Slashdot Mirror


Teenage Blogger Finds Gmail Hole

cpm80 wrote to mention the news that a 14 year old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."

7 of 268 comments

  1. So the story is? by Osrin · · Score: 5, Funny

    Something happened, he is not sure what, and now nobody can replicate it.

    Stuff that matters huh?

  2. Fixed by hetairoi · · Score: 4, Informative

    SANS Internet Storm Center says it's fixed. Seems pretty silly.

    --
    you're all figments of my deranged imagination
  3. Not surprising by Bogtha · · Score: 3, Interesting

    Google have shown repeatedly that they don't understand how to deal with Javascript securely. Example.

    --
    Bogtha Bogtha Bogtha
  4. I thought teenagers. . . by smooth+wombat · · Score: 5, Funny

    were good at finding holes to exploit. Any hole.

    Er, wait. Scratch that. I'm thinking of something else.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  5. So the attention grabber headline is... by geobeck · · Score: 5, Funny

    Teenage Computer Geek Finds Hole

    Girlfriend says "Finally!"

    --
    Find environmentally and socially responsible products on http://buy-right.net
  6. Re:Outdated by ObsessiveMathsFreak · · Score: 3, Funny

    So the fact that they ignored a security hole for two years and then botched the fix is unimportant, because it's fixed now?

    Yeah! Yeah! Because... because Google are different OK?! They do NO EVIL! I mean "Don't be Evil", I mean, not like M$, I mean..... ....STOP DISSING GOOGLE!!!! They're cool and happy and good AJAX coders!!!!!! Better than others!!! They CAN'T Screw up!!!!!!!!!! This is a lie!!! WAS a lie!!! No Wait!!! AAAAAAAAHHHHHHH!!!!!

    --
    May the Maths Be with you!
  7. Email is probably the wrong tool for this task by WebCowboy · · Score: 3, Interesting

    Gmail blocks outbound attachments with exe files, even when those files are included inside zip files.

    Google is RIGHT in doing such filtering, although perhaps they should make their filtering policies clear to users up front rather than waiting for them to discover it for themselves. Besides, even if outbound executable attachments are blocked how many corporate systems permit them inbound? My employer blocks inbound executables unless you're in certain departments, and the majority of our clients do as well. These systems are getting very smart too--they analyse the actual content of the file rather than the extension and even if you rename your .exe to .abc, ZIP it and rename the .zip extension .xyz our system will check the header content of the files' data and determine it is a ZIP, then extract the files inside to examine THEM if that is how you configure it.

    The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortunately it cannot always be avoided but it should be wherever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).

    There are some cases where email is the most convenient, such as for non-executable documents (I avoid sending .docs since I consider them "executable"--I send PDFs instead), smaller files and so on. For dealing with more novice users I send an email with the link to the file to click, and for getting files from them I set up a simple HTTPS "gateway" with a file submission form. Just as simple as attachments (for the client anyways) and more secure.

    I don't think GMail and other mail systems need to be "fixed"...I think that people have to get out of the mindset of using email to exchange files. Use secure FTP or even HTTPS...or even better for big files use Bittorrent. It annoys me when people complain about limits on email attachments just like it annoys me when people use Excel to create "databases". At least learn to use MS Access dammit...it isn't THAT hard!
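The content-based attachment inspection described in the comment above (identify a ZIP by its header bytes regardless of the extension, then look at the members), as an added Python example that is not the commenter's employer's system or any Gmail code; the `scan` function, its depth and size limits, and the constructed sample attachment are assumptions for illustration.

```python
import io
import zipfile

# Content-based type detection: decide by leading bytes, never by extension.
ZIP_MAGIC = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")

def sniff(data: bytes) -> str:
    """Classify a blob by its header bytes ('MZ' is the DOS/PE executable magic)."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(b"MZ"):
        return "exe"
    if data.startswith(b"%PDF-"):
        return "pdf"
    return "other"

def scan(data: bytes, name: str, depth: int = 0,
         max_depth: int = 3, max_member: int = 10_000_000) -> list:
    """Return findings (executable paths, skipped/unreadable members) for one
    attachment, descending into ZIP archives whatever their extension.
    The depth and per-member size limits stop nested or inflated archives
    (zip bombs) from exhausting the scanner."""
    kind = sniff(data)
    if kind == "exe":
        return [name]
    if kind != "zip" or depth >= max_depth:
        return []
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}/{info.filename}"
                if info.file_size > max_member:
                    found.append(f"{member} (skipped: too large)")
                    continue
                found += scan(zf.read(info), member, depth + 1, max_depth, max_member)
    except zipfile.BadZipFile:
        found.append(f"{name} (unreadable archive)")
    return found

def build_sample() -> bytes:
    """Constructed attachment: an 'MZ' stub renamed .abc inside a ZIP renamed .xyz."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.abc", b"MZ\x90\x00" + b"\x00" * 60)  # constructed, not a real PE
        zf.writestr("notes.txt", b"just text")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan(build_sample(), "attachment.xyz"))  # flags attachment.xyz/report.abc
```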