Slashdot Mirror


Gmail Vulnerability May Expose User Information

An anonymous reader writes "A cross-site scripting vulnerability may mean bad news for Gmail users. The ethical hacking group GNUCitizen has developed a proof-of-concept program that deftly steals contact information and emails from the popular web-based mail service. At the moment there are no 'wild' exploits for this vulnerability. The article discusses how lax security makes holes like this a problem for corporate IT houses as well as Google. '"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal. "In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."'" This, just a few days after a search-based exploit was discovered.

6 of 94 comments

  1. Of course by teknopurge · · Score: 3, Interesting

    People wonder why I recommend getting a private email account. Sure we could have the same issues, but the core webmail software we use is almost a decade old, and I gather that it has had more users than GMail currently has.

    In short: ditch the free and go with a service provider that provides service. GMail is ok for your Grandpa, but do you really want those million-dollar business contracts and project bids on it?

  2. Javascript needs a sandbox/security model by MobyDisk · · Score: 2, Interesting

    I can open HTML email in a standalone application (Thunderbird, Eudora, whatever) with very little concern about someone getting my login information. That's because there is an implicit barrier between the application state and the HTML page. But it is more difficult with web-based email: If you display HTML messages, then they are being displayed on the same page that has access to your login credentials.

    It seems to me that the most foolproof solution is to display the HTML email inside a sandbox that does not have access to the cookies (or any other part) of the enclosing page. There may be some way(s) to do this with browsers as they are today, but it seems like ultimately, such a sandbox should be designed into HTML and/or Javascript. Something like a chroot command.

    This would eliminate the constant cat & mouse game of scrubbing the HTML for something dangerous, then a new HTML/browser feature being used to get around it, etc.
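
A later realization of the sandbox this comment asks for, added here as an example rather than code from the thread or from Gmail: the HTML5 iframe `sandbox` attribute gives a `srcdoc` frame an opaque origin, so even script that did run inside it could not read the webmail page's cookies or DOM. The helper names, the inline CSP and the sample message are assumptions constructed for the example.

```javascript
// Added example (not from the thread or from Gmail): wrap an untrusted HTML
// message in an iframe whose sandbox gives it an opaque origin, so the message
// is isolated from the enclosing webmail page's cookies, storage and DOM.

// Attribute-escape so the message cannot close the srcdoc attribute early.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Return the markup for a sandboxed frame around `untrustedHtml`.
// `tokens` is the sandbox allow-list; the default (empty) blocks scripts,
// forms, same-origin access, top navigation and plugins.
function sandboxedMessageFrame(untrustedHtml, tokens = []) {
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    // With both tokens, framed content can remove its own sandbox attribute.
    throw new Error("allow-scripts with allow-same-origin defeats the sandbox");
  }
  // Second layer (assumed policy): a CSP inside the frame blocks scripts and
  // remote loads such as tracking images even if a token is loosened later.
  const csp = "<meta http-equiv=\"Content-Security-Policy\" " +
              "content=\"default-src 'none'; img-src data:; style-src 'unsafe-inline'\">";
  const doc = "<!doctype html><html><head>" + csp + "</head><body>" +
              untrustedHtml + "</body></html>";
  return "<iframe sandbox=\"" + tokens.join(" ") + "\" srcdoc=\"" +
         escapeAttr(doc) + "\" referrerpolicy=\"no-referrer\"></iframe>";
}

// Constructed sample message carrying the kind of event-handler payload that
// HTML scrubbers play cat and mouse with; here it is neutralised by isolation,
// not by pattern matching.
const SAMPLE_MESSAGE =
  "<p>Hi!</p><img src=x onerror=\"alert(document.cookie)\">";

function demo() {
  return sandboxedMessageFrame(SAMPLE_MESSAGE);
}
```

Insert the returned markup into the inbox view; because the sandbox list omits `allow-same-origin`, the frame's `document.cookie` is not the webmail session's cookie even if scripts were ever allowed.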

  3. Insecure by Default by Anonymous Coward · · Score: 2, Interesting

    Ummm - isn't this what /. always says about Microsoft?

    Trusting Google with your data is like playing Russian Roulette with an Automatic pistol: bad things will happen to your data

    Google says it is so easy to keep all your information online - and it is - where they can search it

    Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)

    But hey, they use Linux, so I guess it is ok

    1. Re:Insecure by Default by pushing-robot · · Score: 5, Interesting

      Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)

      This is an XSS browser exploit, which basically means that one site you're visiting can talk to other sites you're logged into. It's not Google's fault; nothing is breaking into their servers, it's just malicious code running on your computer hijacking the connection you made to Google. It's your browser's fault for not sandboxing sites properly.

      Or to use a real-world analogy, it's like blaming Google because you forgot to log out at an internet cafe and then somebody else sat down and read your email.

      --
      How can I believe you when you tell me what I don't want to hear?

  4. Because gmail is better by quintessentialk · · Score: 3, Interesting

    I'll second the comment that this shouldn't surprise anyone. Where I work there are laws which require proper security, but in most other places I've been gmail was used widely. This is because:

    1. Gmail was more reliable than the 'official' email system.
    2. The search feature in gmail was way faster and smarter than the 'official' email system (e.g. outlook; squirrelmail).
    3. The 'keep everything/multiple tags' model of gmail was less onerous than the maintenance the company expected (e.g.: keep your mailbox under a certain size; manually rotate things to local storage; sort things by some directory system you'll probably be confused by when you look at it a year later...).

    What I'd like to see is more people using those intranet-sized google search and email servers I hear about. I hate my company's crappy intranet search engine, and the only thing good about outlook is its meeting-scheduling system. Using google technology, but on a company-controlled server, would seem the best of both worlds. But... I'm not an IT person. Maybe this would be horrible.

  5. Not XSS by requeth · · Score: 3, Interesting

    You don't need to use cross site scripting, it sends the user's entire email list, telephone numbers, alt emails, etc right after login for the googletalk applet. Run a packet dump, they turn off the encryption and then send all of the private data (negating userid/password). I sent in two support tickets on this in January but only received the generic autoreplies. To keep up with security news find a local hacker group.