Gmail Vulnerability May Expose User Information
An anonymous reader writes "A cross-site scripting vulnerability may mean bad news for Gmail users. The ethical hacking group GNUCitizen has developed a proof-of-concept program that deftly steals contact information and emails from the popular web-based mail service. At the moment there are no 'wild' exploits for this vulnerability. The article discusses how lax security makes holes like this a problem for corporate IT houses as well as Google. '"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal. "In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."'" This, just a few days after a search-based exploit was discovered.
With ROT 26
we all view pr0n right? right? those malicious websites ;-) we all love to use every day.
i know i check my gmail account when viewing fabulous pr0n.
fair exchange really. they get my viagra spam and i get pretty pictures and movies.
tongue in cheek. interesting how cross site scripting attacks are finally becoming big news after how many years and years of warnings.
So who didn't see this thing coming?
Online apps are only going to get more and more popular. Webmail is like the gateway drug of internet apps. It starts off innocently enough. Going from an in house email system that is only intranet. Then you need to give employees the ability to send outside email, no problem, but your servers can still filter out attachments both ways and give the company a security and intellectual property barrier. Then the online apps start looking appealing, no maintenance, no servers, just internet access. A lot of cost savings for the company. What could go wrong? Then Microsoft and the other big players start talking about making Office an online application and hyping the benefits of such a new age system. The benefits are described in beautiful powerpoint presentations to the execs and the IT department's warnings are just plain text. What's going to happen to the companies that fall for this new online paradigm? I think more of the same. Information leaks, database vulnerabilities, simple password guessing, general hacks, etc. And all the information accessed through these new online applications is going to be out there for the taking. Ease of use and availability on a new level, to the hackers.
Human Kind Vs Human Creation
It'd be interesting to see how many humans would survive to serve us.
People wonder why I recommend getting a private email account. Sure we could have the same issues, but the core webmail software we use is almost a decade old, and I gather that it has had more users than GMail currently has.
In short: ditch the free and go with a service provider that provides service. GMail is ok for your Grandpa, but do you really want those million-dollar business contracts and project bids on it?
Website Hosting
We talk about shutting down any unnecessary services and closing ports down by default in operating systems and firewalls. Why wouldn't one want to do the same with Web browsing? Lock down (or lock out) anything that can cause harm to corporate systems, and then open up things only as required. Not only does it improve productivity, it also improves security at the same time...
Those who believe the Internet is private,
find their privates are on the Internet.
well that sucks - gmail is the best free email service by far, offering real forwarding and POP/SMTP access, you can use it for anything. come to think of it, all my info is fake on my gmail accounts, so who cares
Mo
Why is it that we always see these exploits with GMail? I can't even remember the last time a Yahoo Mail or Hotmail, etc. exploit came out. They're about equally popular among the public.
With all respect, why continue this crusade against Google/Gmail?
Sure, they are a key player in the market, but so are Yahoo, Hotmail, and a number of others.
From a technical perspective, cross-site scripting (XSS) vulnerabilities aren't exactly a new thing. Nor are they isolated to Gmail.
The article is not wrong - so I am not attempting to protect Google. On the other hand, this problem is fairly general in nature, and probably applicable to a ton of websites. In fact, the "cookie grabbing technique" is one of the oldest tricks in the area of XSS.
With this in mind, the article (and in general the constant rampage against Google) seems ... a tiny bit one-sided. Not only is that unfair for Google (I am not a stockholder, so I will survive) but it also takes away the focus from the real issue: XSS is a big deal, and has to be dealt with. By everybody ... not just by Google.
:-)
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
I can open HTML email in a standalone application (Thunderbird, Eudora, whatever) with very little concern about someone getting my login information. That's because there is an implicit barrier between the application state and the HTML page. But it is more difficult with web-based email: If you display HTML messages, then they are being displayed on the same page that has access to your login credentials.
It seems to me that the most foolproof solution is to display the HTML email inside a sandbox that does not have access to the cookies (or any other part) of the enclosing page. There may be some way(s) to do this with browsers as they are today, but it seems like ultimately, such a sandbox should be designed-in to HTML and/or Javascript. Something like a chroot command.
This would eliminate the constant cat & mouse game of scrubbing the HTML for something dangerous, then a new HTML/browser feature being used to get around it, etc.
Ummm - isn't this what /. always says about Microsoft?
Trusting Google with your data is like playing Russian Roulette with an automatic pistol: bad things will happen to your data
Google says it is so easy to keep all your information online - and it is - where they can search it
Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)
But hey, they use Linux, so I guess it is ok
If this is really a cross-site scripting vulnerability, NoScript might help protect against it (if you're using Firefox).
NoScript should prevent this exploit. It can be annoying to have to constantly give permission to sites to allow scripting, but it beats being hacked.
