Gmail Accounts Vulnerable to XSS Exploit

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."

Oh no!

My google stock. My poor google stock!

Isn't it...

just a bit irresponsible to be coming out with this before Google has had a chance to fix it?

Re:Isn't it...

No. Certainly not. People should be made aware of security issues. Especially for free services like this, where people have no guarantee they will ever be addressed.

Re:Isn't it...

Its not like a local exploit where we can stop using it, or update ourselves.

This SHOULD get maximum exposure. Maybe then the heads in google will jump on this with all their PHDs.

As for not fixing it, I doubt thats an option. Such a monumental failure so start in their public offering will be devistating to them.

Re:Isn't it...

I guess they weren't kidding when they said it's still in beta...

Re:Isn't it...

Actually, those aren't the primary reasons. A Google app can be perfectly stable, and still be in beta, because "beta" for Google means looking for a way to make money off of it.

Now, I don't have a problem with that at all. Also, I do agree that in this case, Google has GMail in beta for other reasons too (maybe not even the making money off it part - AdWords has been adapted to GMail, so they might already be making money off of it).

Re:Isn't it...

Some might agree... others would say that if that was the case, Microsoft (and others) would never fix security holes if they are not known.

Re:Isn't it...

Yes and no.

Yes - Google should have the opportunity to fix this appropriately, not racing against the slew of hackers, crackers, and script kiddies that want to exploit it.

No - People should aware of security risks in the software, hardware, etc. that they use and upon which they rely.

Personally, I prefer to inform the company of vulnerabilities and offer to help fix them. It's helped me land clients and discredit competitors.

Re:Isn't it...

I did see an XSS proof-of-concept exploit (maybe yours) where the hacker imitated a Google page asking the user to pay for Google use. It was quite convincing.

In that case, the exploit had been known for a long time. In the interest of protecting the not-so-savvy (read: gullible) users, publicity may get the attention needed for them to do their jobs. Giving them a reasonable chance to respond with their fix. Two years is way more than reasonable.

To play devil's advocate, I'd say that it's not your responsibility to make sure their site is secure. If they want to leave it there, they can - and publicizing it is simply going to hurt those users that you'd seek to protect. It'll end up hurting Google in the end anyway.

Personally, I prefer to do a "good deed" and help make the web a little safer for people like my wife's grandparents.

Google needs to toss its cookies...

The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.

The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.

It's a surprisingly bad design by Google standards. By assigning an forever-good cookie value each users account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have re-authenticate every time they changed.

Re:Google needs to toss its cookies...

I don't believe they use a forever cookie, they use a cookie that's invalidated after you log out OR (optionally) a 2 week cookie.

What I don't like about it is that it doesn't use SSL after you log in.

Re:Google needs to toss its cookies...

The cookie file gets invalidated... but the problem is if you log back in, instead of getting a new value in your new cookie, apparently you get the same old value again. And worse yet, even if you don't log in again, bringing back that old cookie from the dead is all that's needed to log in.

It's not the experation date on the cookie that's the problem, it's the fact that their database still assocates "your cookie" with your account even if there's no authorized cookie in circulation.

Re:Google needs to toss its cookies...

What I don't like about it is that it doesn't use SSL after you log in.

Actaully if you enter "https://gmail.google.com/gmail" in the location bar of your favorite browser you will continue to use a SSL secured connetion after for the duration of your session.

Oh my god!

Maybe some hacker will make a program to break into every gmail account, read their mail, and send them ads about what people are talking about in mails!!!

XSS isn't that big a deal

Cross site scripting should not be considered a vulnerability.

Re:XSS isn't that big a deal

Well, the problem is that we're looking at each individual XSS exploit as a vulnerability when we should be looking at XSS itself as an unwholesome feature in general.

Like when we started treating e-mail as a file transfer protocol, or when documents began to contain executable content, XSS gives an avenue of attack by adding a new and unrequested behavior to something that used to be secure. We need to reduce these channels of exploitation if computers are going to become secure -- especially as we head towards a homogenized environment on the Internet with regards to executable code (.NET/Java).

Re:XSS isn't that big a deal

XSS is not the real problem here. The real problem is that the cookie can be used to authenticate an account. If you get a copy of the cookie and take it to another machine, you could log on using that cookie, even after the cookie has expired. This is a poor design, and XSS is just one way to exploit this. Another would be to simply copy Mozilla's cookies.txt file, or whatever browser you use. Or to sniff out the cookie over the network and use it from then on.

sweet grapes

I waited so long to get a Gmail account, I don't care if it sucks now... I also like Doom3...

Cookie file

So isn't the real issue that there are bugs that allow your cookie file to be exposed? Shouldn't those be considered critical security bugs regardless of what Google does?

I must do my part to help.

The first person to fix the exploit will get a FREE GMAIL INVITE!

Re:I got it

Yeah, I agree. Your gmail account is the best mail I've ever used.

- Anonymous Cookie monster

Danger, Will Robinson

Holy $!@#)( this is bad news. Let's hope the Google people resolve this very, very quickly.. or I'm switching e-mail providers (yet again).

Other bugs??

Did anybody else notice when they were coming up with unique login names when they first set up their gmail account that oftentimes the "Blahblah@gmail.com is taken" message would often be some other email address somebody else was trying? I mean, if you tried "johndoe@gmail.com" and it was taken, sometimes it would respond with "joeschmoe1234@gmail.com is already taken, try again".

PSA: XSS cookie theft

Never heard of XSS until now (like me)? Here is one summary one summary [cgisecurity.com] of what the cookie theft looks like.

it IS a beta...

As the article points out, it's a good thing that this was found before Gmail went into "official" release. I think it's great that Google *admits* that the product is still in beta, instead of releasing it as is and pretending that it's a polished product.

Anybody who uses a beta product for critical email shouldn't be entirely surprised when they run into trouble...

Re:it IS a beta...

Beta should be reserved for functionality, GUI, and interoperability issues.

No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.

Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.

Re:it IS a beta...

Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.

Re:it IS a beta...

Care to explain what marketing plan for Gmail you've seen? So far, Google has issued a couple of press releases - announcing its intention to offer email services, etc - but nothing more than that, and it's made it repeatedly clear that the service is in beta.

Have you ever seen more than that? Have you seen any advertising (banner or otherwise) for the service? Just how do you contend that Google is marketing it?

And how the hell are you defining "fairly widespread use"? Just how many Gmail accounts do you think there are? 100,000? A million? Well, in comparison, how many Microsoft Hotmail or Yahoo Mail accounts do you think there are out there? I'd be surprised if Gmail had even a hundredth of the user base that its key competitors possess.

Gmail is in beta. Until they say it's not in beta please accept that nothing should be taken for granted. And the fact is that even "shipped" products aren't error free, so either learn to accept that things sometimes go wrong with software or just stop using a PC altogether.

Re:it IS a beta...

Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.

I highly disagree. When I use a product which is in "Beta" I do not expect it to meet the same level of stability/security etc. To do so is rediculous - anyone who develops software should understand why products of this kind require an extended beta period. It's definitely the best time to make last minute changes, adjustments, and to find problems like this. Finding these problems is the whole point of it being Beta in the first place. Anyone who's using this service for anything important, and then complaining about problems they have (other than as normal beta feedback) is being unreasonable!

From their Terms of Use [google.com]:

you understand and agree that the Service is provided on an AS IS and AS AVAILABLE basis.

Their terms of service are very short, and easy to understand (not like most software agreements) and use of gmail is not only FREE, but it's entirely optional. No one's making you use it. People should not have the same level of expectation for this new service as they do of the original search engine, and if they, that's their own ignorance.

I also highly doubt that this beta period will last that much longer. GMail is becoming popular enough that the bugs and changes should be done soon.

Cheers,
Justin

Is it really forever?

The Nana article says that it works by stealing your cookies, so I don't think the problem should last longer than two weeks, since that's how long the Gmail cookies are supposed to be good for.

I've been using the Gmail account for stuff I could afford to lose, since there doesn't seem to be any way to shift it in bulk to my home computer. Now I'm really glad I didn't use it for anything important.

Need more than just the username

I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.

