Slashdot Mirror


Gmail Vulnerability May Expose User Information

An anonymous reader writes "A cross-site scripting vulnerability may mean bad news for Gmail users. The ethical hacking group GNUCitizen has developed a proof-of-concept program that deftly steals contact information and emails from the popular web-based mail service. At the moment there are no 'wild' exploits for this vulnerability. The article discusses how lax security makes holes like this a problem for corporate IT houses as well as Google. '"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal. "In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."'" This, just a few days after a search-based exploit was discovered.

8 of 94 comments

  1. Online apps by Romancer · · Score: 5, Insightful

    So who didn't see this thing coming?

    Online apps are only going to get more and more popular. Webmail is like the gateway drug of internet apps. It starts off innocently enough. Going from an in-house email system that is only intranet. Then you need to give employees the ability to send outside email, no problem, but your servers can still filter out attachments both ways and give the company a security and intellectual property barrier. Then the online apps start looking appealing, no maintenance, no servers, just internet access. A lot of cost savings for the company. What could go wrong? Then Microsoft and the other big players start talking about making Office an online application and hyping the benefits of such a new age system. The benefits are described in beautiful powerpoint presentations to the execs and the IT department's warnings are just plain text. What's going to happen to the companies that fall for this new online paradigm? I think more of the same. Information leaks, database vulnerabilities, simple password guessing, general hacks, etc. And all the information accessed through these new online applications is going to be out there for the taking. Ease of use and availability on a new level, to the hackers.

    --
    ) Human Kind Vs Human Creation
    ) It'd be interesting to see how many humans would survive to serve us.
    1. Re:Online apps by betterunixthanunix · · Score: 4, Insightful
      Another problem is the users themselves. People like the convenience of a web interface, and don't want to be tied to one computer using an email client. I try to get people to encrypt confidential emails, but as soon as I say, "So you need to set up Thunderbird..." I am met with skepticism. One friend of mine was worried that someone might be reading her emails (because she had used a predictable password); I set up Thunderbird with GPG for her, but within a few weeks she was back to the web interface.

      When it comes to convenience vs. privacy or security, people will choose convenience.

      --
      Palm trees and 8
  2. Ideal situation? by oahazmatt · · Score: 4, Insightful

    People do use private accounts to store work information
    And companies with information that is valuable to other companies should enforce regulations opposing this.

    I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal.
    It's less than optimal to fix the mail server?

    In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point.
    Really? My company does that. My training materials aren't allowed to leave the building.

    The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included
    If they share corporate information through Facebook, do you need that employee?
    --
    Those who believe the Internet is private,
    find their privates are on the Internet.
  3. Yet another "we hate Gmail article"? by SplatMan_DK · · Score: 5, Insightful

    With all respect, why continue this crusade against Google/Gmail?

    Sure, they are a key player in the market, but so is Yahoo, Hotmail, and a number of others.

    From a technical perspective, cross-site scripting (XSS) vulnerabilities aren't exactly a new thing. Nor are they isolated to Gmail.

    The article is not wrong - so I am not attempting to protect Google. On the other hand, this problem is fairly general in nature, and probably applicable to a ton of websites. In fact, the "cookie grabbing technique" is one of the oldest tricks in the areas of XSS.

    With this in mind, the article (and in general the constant rampage against Google) seems ... a tiny bit one-sided. Not only is that unfair for Google (I am not a stockholder, so I will survive) but it also takes away the focus from the real issue: XSS is a big deal, and has to be dealt with. By everybody ... not just by Google.

    :-)

    - Jesper

    --
    My security clearance is so high I have to kill myself if I remember I have it...
  4. Re:Javascript needs a sandbox/security model by Bluesman · · Score: 4, Informative

    Javascript does have a sandbox security model based on the domain name of the javascript/html source.

    Displaying the html mail in its own internal frame that pulls from a different domain name than the rest of the application should solve the problem you're referring to. Something like mail.googlecontent.com would work nicely.

    --
    If moderation could change anything, it would be illegal.
  5. httponly by Spy der Mann · · Score: 4, Informative

    In fact, the "cookie grabbing technique" is one of the oldest tricks in the areas of XSS.
    ... and this is the reason why the "httponly" cookie extension was created. Firefox 3 will support it, and I already modified my PHP framework to use this for the session cookies.
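Added example (not code from the thread or from the poster's PHP framework) of the check a defender would run over a server's Set-Cookie headers: it flags a session cookie that lacks the HttpOnly flag described above, and Secure alongside it. The session-name heuristic and the sample headers are constructed.

```python
"""Audit Set-Cookie headers for the HttpOnly (and Secure) flags.

Added example, not code from the Slashdot thread or from the poster's
PHP framework. The header strings below are constructed samples.
"""
import re

# Cookie names that commonly carry a session identifier (heuristic, assumed).
SESSION_NAME_RE = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return findings for a session cookie that lacks protective flags.

    HttpOnly keeps the cookie out of document.cookie, so script injected
    through XSS cannot read it (the 'cookie grabbing' case). Secure stops
    the cookie from being sent over plain HTTP. Non-session cookies pass.
    """
    cookie = parse_set_cookie(header)
    findings = []
    if not SESSION_NAME_RE.search(cookie["name"]):
        return findings
    if "httponly" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing HttpOnly (readable via XSS)")
    if "secure" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: missing Secure (sent over plain HTTP)")
    return findings


# Constructed samples: the weak cookie a default PHP setup emits, and the
# hardened form after enabling session.cookie_httponly / session.cookie_secure.
WEAK_HEADER = "PHPSESSID=3f1c9b2a7e; path=/"
HARDENED_HEADER = "PHPSESSID=3f1c9b2a7e; path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for hdr in (WEAK_HEADER, HARDENED_HEADER):
        issues = audit_set_cookie(hdr)
        print(hdr, "->", issues or "OK")
```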
  6. Re:Insecure by Default by pushing-robot · · Score: 5, Interesting

    Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)

    This is an XSS browser exploit, which basically means that one site you're visiting can talk to other sites you're logged into. It's not Google's fault; nothing is breaking in to their servers, it's just malicious code running on your computer hijacking the connection you made to Google. It's your browser's fault for not sandboxing sites properly.

    Or to use a real-world analogy, it's like blaming Google because you forgot to log out at an internet cafe and then somebody else sat down and read your email.

    --
    How can I believe you when you tell me what I don't want to hear?
  7. Much More Informative Article Here by Giorgio Maone · · Score: 5, Informative

    It explains how the exploit works, how developers would/should avoid it and how users could protect themselves: http://hackademix.net/2007/09/26/gmail_csrf/

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript