Slashdot Mirror
Gmail Vulnerability May Expose User Information
An anonymous reader writes "A cross-site scripting vulnerability may mean bad news for Gmail users. The ethical hacking group GNUCitizen has developed a proof-of-concept program that deftly steals contact information and emails from the popular web-based mail service. At the moment there are no 'wild' exploits for this vulnerability. The article discusses how lax security makes holes like this a problem for corporate IT houses as well as Google. '"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal. "In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."'" This, just a few days after a search-based exploit was discovered.
With ROT 26
So who didn't see this thing comming?
Online apps are only going to get more and more popular. Webmail is like the gateway drug of internet apps. It starts off innocently enough. Going from an in house email system that is only intranet. Then you need to give employees the ability to send outside email, no problem, but your servers can still filter out attachments both ways and give the company a security and intellectual property barrier. Then the online apps start looking appealing, no maintenance, no servers, just internet access. A lot of cost savings for the company. What could go wrong? Then Microsoft and the other big players start talking about making Office an online application and hyping the benifits of such a new age system. The benifits are described in beautiful powerpoint presentations to the execs and the IT departments warnings are just plain text. What's going to happen to the companies that fall for this new online paradigm? I think more of the same. Information leaks, database vulnerabilities, simple password guessing, general hacks, etc. And all the information accessed through these new online applications is going to be out there for the taking. Ease of use and availability on a new level, to the hackers.
) Human Kind Vs Human Creation
) It'd be interesting to see how many humans would survive to serve us.
People wonder why I recommend getting a private email account. Sure we could have the same issues, but the core webmail software we use is almost a decade old, and I gather that it has had more users then GMail currently has.
In short: ditch the free and go with a service provider that provides service. GMail is ok for your Grandpa, but do you really want those million-dollar business contracts and project bids on it?
Website Hosting
Those who believe the Internet is private,
find their privates are on the Internet.
Why is it that we always see these exploits with GMail? I can't even remember the last time a Yahoo Mail or Hotmail, etc. exploit came out. There about equally popular among the public.
With all respect, why continue this crusade against Google/Gmail?
... a tiny bit one-sided. Not only is that unfair for Google (I am not a stockholder, so I will survive) but it also takes away the focus from the real issue: XSS is a big deal, and has do be dealt with. By everybody ... not just by Google.
:-)
Sure, they are a key player in the market, but so is Yahoo, Hotmail, and a number of others.
From a technical perspective, cross-site scripting (XSS) vulnerabilities isn't exactly a new thing. Nor are they isolated to Gmail.
The article is not wrong - so I am not attempting to protect Google. On the other hand, this problem is fairly general in nature, and probably applicable to a ton of websites. In fact, the "cookie grabbing technique" is one of the oldest tricks in the areas of XSS.
With this in mind, the article (and in general the constant rampage against Google) seems
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
Javascript does have a sandbox security model based on the domain name of the javsacript/html source.
Displaying the html mail in its own internal frame that pulls from a different domain name than the rest of the application should solve the problem you're referring to. Something like mail.googlecontent.com would work nicely.
If moderation could change anything, it would be illegal.
If this is really a cross-site scripting vulnerability, NoScript might help protect against it (if you're using FireFox).
Because some of us don't spend the $5-$10 to go out to lunch ( I pack a lunch, saves money, healthier, etc), and prefer to spend our lunch hour checking the news online? Sure, during business hours while working that makes sense, maybe, but during my breaks and lunch (both of which I'm free to take when I want) I like to go online and do stuff. So that becomes problematic. Honestly the solution is education. Having good enough resources on the local network so that your users don't have to use gmail or a ftp site is key, and making sure they know how to use them.
:)
You can say tough shit, and I'd agree, employer has that right. But then I'd counter by saying I'd probably be keeping an eye open for a new employer
I'll second the comment that this shouldn't suprise anyone. Where I work there are laws which require proper security, but in most other places I've been gmail was used widely. This is because 1. Gmail was more reliable than the 'official' email system 2. The search feature in gmail was way faster and smarter than the 'official' email system (e.g. outlook; squirrelmail) 3. The 'keep everything/multiple tags' model of gmail was less onerous than the maintenance the company expected (e.g.: keep your mailbox under a certain size; manually roate things to local storage; sort things by some directory system you'll probably be confused by when you look at it a year later...) What I'd like to see is more people using those intranet-sized google search and email servers I hear about. I hate my company's crappy intranet search engine, and the only thing good about outlook is its meeting-scheduling system. Using google technology, but on a company-controlled server, would seem the best of both worlds. But... I'm not an IT person. Maybe this would be horrible.
Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)
This is a XSS browser exploit, which basically means that one site you're visiting can talk to other sites you're logged into. It's not Google's fault; nothing is breaking in to their servers, it's just malicious code running on your computer hijacking the connection you made to Google. It's your browser's fault for not sandboxing sites properly.
Or to use an real-world analogy, it's like blaming Google because you forgot to log out at an internet cafe and then somebody else sat down and read your email.
How can I believe you when you tell me what I don't want to hear?
You dont need to use cross site scripting, it sends the user's entire email list, telephone numbers, alt emails, etc right after login for the googletalk applet. Run a packet dump, they turn off the encryption and then send all of the private data (negating userid/password). I sent in two support tickets on this in January but only received the generic autoreplies. To keep up with security news find a local hacker group.
It explains how the exploit works, how developers would/should avoid it and how users could protect themselves: http://hackademix.net/2007/09/26/gmail_csrf/
There's a browser safer than Firefox, it is Firefox, with NoScript
Some interesting points