Re:Need more than just the username

you need to actually trick the user into giving you their GMail cookie by phishing. ...or by grabbing the cookies left behind by previous users off a public terminal.

But that's a minor concern, no one ever uses a public computing terminal to check webmail, or walks away without logging out properly.

Good thing they are still in beta.

They caught this problem in beta, just as should be done! Bravo!

Brings some true professionalisim to an industry where companies actually ship/sell products with bugs like this all the time.

Easy Fix:

1) Gmail plugs the hole.

2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.

3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.

Of course, if someone already got at your stuff, well, that's bad.

That sound you hear....

We forgive you google, we wuv google, googie does no wrong, WE FORGIVE U GOOGIE!!!

Nana? Anan?

No no no, they got it all backwards!

(I bet they meant liamG to be vulnerable)

Wives

Time to read our wives e-mail to see if they are cheating or something.

Well this would have been..

news to me, if I could access the damn accounts.

had to tell people to revert to my old e-mail, since invariably I cannot open it.

Crossing my fingers, these issues will be solved in beta.

Not a real problem.

No worries! Remember it is still a beta. It is not like anyone will use this for a serious purpose.

overstatement of exposure

"Because Gmail offers a gigabyte of storage, several times bigger than most other web based mail services, users hardly delete any old correspondence", says Goldshlagger. "The result is a huge amount of mail accumulating in the users' boxes, which frequently include bank notices, passwords, private documents and other files the user wanted to backup. Who ever takes a hold of this data, could literally take over the victim's life and identity".

If you've got ALL THAT INFORMATION already migrated to a BETA service that's been around for ... a handful of months, you're pretty foolish. As far as it goes, I specifically DON'T have anything particularly importang going to my gmail account for exactly this reason--it's unproven as of yet. In fact, I had a two week outage, totally unable to use my gmail box, for uknown reasons. After working with the GMail team, it got fixed, but they never told me the actual cause. Yet another reason not to trust BETA software/services with really crucial information.

And before all the 'bots claim I'm bashing google, quite the contrary. I love GMail. But it's like any other BETA product right now--still working out the kinks.

profile of the guy who did it

is apparently available here [pbskids.org]

Um, access to the cookie?

Um, isn't it true that the hacker would need to be able to get the cookie off the luser's workstation first? Anybody ever heard of a client firewall?

Fixed Perhaps?

I wonder if they fixed it. My session was just expired and I had to login in again. (My latest two week session ended a couple days ago.)

gmail invites to give...

is there anyone still interested ?

Gmail just logged me out - a quickfix already?

I was using the "don't ask my password for two weeks" feature - Gmail just logged me out although the two weeks aren't up, and after logging in again I had a session ID tacked on to the URL like this:

http://gmail.google.com/gmail?_sgh=2f3ab242adinf in itum

which I've never seen before.

I think it'll be a long Friday night at the 'Plex.

Perhaps it's time...

...for Google to start hiring some computer security geeks in addition to the math geeks they've been so aggressively pursuing. Last week is was Google Toolbar that was found to be hole-ridden. This week it's gmail.

The Microsoft argument

I know this group loves to hate Microsoft, but this story rings a bell in my head about the argument Microsoft always gives about its vulnerabilities being discovered the most cos hackers are more interested in finding them. With google having acquired a close to God status with its amazingly engineered products, those same hackers are now targetting its holes (pun intended).

This story talks about this vulnerability in google which allows somone to replace the google page with a simple form telling the user that google is now a subscription service and asking for their credit card details. http://www.theregister.co.uk/2004/10/21/google_des ktop_security_vuln/ [theregister.co.uk]

Is closed-source software always going to be insecure because some hacker somewhere has issues with it? I hope not - cos writing closed source software is my bread and butter.

With google's empire growing the way it is, I wonder if it is the next Microsoft? I sincerely hope not!

If the hackers access my account...

Could you guys at least have the courtesy of deleting all of those ads for mortgage applications? I'm sick of doing it myself.

I'm doing my part...

I sent an email to myself @gmail welcoming any hackers who may be interested in my account!

Gmail down now

Now Gmail is down. anyone got a reason?

Re:doh

Sorry, google only allows usernames with 6 characters or more.

