Slashdot Mirror
Gmail Vulnerability May Expose User Information
An anonymous reader writes "A cross-site scripting vulnerability may mean bad news for Gmail users. The ethical hacking group GNUCitizen has developed a proof-of-concept program that deftly steals contact information and emails from the popular web-based mail service. At the moment there are no 'wild' exploits for this vulnerability. The article discusses how lax security makes holes like this a problem for corporate IT houses as well as Google. '"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal. "In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."'" This, just a few days after a search-based exploit was discovered.
People wonder why I recommend getting a private email account. Sure we could have the same issues, but the core webmail software we use is almost a decade old, and I gather that it has had more users then GMail currently has.
In short: ditch the free and go with a service provider that provides service. GMail is ok for your Grandpa, but do you really want those million-dollar business contracts and project bids on it?
Website Hosting
I'll second the comment that this shouldn't suprise anyone. Where I work there are laws which require proper security, but in most other places I've been gmail was used widely. This is because 1. Gmail was more reliable than the 'official' email system 2. The search feature in gmail was way faster and smarter than the 'official' email system (e.g. outlook; squirrelmail) 3. The 'keep everything/multiple tags' model of gmail was less onerous than the maintenance the company expected (e.g.: keep your mailbox under a certain size; manually roate things to local storage; sort things by some directory system you'll probably be confused by when you look at it a year later...) What I'd like to see is more people using those intranet-sized google search and email servers I hear about. I hate my company's crappy intranet search engine, and the only thing good about outlook is its meeting-scheduling system. Using google technology, but on a company-controlled server, would seem the best of both worlds. But... I'm not an IT person. Maybe this would be horrible.
Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)
This is a XSS browser exploit, which basically means that one site you're visiting can talk to other sites you're logged into. It's not Google's fault; nothing is breaking in to their servers, it's just malicious code running on your computer hijacking the connection you made to Google. It's your browser's fault for not sandboxing sites properly.
Or to use an real-world analogy, it's like blaming Google because you forgot to log out at an internet cafe and then somebody else sat down and read your email.
How can I believe you when you tell me what I don't want to hear?
You dont need to use cross site scripting, it sends the user's entire email list, telephone numbers, alt emails, etc right after login for the googletalk applet. Run a packet dump, they turn off the encryption and then send all of the private data (negating userid/password). I sent in two support tickets on this in January but only received the generic autoreplies. To keep up with security news find a local hacker group.