Slashdot Mirror


Gmail Vulnerability May Expose User Information

An anonymous reader writes "A cross-site scripting vulnerability may mean bad news for Gmail users. The ethical hacking group GNUCitizen has developed a proof-of-concept program that deftly steals contact information and emails from the popular web-based mail service. At the moment there are no 'wild' exploits for this vulnerability. The article discusses how lax security makes holes like this a problem for corporate IT houses as well as Google. '"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal. "In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."'" This, just a few days after a search-based exploit was discovered.

6 of 94 comments

  1. Re:Javascript needs a sandbox/security model by Bluesman · · Score: 4, Informative

    Javascript does have a sandbox security model based on the domain name of the javascript/html source.

    Displaying the html mail in its own internal frame that pulls from a different domain name than the rest of the application should solve the problem you're referring to. Something like mail.googlecontent.com would work nicely.

    --
    If moderation could change anything, it would be illegal.

  2. Another reason to use NoScript by GroundBounce · · Score: 3, Informative

    If this is really a cross-site scripting vulnerability, NoScript might help protect against it (if you're using FireFox).

  3. httponly by Spy der Mann · · Score: 4, Informative

    In fact, the "cookie grabbing technique" is one of the oldest tricks in the area of XSS.
    ... and this is the reason why the "httponly" cookie extension was created. Firefox 3 will support it, and I already modified my PHP framework to use this for the session cookies.

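
The HttpOnly flag the comment above refers to, shown as an added example (this is not code from the post, from Gmail, or from the commenter's PHP framework): the same session cookie is issued with and without the flag, and a small helper models what a page script could read from document.cookie in each case. The cookie names and values are constructed.

```python
# Added example (not from the post or any framework it mentions): issuing a
# session cookie with and without the HttpOnly flag, and modelling what a
# page script could read from document.cookie in each case.
from http.cookies import SimpleCookie


def build_session_cookie(session_id, name="SID", httponly=True, secure=True):
    """Return a Set-Cookie header value for a session cookie.

    Without HttpOnly the cookie is readable from page scripts via
    document.cookie, which is exactly what the classic XSS cookie-grabbing
    trick relies on. With HttpOnly the browser withholds it from scripts and
    only attaches it to HTTP requests.
    """
    cookie = SimpleCookie()
    cookie[name] = session_id
    cookie[name]["path"] = "/"
    if httponly:
        cookie[name]["httponly"] = True
    if secure:
        cookie[name]["secure"] = True
    # Renders as e.g. "SID=abc123; HttpOnly; Path=/; Secure"
    return cookie[name].OutputString()


def cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value and report its security flags."""
    parsed = SimpleCookie()
    parsed.load(set_cookie_value)
    morsel = next(iter(parsed.values()))
    return {
        "name": morsel.key,
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
    }


def script_visible_cookies(set_cookie_values):
    """Names of cookies a page script could read (those lacking HttpOnly)."""
    return [
        cookie_flags(value)["name"]
        for value in set_cookie_values
        if not cookie_flags(value)["httponly"]
    ]


if __name__ == "__main__":
    # Constructed sample: a legacy session cookie beside the hardened one.
    weak = build_session_cookie("abc123", name="OLD_SID", httponly=False, secure=False)
    strong = build_session_cookie("abc123")
    print(weak)
    print(strong)
    print("readable by scripts:", script_visible_cookies([weak, strong]))
```

HttpOnly only closes the cookie-theft path; a script injected into the page can still drive the application with the victim's session, so the flag is a second line of defence behind output encoding, not a substitute for it.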
  4. Re:Of course by ShatteredArm · · Score: 3, Informative

    Google does offer services to large organizations whereby they can use gmail and still use their own domain. Just a few years ago, my university ditched its in-house email servers in a "partnership" with gmail, and gmail became the mail service for the entire university. They said it would save all kinds of money on maintenance, and they were probably right.

    So I guess my point is, even if they have the professional-looking email, it doesn't mean they're not using gmail. ;)

  5. Much More Informative Article Here by Giorgio Maone · · Score: 5, Informative

    It explains how the exploit works, how developers would/should avoid it and how users could protect themselves: http://hackademix.net/2007/09/26/gmail_csrf/

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript

  6. A link to the ACTUAL article - and some FACTS! by Monkier · · Score: 3, Informative

    Google GMail E-mail Hijack Technique

    Some interesting points

    • nothing to do with cookies - it is google not correctly validating a form submitted from an 'evil' website
    • nothing to do with XSS - the ARTICLE calls it "Cross-site request forgery".
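
The gap the comment above describes, a server accepting a form post without checking which site built the form, beside the standard fix, as an added example (not Google's code and not from the linked article). The endpoint name, request shape and origins are assumptions; the two requests at the bottom are constructed to show a legitimate submission and one posted from a foreign page.

```python
# Added example: a form handler with no cross-site check, and the same
# handler hardened with an Origin check plus a per-session anti-CSRF token.
# Endpoint, request shape and origins are hypothetical.
import hashlib
import hmac
from urllib.parse import parse_qs

SERVER_SECRET = b"constructed-server-secret"  # assumption: kept server-side only
SITE_ORIGIN = "https://mail.example.com"     # assumption: the application's own origin


def csrf_token(session_id):
    """Derive a per-session token from a server secret so a foreign page cannot guess it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_update_settings(request):
    """Accepts any POST that carries the session cookie.

    The browser attaches the cookie automatically, so a form on another site
    submitted from the victim's browser passes this check unchanged.
    """
    if request["cookies"].get("SID") is None:
        return {"ok": False, "error": "not logged in"}
    form = parse_qs(request["body"])
    return {"ok": True, "display_name": form["display_name"][0]}


def hardened_update_settings(request):
    """Same endpoint with two checks that a foreign page cannot satisfy."""
    sid = request["cookies"].get("SID")
    if sid is None:
        return {"ok": False, "error": "not logged in"}
    # 1. Reject submissions whose Origin header names another site.
    #    (Older browsers omit Origin; the token check below still applies.)
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return {"ok": False, "error": "cross-origin form submission"}
    # 2. Require the token that only our own pages can embed in the form.
    form = parse_qs(request["body"])
    submitted = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(submitted, csrf_token(sid)):
        return {"ok": False, "error": "missing or invalid csrf token"}
    return {"ok": True, "display_name": form["display_name"][0]}


def legitimate_request(sid="sess-42"):
    """Constructed: a form rendered by our own site, carrying the token."""
    return {
        "cookies": {"SID": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "body": f"display_name=Alice&csrf_token={csrf_token(sid)}",
    }


def forged_request(sid="sess-42"):
    """Constructed: the same form posted from a foreign page.

    The session cookie rides along automatically, but the foreign page has
    no way to read the token, so the body lacks it.
    """
    return {
        "cookies": {"SID": sid},
        "headers": {"Origin": "https://evil.example.net"},
        "body": "display_name=Mallory",
    }


if __name__ == "__main__":
    print("vulnerable, forged:", vulnerable_update_settings(forged_request()))
    print("hardened, forged:  ", hardened_update_settings(forged_request()))
    print("hardened, genuine: ", hardened_update_settings(legitimate_request()))
```

The token check is the one that matters: it works whether or not the browser sends Origin, and it is exactly the kind of server-side validation the comment says was missing. Tying the token to the session with an HMAC means no per-request storage is needed and a token from one session is useless in another.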