Please enter a longer name, or choose from the following selection:

Dodiddleyoh@gmail.com
Dangdiddleydoh@gmail.com
ArghhhhDoh@gmail.com

Re:cookies are the root of all evil: Addendum 1

Context ID's of course have to be validated so they're invalidated if used from an IP other then the one they were created for.

Re:Why is this news?

Just a handful? Check again pal. Every week or so, I get six more invites to hand out and do so diligently. I've done this many many times. I know dozens of other people who do the same. Initially, a handful of people got accounts 0- probably several thousand... then they invites six buddies (or five buddies and made a spam account for themselves). Those five or six buddies invited five or six of their own... etc. etc. etc. I don't know hard figures, but there are very likely tens if not hundreds of thousands of GMail users, possibly more.

Re:Now everybody,not just Google,can read your ema

what's the difference if a few Hackers get a hold of your account?

You know its not just as simple as you think. I mean I dont care if a few hackers read my email, but what if they decide to use sensitive info in it or delete it.

I run an e-business from Nigeria and earn some money in the process. People email me their bank account numbers, creditcard numbers ,SSNs and what not (I am creative). Now if some immoral hacker got hold of that data , the poor users would be duped twice, and I would feel really bad abt it (I mean I could have got twice the money myself if I wanted). So I request Gmail to help the Nigerian revolution and our fight against AIDS and dictators and fix the bug as soon as possible.

ermm.. reputation can either be gained..

through..

One : Good PR
Two : "Branding"
Three : User Satisfaction

Which one GOOG use?

Re:MOD PARENT IDIOT

Ummm- no it's not. Once more, for the cheap seats- The context ID is only valid from the IP address it was created for and within a certain window of time since last reference.

Re:cookies are the root of all evil

If browsers would just generate a GUID during installation and then have that be part of the HTTP stream there'd be no reason for cookies at all.

So, instead of cookies which I can erase or disable, you want my browser to generate one unique ID (based, in most implementations, on my MAC address) at install time that'd work across sites and send it to servers automatically? Love the privacy implications of that.

Re:cookies are the root of all evil

> Cookies compromise privacy in the same way,

No. Cookies are not the same across sites. Since each site comes up with its own cookie encoding scheme, data sharing becomes difficult (barring schemes like Passport: one reason why Passport in its original form was so creepy). Today, with fine-grained cookie managers (Moz, Opera) you can browse the web pretty privately, at least wrt cookies.

Incidentally, Real once got a lot of flak for incorporating just this feature into Realplayer, all the privacy arguments made then are true now as well.

Classic cookies are supposed to be opaque keys, but in reality people do use them for storing nonsensitive information, like stylesheet info. Your proposal would increase the hassle these people have to go through.

> but also can give the client state control if not used properly

rm if not used properly can hose your $HOME. A backup script used by a technician at your ISP used improperly can hose your Maildir. Doesn't mean rm or backup scripts are bad.

Btw, if you don't like client-side state, I suggest you get prepared for more unpleasantness: I'm predicting in 2-3 years we'll see the first browsers with more sophisticated client state management that'd allow browsers to work with websites (even app-centric websites like Gmail and Flickr) offline.

Re:Now everybody,not just Google,can read your ema

Troll? While I didn't necisarily think the parent post would be moded up, I certainly don't think it deserved a -1! Sigh, out of my hands...I certainly didn't mean to be a troll. I do think that it is legitimate to point out that email is plaintext and that GMail accounts are, in certain ways, already compromised. Seems people are very protective about their GMail...

Re:Hmmm....

Free Flat Screen HERE!

Please put your fucking "free stuff" spam in your sig, so those of us who turn sig display off to avoid having to read "free stuff" spam don't have to read it. Thank you.

Re:OS wars!

Yeah, the authentication scheme for a web service is always integrated into the OS.

Re:Hmmm....

> Free flat Screen HERE!

SPAM in slashdot posts are rude.

Re:Hmmm....

MOD PARENT -1, DESERVES TO BE BITCHSLAP.PL'D FOR SPAMMING SLASHDOT.
(see sig.)
also, you're an idiot. just so you know.