within the confines of your browser)

Here's an (old) example that affected Microsoft's hotmail service that gives you an idea of why you don't want want javascript sent to you to execute.

Less seriously - it makes it trivial for spammer to verify that someone is opening their spam.

I thought teenagers. . .

[smooth+wombat]

were good at finding holes to exploit. Any hole.

Er, wait. Scratch that. I'm thinking of something else.

Re:Just one flaw

[Bogtha]

it's not like there's a risk of taking down the system with this single bug

If you can get somebody to execute Javascript of your choosing in the security context of the gmail.com domain, then you can fairly easily write a worm that reproduces by emailing itself to everybody in your contacts list. A worm like that does stand a chance of bringing down the system.

So the attention grabber headline is...

[geobeck]

Teenage Computer Geek Finds Hole

Girlfriend says "Finally!"

Re:So the attention grabber headline is...

I thought that went more along the lines of..

Teenage Computer Geek Finds Hole

Girlfriend says "Not that hole! Pull it out! Pull it out!!"

Re:So the attention grabber headline is...

[geobeck]

*sigh*... All of the thoughtful, serious replies I've given to /. topics, and my first +5 comes from a crack like this.

(No pun intended.)

Re:So the attention grabber headline is...

[Kirth+Gersen]

In my experience, girls don't say that. They usually say:

"Are you in yet?"

Re:Outdated

[ObsessiveMathsFreak]

So the fact that they ignored a security hole for two years and then botched the fix is unimportant, because it's fixed now?

Yeah! Yeah! Because... because Google are different OK?! They do NO EVIL! I mean "Don't be Evil", I mean, not like M$, I mean..... ....STOP DISSING GOOGLE!!!! They're cool and happy and good AJAX coders!!!!!! Better than others!!! They CAN'T Screw up!!!!!!!!!! This is a lie!!! WAS a lie!!! No Wait!!! AAAAAAAAHHHHHHH!!!!!

Email is probably the wrong tool for this task

[WebCowboy]

Gmail blocks outbound attachments with exe files, even when those files are included inside zip files.

Google is RIGHT in doing such filtering, although perhaps they should make it clear to users up front on its filtering policies rather than waiting for them to discover it for themselves. Besides, even if outbound executable attachments are blocked how many corporate systems permit them inbound? My employer blocks inbound executables unless you're in certain departments, and the majority of our clients do as well. These systems are getting very smart too--they analyse the actual content of the file rather than the extension and even if you rename your .exe to .abc, ZIP it and rename the .zip extension .xyz our system will check the header content of the files' data and determine it is a ZIP, then extract the files inside to examine THEM if that is how you configure it.

The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortuantely it cannot always be avoided but it should be whereever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).

There are some cases where email is the most convenient, such as for non-executable documents (I avoid sending .docs since I consider then "executable"--I send PDFs instead), smaller files and so on. For dealing with more novice users I send an email with the link to the file to click, and for getting files from them I set up a simple HTTPS "gateway" with a file submission form. Just as simple as attachments (for the client anyways) and more secure.

I don't think GMail and other mail systems need to be "fixed"...I think that people have to get out of the mindset of using email to exchange files. Use secure FTP or even HTTPS...or even better for big files use Bittorrent. It annoys me when people complain about limits on email attachments just like it annoys me when people use Excel to create "databases". At least learn to use MS Access dammit...it isn't THAT hard!

Re:Email is probably the wrong tool for this task

[RedWizzard]

The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortuantely it cannot always be avoided but it should be whereever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).

What do you think the point of attachments is? Email is designed for small file transfer. And it's the most convienient way to do peer to peer file transfer we have. FTP requires a server so it is fine as a central repository, but it is not good adhoc transfers between people.

Elements of Un-Style

[Icephreak1]

The kid's code might be deadly, but after reading his blog, I notice he can barely formulate a coherent English sentence.

- P

Stop The Presses!!!

[johnkoer]

There is a bug in a piece of beta software??? That is unheard of.

if you take the story at face value,

[museumpeace]

it certainly underscores a strength of web based applications: It was looking like a bug one morning but by afternoon, only fixed versions of the code were to be found. Centralized reloading of gmail's servers means everybody got the fix at the same time more or less. What would the time line of such a security hole be if it occured in Outlook? Eudora?

Re:-- oh and that they read Digg... :-)

[hamoe]

Yes. Certainly more mature posters, at least when I don't read at -1.

Re:-- oh and that they read Digg... :-)

[rm69990]

The quality of some of the submitted stories on Digg is absolutely pathetic. And 99% of the comments are one liners written by complete morons. So yes, Slashdot has better stuff. When reading the news, I care about quality over quantity and speed.

Some examples from the front page of Digg.com:

--"Women will get sterile just looking at you", Star Wars fans uncool??

A man was so bold as to blog that being a hard core Star Wars fan is social suicide. He backed up his statement with some hilarious convention pics and captions.

--Hidden task killer in Windows XP!

Most people probably know that Windows XP comes with a darn useful task killer. Lets you kill anything automatically!

--Zombie MMO???

A buddy of mine just forwarded me this link. Turns out the name mean lifeless in Latin. Does anyone know anything about this? I'm a HUGE Zombie and HUGE MMO fan!!!

--EA's Exclusive Contract With The NFL May Be Voided!

If the dispute between the NFLPA and the NFL continues then anti-trust rules will apply. If this happens then EA's contract is null and void!

--LEGO brick USB drive

The perfect USB drive. Why doesn't LEGO sell these?

So what is Digg? A news site, or a place for geeks to dump their filth? Sorry, I don't go out of my way online to read garbage, and that includes teasers written by retards. And I'm not even going to bother replicating some of the comments here.

Do you get this Gmail error.

[earthstar]

This is one Gmail bug I see of late... I get mails with lots of pics in it forwarded by friends to my gmail account without a problem.However when I forward it to any other email address [ including to my own Gmail address] , only the text appears & the pics dont (only rectangles with 'X' appear]. I have been having this problem for the last 1 week or so only. has any one of you come across such a problem too?