I'm also wondering if running Gmail over SSL would make any difference...
-Laz
Because some of us don't spend the $5-$10 to go out to lunch (I pack a lunch, saves money, healthier, etc), and prefer to spend our lunch hour checking the news online? Sure, during business hours while working that makes sense, maybe, but during my breaks and lunch (both of which I'm free to take when I want) I like to go online and do stuff. So that becomes problematic. Honestly the solution is education. Having good enough resources on the local network so that your users don't have to use gmail or an FTP site is key, and making sure they know how to use them.
:)
You can say tough shit, and I'd agree, employer has that right. But then I'd counter by saying I'd probably be keeping an eye open for a new employer
All hail the mighty Google empire, which brings teh Lunix-based FOSSie security goodness to all of us, and seeks to slay teh 3vil M$$$$ empire!!!1!
TFA (Yes, I'm new here...) says that it takes over the cookie to allow the attacker access to the GMail box for two years.
But what if you tell both the browser and GMail not to remember your password? I make that a policy with most web sites I use, mostly to protect me if someone steals my laptop -- no password bypass mechanisms allowed, no passwords stored in clear text allowed.
Does that make you safe against this attack also?
2*3*3*3*3*11*251
Luckily for me, I only use GMail's webmail interface for my mailing lists, which any and all attackers are free to have. My personal account comes via encrypted POP. Thanks to Gmail for that option.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
I'll second the comment that this shouldn't surprise anyone. Where I work there are laws which require proper security, but in most other places I've been gmail was used widely. This is because:
1. Gmail was more reliable than the 'official' email system.
2. The search feature in gmail was way faster and smarter than the 'official' email system (e.g. outlook; squirrelmail).
3. The 'keep everything/multiple tags' model of gmail was less onerous than the maintenance the company expected (e.g.: keep your mailbox under a certain size; manually rotate things to local storage; sort things by some directory system you'll probably be confused by when you look at it a year later...)
What I'd like to see is more people using those intranet-sized google search and email servers I hear about. I hate my company's crappy intranet search engine, and the only thing good about outlook is its meeting-scheduling system. Using google technology, but on a company-controlled server, would seem the best of both worlds. But... I'm not an IT person. Maybe this would be horrible.
I think the optimal solution would be a client which does not run scripts *AT ALL*. i.e. to read your mail, you need to d/l this software. But that defeats the purpose of having WEB mail accounts, doesn't it?
That's the conundrum.
Perhaps a solution would be to alter the HTML spec, in that you could include a specific file (a-la XMLHTTPRequest) and render it as html, but disabling all scripting inside that piece of html.
Or can it be done with existing technologies?
You bring up excellent points, which is why I'm considering abandoning my Gmail account. But I have yet to find an alternative mail provider with as much storage space, features, and accessibility as Gmail. I suppose I could host my own mail server, but I have *no* clue how to do that.
ROT 52 is twice as good.
Anyone not using and requiring at the very least PGP for their GMail box? Or getting "private" mails to it (or sending from it)?
When you look at my GMail boxes, you'd probably get a very strange picture of me...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The leading edge of generation Y are just starting to graduate from college. The demographic the summary refers to is probably the last half of Gen-X (the youngest of which are in their mid-20s). If anything, it is the Gen-Xers that have a more naive/trusting mentality toward IT and the web overall. We grew up with an Internet that had relatively scarce criminal activity.
Anyway... If you want to avoid browser vulnerabilities with GMail, simply use their free POP3 access (make sure SSL is enabled).
never used it, never sent the email address to ANYONE from there, but every day, there's spam in there.
I'd say, "Yeah there's a security hole in there..."
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
the "problem" of only being able to be logged into one Gmail account at a time [and all the googledocs and blogging features bound to the google identity cookie] becomes a lame and slight advantage: Give yourself a junk google Identity...that is easy these days since no priming based on a prior email acct is needed. Do your business with trusted sites using your "good" identity...the one with 8000 emails containing your life story and your company's proprietary info. For general surfing [you don't do both goofing off and quality connecting in the same session, get it?] you log into your junk identity. It should be the last identity used if you tend not to scrub the cache/history/cookies when you close a browser. There is no such thing as a "trusted" PC or workstation...get over it.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Like most people I have a webmail account, but I use it for "junk" like website sign-ups, so if something messes up, I don't lose valuable data. Domain names and hosting are so cheap these days, you could use your own address for important emails, or your own ISP's account.
I never have understood the fascination people have with webmail, same sort of thing using a website to access Usenet and calling it proper Usenet - which it isn't.
Take Nobody's Word For It.
(I'm just sayin'...)
-Clio
Karma: Bad (mostly from not giving a fuck)
Blog: http://clintjcl.wordpress.com
"This, just a few days after the discovery of a search-based exploit was discovered."
