Google Goes On Offensive vs. JavaScript Attacks
alphadogg writes "Google's e-mail security team has updated its Postini engine to stop a new type of JavaScript attack that helped fuel a rise in spam volume in recent months.
Google says it has seen a surge in obfuscated JavaScript attacks, describing them as a hybrid between virus and spam messages. The e-mails are designed to look like legitimate messages, specifically Non Delivery Report messages, but contain hidden JavaScript.
'In some cases, the message may have forwarded the user's browser to a pharma site or tried to download something unexpected,' Google said in its official blog."
TFA should have read: "Google has found a vulnerability in its gmail code that could be used to execute arbitrary JS code in the user's browser".
Instead, they played that down and used the "we are fighting JS attacks" phrase as if that was normal or common.
Failing to properly escape JS/HTML/CSS in a webservice is a MAJOR vulnerability.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
Nobody is allowing JavaScript in emails. This is a BUG in Gmail's code, not the user's fault. You use a browser to see your email. Spammers managed to somehow escape JS code and pass it through all of Google's filters and execute it in your browser.
I hate to say it, but Cheap Canadian Online Pharmaceuticals is not your friend.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
I just tested this. I sent a message to my Hotmail box with an HTML file as an attachment. The HTML file contains a single script tag with document.location = 'http://google.com' inside. I opened the mail and opened the attachment. Internet Explorer asks if I want to save "test.html" or open it. This should ring bells big time, but I understand that a normal user doesn't get it and goes and opens the attachment. So I went and clicked Open and was redirected to google.com.
Now if I save the file and try to open it from the local folder I get a nice yellow warning bar telling me that the file contains An Evil Script and if I really, really want to open it I must explicitly allow the script to run. If I go and allow the script then I'm at google.com again.
It seems that this is a simple, direct and rather effective attack against Joe Averages who just want to get rid of the stupid warning dialogs and open up everything that is sent to them. If Google can come up with a generic solution for this, other than trying to rip off every HTML tag from the mails and their attachments, I really applaud them.
Maybe the browser shouldn't be allowed to be redirected outside the current domain by default? But then again, there would have to be a warning dialog for that and Joe Average would still be out of luck.
You don't know what you don't know.
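Added example, not code from the thread, from Google or from Postini: a small Python MIME scanner for the pattern the summary and the post above describe, a message dressed up as a Non Delivery Report whose HTML body or .html attachment carries a script or other active content. The sample message, the regexes and the function names are my own constructions; a genuine bounce is assumed to use the standard multipart/report content type, which the lookalike does not.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Heuristic markers of active content in HTML: script tags, javascript: URLs,
# inline event handlers and meta-refresh redirects. Constructed for this example.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=|<\s*meta[^>]+http-equiv\s*=\s*[\"']?refresh",
    re.IGNORECASE,
)
# Subject lines that imitate a bounce / Non Delivery Report.
NDR_SUBJECT = re.compile(
    r"undeliver|delivery (status|failure)|mail delivery failed|returned mail",
    re.IGNORECASE,
)


def scan_message(raw: bytes) -> dict:
    """Walk every MIME part and report HTML parts that carry active content.

    Returns {"ndr_lookalike": bool, "active_html_parts": [filename or "(body)"]}.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or "(body)"
        # A text/html body and an attachment named *.htm(l) are both rendered by
        # the browser once opened, so treat either as HTML.
        looks_html = part.get_content_type() == "text/html" or name.lower().endswith((".htm", ".html"))
        if not looks_html:
            continue
        payload = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if ACTIVE_CONTENT.search(payload):
            findings.append(name)
    # Real bounces are multipart/report (RFC 3462); an NDR-style subject on any
    # other container is the hybrid virus/spam shape described in the article.
    ndr_like = bool(NDR_SUBJECT.search(msg.get("Subject", ""))) and msg.get_content_type() != "multipart/report"
    return {"ndr_lookalike": ndr_like, "active_html_parts": findings}


def build_sample() -> bytes:
    """Constructed test message: bounce-style subject plus an HTML attachment whose
    script redirects the browser, mirroring the test described in the thread."""
    msg = EmailMessage()
    msg["Subject"] = "Undelivered Mail Returned to Sender"
    msg["From"] = "mailer-daemon@example.invalid"  # placeholder sender
    msg["To"] = "user@example.invalid"  # placeholder recipient
    msg.set_content("Your message could not be delivered. See the attached report.")
    html = "<html><body><script>document.location='http://example.invalid/';</script></body></html>"
    msg.add_attachment(html, subtype="html", filename="test.html")
    return msg.as_bytes()
```

Run `scan_message(build_sample())` to see the attachment flagged; a plain-text bounce with a `multipart/report` container and no HTML part produces an empty findings list.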
In this case the email client is the web browser. I'm not sure if gmail allows you to disable HTML in the emails you receive.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
If Google is responding to existing attacks, wouldn't they be going on the defensive?
Because of the confusion that seems rampant...
Postini is an anti-spam/anti-virus mail filtering service that sits between your mail system and the internet. Companies (mostly) use it to stop malicious emails getting into their internal mail systems. Gmail is a web-mail system which is probably protected by Postini also, since Google owns both.
--- Mercutio was right.