Gmail Vulnerability May Expose User Information
An anonymous reader writes "A cross-site scripting vulnerability may mean bad news for Gmail users. The ethical hacking group GNUCitizen has developed a proof-of-concept program that deftly steals contact information and emails from the popular web-based mail service. At the moment there are no 'wild' exploits for this vulnerability. The article discusses how lax security makes holes like this a problem for corporate IT houses as well as Google. '"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal. In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."'" This, just a few days after a search-based exploit was discovered.
Javascript does have a sandbox security model based on the domain name of the javascript/html source.
Displaying the html mail in its own internal frame that pulls from a different domain name than the rest of the application should solve the problem you're referring to. Something like mail.googlecontent.com would work nicely.
If moderation could change anything, it would be illegal.
If this is really a cross-site scripting vulnerability, NoScript might help protect against it (if you're using FireFox).
NoScript should prevent this exploit. It can be annoying to have to constantly give permission to sites to allow scripting, but it beats being hacked.
I'm also wondering if running Gmail over SSL would make any difference...
-Laz
Google does offer services to large organizations whereby they can use gmail and still use their own domain. Just a few years ago, my university ditched its in-house email servers in a "partnership" with gmail, and gmail became the mail service for the entire university. They said it would save all kinds of money on maintenance, and they were probably right.
;)
So I guess my point is, even if they have the professional-looking email, it doesn't mean they're not using gmail.
From what I gather about this exploit (and contrary to what the CNET article has to say about it) this is actually a cross-site reference forgery (CSRF) attack rather than XSS. The attack takes advantage of the fact that a malicious Web site's clients may have persistent GMail cookies in their web browsers: The attacking site directs the victim's web browser, (possibly, but not necessarily) using JavaScript, to make a POST request to GMail which creates a mail filter to copy all messages to an email address under the attacker's control. No JavaScript needs to be injected into GMail itself, so I don't really think it counts as XSS; in fact, the attacker never sees the actual session cookie or recovers the account password. Still, this is a huge threat, especially considering that so many people have their (Facebook|MySpace|AIM|whatever) accounts set up to send their password to their GMail accounts in case the password is "forgotten".
If this is how the attack works, then Firefox's NoScript extension should protect you as long as you don't have the attacking web site whitelisted, even if the CSRF POST vector isn't JavaScript based.
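The forgery described in this comment, as an added example that is not part of the Slashdot thread or of Gmail's own code: a toy "create mail filter" endpoint is shown twice, once trusting the session cookie alone and once with a session-bound synchronizer token plus an Origin header check. The server secret, the in-memory session store, the Request and Session classes, the origins and the addresses are all constructed for this demo; the simulation plays one legitimate and one forged POST (the forged one carries the victim's cookie but cannot carry the token, because a third-party page cannot read it) against both handlers.

```python
"""Added example: CSRF-vulnerable vs. CSRF-protected 'create filter' endpoint."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_SECRET = secrets.token_bytes(32)        # constructed; load from config in practice
TRUSTED_ORIGIN = "https://mail.example.test"   # hypothetical web-mail origin


@dataclass
class Request:                 # constructed stand-in for an HTTP request
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    user: str
    filters: list = field(default_factory=list)


SESSIONS: dict[str, Session] = {}   # session cookie value -> Session


def login(user: str) -> str:
    """Creates a session and returns the value the browser stores in the SID cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid


def csrf_token(sid: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The legitimate page embeds it in its form; another site cannot read it."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def create_filter_vulnerable(req: Request) -> tuple[int, str]:
    """Trusts the cookie alone: any page that makes the browser POST here succeeds."""
    session = SESSIONS.get(req.cookies.get("SID", ""))
    if session is None or req.method != "POST":
        return 401, "not logged in"
    session.filters.append(req.form["forward_to"])
    return 200, "filter created"


def create_filter_hardened(req: Request) -> tuple[int, str]:
    """Same endpoint with two independent forgery checks."""
    sid = req.cookies.get("SID", "")
    session = SESSIONS.get(sid)
    if session is None or req.method != "POST":
        return 401, "not logged in"
    # Check 1: if the browser sent an Origin header it must be our own origin.
    origin = req.headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request refused"
    # Check 2: the form must carry the session-bound token (constant-time compare),
    # which also covers browsers or form posts that send no Origin header at all.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    session.filters.append(req.form["forward_to"])
    return 200, "filter created"


def simulate() -> dict:
    """Plays one legitimate and one forged POST against both handlers."""
    results = {}
    for name, handler in (("vulnerable", create_filter_vulnerable),
                          ("hardened", create_filter_hardened)):
        sid = login("victim")
        # Legitimate request issued by the web-mail page itself, token included.
        legit = Request("POST", {"SID": sid},
                        {"forward_to": "me@example.test", "csrf_token": csrf_token(sid)},
                        {"Origin": TRUSTED_ORIGIN})
        # Forged request: a form on another site auto-submitted by the victim's browser.
        # The browser attaches the SID cookie, but the other site cannot supply the token.
        forged = Request("POST", {"SID": sid},
                         {"forward_to": "drop@attacker.test"},
                         {"Origin": "https://attacker.test"})
        results[name] = {
            "legit": handler(legit)[0],
            "forged": handler(forged)[0],
            "filters": list(SESSIONS[sid].filters),
        }
    return results


if __name__ == "__main__":
    for name, r in simulate().items():
        print(f"{name:10} legit={r['legit']} forged={r['forged']} filters={r['filters']}")
```

The vulnerable handler ends up with the attacker's forwarding address in the victim's filter list even though no script ever ran inside the mail application and no cookie was disclosed, which is exactly why the comment classes this as CSRF rather than XSS; the hardened handler refuses the forged request at the Origin check, and would still refuse it at the token check if the Origin header were absent.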
You're absolutely correct in stating that this isn't strictly a GMail problem, but rather a fundamental problem with using the Web as an application platform. In fact, I'd argue that CSRF attacks are an even more deeply rooted and difficult to deal with problem than any type of XSS. My friends might think I'm outdated, but this is why I still use fetchmail and mutt to grab my GMail messages by POP, staying logged out of the GMail web site as much as possible.
No. The cookies are stolen upon transfer. You need to transfer your login data and save a cookie to receive the subsequent responses (viewing more than one message).
It explains how the exploit works, how developers would/should avoid it and how users could protect themselves: http://hackademix.net/2007/09/26/gmail_csrf/
There's a browser safer than Firefox: it is Firefox with NoScript.
If you are not encrypting your email you are as exposed as your grandpa, so your recommendation is based on wishful thinking and not on actual hard technical facts.
Email is not a secure mechanism to transmit information unless it is encrypted. End of story.
And as regards all those valuable contracts and what have you, I would like to inform you that email is not a guaranteed delivery mechanism; it works on a "best effort" delivery basis. So I will not be sending any urgent information by email any time soon.
IANAL but write like a drunk one.
Some interesting points