Woo-hoo, meta-discovery! Oh wait - no, it's just Zonk screwing up.
Spreading FUD about Google is something that MS is highly motivated to do. Spreading FUD about Yahoo! or MS's own Hotmail system is not.
That said, I'm not sure you're correct. I seem to recall a Yahoo! Mail exploit being publicized fairly recently. As for Hotmail, I'm not sure, but I suspect that it's a generic enough system that any exploits found are interesting as generic exploits more than as Hotmail-specific.
You don't need to use cross site scripting, it sends the user's entire email list, telephone numbers, alt emails, etc. right after login for the googletalk applet. Run a packet dump: they turn off the encryption and then send all of the private data (negating userid/password). I sent in two support tickets on this in January but only received the generic autoreplies. To keep up with security news find a local hacker group.
It explains how the exploit works, how developers would/should avoid it and how users could protect themselves: http://hackademix.net/2007/09/26/gmail_csrf/
There's a browser safer than Firefox, it is Firefox, with NoScript
Just a counter-point.
Many web hosters offer accounts that also come with IM, email, and various web-based programs to do other things. Often these accounts cost very little money and give you gigabytes more space than GMail (and that space can be used for more than just email without resorting to clever hacks to make your email space usable in other ways). Look at who's hosting some of the sites people point to on /. and you'll get some good leads.
Digital Citizen
If you are not encrypting your email you are as exposed as your grandpa, so your recommendation is based on wishful thinking and not on actual hard technical facts.
Email is not a secure mechanism to transmit information, unless it is encrypted. End of story.
And as regards all those valuable contracts and what have you, I would like to inform you that email is not a guaranteed delivery mechanism; it works on a "best effort" delivery basis. So I will not be sending any urgent information by email any time soon.
IANAL but write like a drunk one.
The sense of entitlement that some people show around here is staggering.
You may want to go online on your office computer. Well I am even pickier, I want blonde masseuses at my disposal for my lunch break, as well as the massages provided in rooms with plasma TVs and free drinks.
The sky is the limit to what employees think they should be entitled to do with company's resources....
Whenever I want to store something securely on Gmail (e.g. a text file containing a list of passwords), I encrypt it with 256-bit AES, then include it as an attachment in an email to myself.
The bits on the bus go on and off... on and off... on and off...
Some interesting points
Most of my emails are plain text, with no links in them or very few. On top of this they are all from people or organizations I know; if I don't recognize it I don't open it. If I think it's spam or suspicious I use the handy "Report Spam" button. TFA even says that disabling JavaScript solves the security issue, and if you use Firefox you can use extensions like NoScript (as I believe was mentioned in another post here).
It seems pretty unfair to lay this only on Google's shoulders as XSS has been around for a long time and many web apps are vulnerable to it. Sure, the two year session cookie lifetime is a bit long and it would be better to have a 1 week lifetime or maybe even shorter. Does anyone know if there is a way to force Gmail to create a new session cookie? Does clearing your local cookies do so? If so that is another way to solve the issue. And what about using Gmail over SSL as is allowed by a couple different Firefox extensions?
If this group has informed Google about this then I am sure Google will work on finding a solution, they have a lot of very smart people working for them after all and I am sure that they can find a solution that will address the issue without affecting usability or the user's experience. If nothing else, just say no to HTML email and only click links you trust. Just my two cents. :)
~Petaris "The world is open. Are you?"
Google's high profile webmail service, Gmail, is vulnerable to a security exploit that might allow hackers full access to a user's email account simply by knowing the user name, according to reports. The vulnerability that may expose user information, posted by Zonk, is the current issue that has been identified. As a Gmail user, I was surprised when I found out about this issue, because Gmail didn't give any notification about it. It is a very serious problem, since a lot of people use the email service as a communication medium. When an attacker abuses the user's information, the common things that may happen are fabricating emails, modifying emails, blocking them, or eavesdropping on the messages. Advances in technology might be a factor that makes these issues arise. Attackers may steal the user's account cookie file while they log on to their Gmail account. They may also spam, and use the user's account to steal the user's information. They may also do packet sniffing or replay attacks to steal user accounts. It makes me feel very insecure using my Gmail account to send email or messages to people. I hope this issue will find a solution, because there is no more privacy in using an email account.
When I searched about this issue on the internet, I found one website that talks about the insecure Gmail account. The security researcher Petko Petrov managed to find a significant security hole in Gmail. The technique is similar to cross-site request forgery (also known as CSRF or XSRF). In this particular case, visiting a malicious website while being logged in to GMail will insert a filter into the user's account that forwards all mail to another email address. Although the backdoor can easily be removed by the user, it will not be removed as a result of Google fixing the vulnerability. He shows on his web site "http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/" how an attacker hijacked the messages. Try to check it out...