Gmail Accounts Vulnerable to XSS Exploit
Posted by michael on Fri Oct 29, 2004 04:27 PM
from the ooooooops dept.
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
Oh no! (Score:5, Funny)
Isn't it... (Score:2, Insightful)
Re:Isn't it... (Score:5, Insightful)
Re:Isn't it... (Score:4, Insightful)
This SHOULD get maximum exposure. Maybe then the heads in google will jump on this with all their PHDs.
As for not fixing it, I doubt that's an option. Such a monumental failure so start in their public offering will be devastating to them.
Re:Isn't it... (Score:2, Insightful)
(and also look sheepishly at the grammatical screwup in my previous post)
Re:Isn't it... (Score:5, Funny)
Re:Isn't it... (Score:5, Interesting)
Now, I don't have a problem with that at all. Also, I do agree that in this case, Google has GMail in beta for other reasons too (maybe not even the making money off it part - AdWords has been adapted to GMail, so they might already be making money off of it).
Re:Isn't it... (Score:4, Informative)
Re:Isn't it... (Score:2, Informative)
Yes - but the key is that you should give the company in question enough time to be able to get a fix out before releasing the issue to the public. I haven't been able to RTFA; however, unless Google have not taken any action after a reasonable timeframe (say a week), posting the issue on Slashdot is not going to solve the problem any faster, and hence is just making
Re:Isn't it... (Score:5, Insightful)
Yes - Google should have the opportunity to fix this appropriately, not racing against the slew of hackers, crackers, and script kiddies that want to exploit it.
No - People should be aware of security risks in the software, hardware, etc. that they use and upon which they rely.
Personally, I prefer to inform the company of vulnerabilities and offer to help fix them. It's helped me land clients and discredit competitors.
Re:Isn't it... (Score:5, Interesting)
In that case, the exploit had been known for a long time. In the interest of protecting the not-so-savvy (read: gullible) users, publicity may get the attention needed for them to do their jobs, giving them a reasonable chance to respond with their fix. Two years is way more than reasonable.
To play devil's advocate, I'd say that it's not your responsibility to make sure their site is secure. If they want to leave it there, they can - and publicizing it is simply going to hurt those users that you'd seek to protect. It'll end up hurting Google in the end anyway.
Personally, I prefer to do a "good deed" and help make the web a little safer for people like my wife's grandparents.
Google needs to toss its cookies... (Score:5, Informative)
The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.
It's a surprisingly bad design by Google standards. By assigning a forever-good cookie value to each user's account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is that if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have to re-authenticate every time they changed.
Re:Google needs to toss its cookies... (Score:5, Informative)
What I don't like about it is that it doesn't use SSL after you log in.
Re:Google needs to toss its cookies... (Score:5, Informative)
It's not the expiration date on the cookie that's the problem, it's the fact that their database still associates "your cookie" with your account even if there's no authorized cookie in circulation.
Re:Google needs to toss its cookies... (Score:5, Informative)
Re:Google needs to toss its cookies... (Score:3, Funny)
Re:Google needs to toss its cookies... (Score:3, Insightful)
I know that my email travels through routers and ISPs in the clear, but they probably don't know me personally. I'm more worried about my roommates sniffing the traffic coming from my computer to the gateway and reading
Oh my god! (Score:5, Funny)
XSS isn't that big a deal (Score:2)
Re:XSS isn't that big a deal (Score:5, Insightful)
Like when we started treating e-mail as a file transfer protocol, or when documents began to contain executable content, XSS gives an avenue of attack by adding a new and unrequested behavior to something that used to be secure. We need to reduce these channels of exploitation if computers are going to become secure -- especially as we head towards a homogenized environment on the Internet with regards to executable code (.NET/Java).
Re:XSS isn't that big a deal (Score:5, Interesting)
sweet grapes (Score:5, Funny)
Cookie file (Score:2)
I must do my part to help. (Score:5, Funny)
I got it (Score:2)
Can I have that invite now?
Just joking, I already have a Gmail account. As a side note, Gmail is the best free email service I have used.
Re:I got it (Score:5, Funny)
- Anonymous Cookie monster
Re:I must do my part to help. (Score:2, Funny)
Other bugs?? (Score:4, Interesting)
PSA: XSS cookie theft (Score:5, Informative)
Is it really forever? (Score:2)
I've been using the Gmail account for stuff I could afford to lose, since there doesn't seem to be any way to shift it in bulk to my home computer. Now I'm really glad I didn't use it for anything important.
Need more than just the username (Score:5, Informative)
Re:Need more than just the username (Score:5, Insightful)
But that's a minor concern, no one ever uses a public computing terminal to check webmail, or walks away without logging out properly.
Good thing they are still in beta. (Score:5, Funny)
Brings some true professionalism to an industry where companies actually ship/sell products with bugs like this all the time.
Easy Fix: (Score:5, Insightful)
1) Gmail plugs the hole.
2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.
3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.
Of course, if someone already got at your stuff, well, that's bad.
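The static "forever-good" cookie design criticised in "Google needs to toss its cookies..." above and the invalidation steps in this "Easy Fix" post, contrasted side by side in an added example (not code from the thread, from Google, or from any poster). The store classes, the generation counter and the user name "alice" are constructed for illustration.

```python
import hashlib
import secrets

def _h(token):  # store only a hash so a leaked table does not leak live cookies
    return hashlib.sha256(token.encode()).hexdigest()

class StaticCookieStore:
    """The design the thread criticises: one 'forever-good' value per account."""
    def __init__(self):
        self._user_cookie = {}  # user -> token (constructed in-memory table)
    def login(self, user):
        # Same token handed out on every login; it is never rotated.
        return self._user_cookie.setdefault(user, secrets.token_urlsafe(24))
    def change_password(self, user):
        pass  # cookie -> account link survives, so a stolen cookie keeps working
    def user_for(self, cookie):
        for user, tok in self._user_cookie.items():
            if secrets.compare_digest(tok, cookie):
                return user
        return None

class RotatingSessionStore:
    """Fresh token per login, server-side lookup, bulk revocation per user."""
    def __init__(self):
        self._sessions = {}    # sha256(token) -> (user, generation at issue time)
        self._generation = {}  # user -> current generation counter
    def login(self, user):
        tok = secrets.token_urlsafe(24)
        self._sessions[_h(tok)] = (user, self._generation.get(user, 0))
        return tok
    def change_password(self, user):
        # Bumping the generation invalidates every cookie issued before it
        # (the post's "require a different cookie than the old ones" step).
        self._generation[user] = self._generation.get(user, 0) + 1
    def user_for(self, cookie):
        key = _h(cookie)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        user, gen = rec
        if gen != self._generation.get(user, 0):
            del self._sessions[key]  # stale session: force a real login
            return None
        return user

def demo():
    # Replay the thread's scenario: cookie copied via XSS, then password changed.
    results = {}
    for name, store in (("static", StaticCookieStore()), ("rotating", RotatingSessionStore())):
        stolen = store.login("alice")  # the value an attacker obtained
        store.change_password("alice")
        fresh = store.login("alice")
        results[name] = (store.user_for(stolen), store.user_for(fresh), stolen == fresh)
    return results
```

With the static store the stolen value still maps to the account after the password change; with the rotating store it is rejected and only the freshly issued token is accepted.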
Wives (Score:5, Funny)
Not a real problem. (Score:5, Insightful)
overstatement of exposure (Score:3, Insightful)
If you've got ALL THAT INFORMATION already migrated to a BETA service that's been around for ... a handful of months, you're pretty foolish. As far as it goes, I specifically DON'T have anything particularly important going to my gmail account for exactly this reason--it's unproven as of yet. In fact, I had a two week outage, totally unable to use my gmail box, for unknown reasons. After working with the GMail team, it got fixed, but they never told me the actual cause. Yet another reason not to trust BETA software/services with really crucial information.
And before all the 'bots claim I'm bashing google, quite the contrary. I love GMail. But it's like any other BETA product right now--still working out the kinks.
Fixed Perhaps? (Score:4, Interesting)
I wonder if they fixed it. My session just expired and I had to log in again. (My latest two week session ended a couple days ago.)
Gmail just logged me out - a quickfix already? (Score:5, Interesting)
http://gmail.google.com/gmail?_sgh=2f3ab242adin
which I've never seen before.
I think it'll be a long Friday night at the 'Plex.
The Microsoft argument (Score:3, Interesting)
This story talks about this vulnerability in google which allows someone to replace the google page with a simple form telling the user that google is now a subscription service and asking for their credit card details. http://www.theregister.co.uk/2004/10/21/google_desktop_security_vuln/ [theregister.co.uk]
Is closed-source software always going to be insecure because some hacker somewhere has issues with it? I hope not - cos writing closed source software is my bread and butter.
With google's empire growing the way it is, I wonder if it is the next Microsoft? I sincerely hope not!
Re:The Microsoft argument (Score:3, Insightful)
The reason we're getting this deluge of security flaws in google now is simply because people are now looking, they're easy to find, the XSS flaws are trivial (like ignoring you're encode user input
Re:it IS a beta... (Score:2)
I wonder how many people are using this 'beta'?
Re:it IS a beta... (Score:5, Informative)
No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.
Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.
Re:it IS a beta... (Score:5, Insightful)
Re:it IS a beta... (Score:3, Insightful)
Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.
Agreed, maybe Google is laurel resting in the wake of the IPO.
Do you remember web searching prior-Google? I used to take pride in knowing the Hotbot and AltaVista switches (and nand not) but Google's 1998 blew all that away. That level of knowl
Re:it IS a beta... (Score:5, Insightful)
Have you ever seen more than that? Have you seen any advertising (banner or otherwise) for the service? Just how do you contend that Google is marketing it?
And how the hell are you defining "fairly widespread use"? Just how many Gmail accounts do you think there are? 100,000? A million? Well, in comparison, how many Microsoft Hotmail or Yahoo Mail accounts do you think there are out there? I'd be surprised if Gmail had even a hundredth of the user base that its key competitors possess.
Gmail is in beta. Until they say it's not in beta please accept that nothing should be taken for granted. And the fact is that even "shipped" products aren't error free, so either learn to accept that things sometimes go wrong with software or just stop using a PC altogether.
Re:it IS a beta... (Score:5, Informative)
I highly disagree. When I use a product which is in "Beta" I do not expect it to meet the same level of stability/security etc. To do so is ridiculous - anyone who develops software should understand why products of this kind require an extended beta period. It's definitely the best time to make last minute changes, adjustments, and to find problems like this. Finding these problems is the whole point of it being Beta in the first place. Anyone who's using this service for anything important, and then complaining about problems they have (other than as normal beta feedback) is being unreasonable!
From their Terms of Use [google.com]: Their terms of service are very short, and easy to understand (not like most software agreements) and use of gmail is not only FREE, but it's entirely optional. No one's making you use it. People should not have the same level of expectation for this new service as they do of the original search engine, and if they do, that's their own ignorance.
I also highly doubt that this beta period will last that much longer. GMail is becoming popular enough that the bugs and changes should be done soon.
Cheers,
Justin
Re:Now everybody,not just Google,can read your ema (Score:5, Funny)
You know it's not just as simple as you think. I mean I don't care if a few hackers read my email, but what if they decide to use sensitive info in it or delete it.
I run an e-business from Nigeria and earn some money in the process. People email me their bank account numbers, creditcard numbers
Re:cookies are the root of all evil (Score:4, Interesting)
No. Cookies are not the same across sites. Since each site comes up with its own cookie encoding scheme, data sharing becomes difficult (barring schemes like Passport: one reason why Passport in its original form was so creepy). Today, with fine-grained cookie managers (Moz, Opera) you can browse the web pretty privately, at least wrt cookies.
Incidentally, Real once got a lot of flak for incorporating just this feature into RealPlayer; all the privacy arguments made then are true now as well.
Classic cookies are supposed to be opaque keys, but in reality people do use them for storing nonsensitive information, like stylesheet info. Your proposal would increase the hassle these people have to go through.
> but also can give the client state control if not used properly
rm if not used properly can hose your $HOME. A backup script used by a technician at your ISP used improperly can hose your Maildir. Doesn't mean rm or backup scripts are bad.
Btw, if you don't like client-side state, I suggest you get prepared for more unpleasantness: I'm predicting in 2-3 years we'll see the first browsers with more sophisticated client state management that'd allow browsers to work with websites (even app-centric websites like Gmail and Flickr) offline.
Re:cookies are the root of all evil: Addendum 1 (Score:3, Informative)
You gotta get out more. :)
Lots of companies are behind load-balanced proxy servers. To a server, requests for a particular session are coming from a small number of IP addresses of the proxies.