Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
Re:Isn't it... (Score:4, Insightful)
This SHOULD get maximum exposure. Maybe then the heads in Google will jump on this with all their PhDs.
As for not fixing it, I doubt that's an option. Such a monumental failure so start in their public offering will be devastating to them.
Re:Isn't it... (Score:2, Insightful)
(and also look sheepishly at the grammatical screwup in my previous post)
Re:Isn't it... (Score:5, Interesting)
Now, I don't have a problem with that at all. Also, I do agree that in this case, Google has GMail in beta for other reasons too (maybe not even the making money off it part - AdWords has been adapted to GMail, so they might already be making money off of it).
Re:Isn't it... (Score:2, Informative)
Yes - but the key is that you should give the company in question enough time to be able to get a fix out before releasing the issue to the public. I haven't been able to RTFA; however, unless Google has not taken any action after a reasonable timeframe (say a week), posting the issue on Slashdot is not going to solve the problem any faster, and hence is just making
Re:Isn't it... (Score:5, Insightful)
Yes - Google should have the opportunity to fix this appropriately, not racing against the slew of hackers, crackers, and script kiddies that want to exploit it.
No - People should be aware of security risks in the software, hardware, etc. that they use and upon which they rely.
Personally, I prefer to inform the company of vulnerabilities and offer to help fix them. It's helped me land clients and discredit competitors.
Re:Isn't it... (Score:5, Interesting)
In that case, the exploit had been known for a long time. In the interest of protecting the not-so-savvy (read: gullible) users, publicity may get the attention needed for them to do their jobs. Giving them a reasonable chance to respond with their fix. Two years is way more than reasonable.
To play devil's advocate, I'd say that it's not your responsibility to make sure their site is secure. If they want to leave it there, they can - and publicizing it is simply going to hurt those users that you'd seek to protect. It'll end up hurting Google in the end anyway.
Personally, I prefer to do a "good deed" and help make the web a little safer for people like my wife's grandparents.
Re:Isn't it... (Score:2, Informative)
That was mine; that one has since been fixed http://jibbering.com/2004/10/google.html [jibbering.com] - I know of a couple of others though which have yet to go public.
I agree it's Google's responsibility, and some of the flaws that are there aren't the bugs of people who understand the issues - one of the Google Desktop bugs is because a search for <script>alert(1)</script> is written straight into the source of the document unencoded!
That's not a bug of developers who know what they're doing, or have good
Re:Isn't it... (Score:2, Insightful)
Just about every MS security hole that comes out has the exploit code attached. Since Google's not an "evil" company the exploit is kept secret? What is the reason that an operating system security hole is given with code and a beta webmail service exploit isn't?
IIRC: Wasn't Hotmail's exploit also given with a snippet of code/instructions on how to do it? This is the same thing but with a different company.
I'm not trying to say "release the 'sploit" but
Re:Isn't it... (Score:2, Insightful)
In both instances you're harming the user with these exploits (given Hotmail/Gmail's exploits). Also with the OS exploits. The user is harmed. Sure this indirectly harms MS, but you're still exposing the users of the product.
What this amounts to IMHO is that for some reason Gmail users are more precious than Hotmail users, or that Hotmail users deserve to be hacked because they are users of the service. That shows a rather large power trip issue on the part of the
Re:Isn't it... (Score:2)
It's not a power trip per se (I suppose it is in some cases), but a disdain for (for example) Hotmail and Microsoft and the users thereof. You find much the same sort of attitude toward AOL. In the case of Hotmail/Microsoft it's increased by Microsoft's (percie
gmail is free beta, windows is paid and finished? (Score:2)
Code exploits released with MS warnings are just way to get MS to move its lazy fat ass. Talk to the people that have tried to warn MS in the past before going public. After trying for months and months knowing that if the "whitehat" hacker knew then a "blackhat" hacker might also have found out wit
Google needs to toss its cookies... (Score:5, Informative)
The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.
It's a surprisingly bad design by Google standards. By assigning a forever-good cookie value to each user's account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is that if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have to re-authenticate every time they changed.
Re:Google needs to toss its cookies... (Score:5, Informative)
What I don't like about it is that it doesn't use SSL after you log in.
Re:Google needs to toss its cookies... (Score:5, Informative)
It's not the expiration date on the cookie that's the problem, it's the fact that their database still associates "your cookie" with your account even if there's no authorized cookie in circulation.
Re:Google needs to toss its cookies... (Score:2, Insightful)
The hash or whatever that validates the cookie's authenticity should have the IP address and expiry time (from the server's point of view) embedded in it. Why this isn't part of some standard library for a software house like Google makes me wonder...
Re:Google needs to toss its cookies... (Score:2)
One possible approach would be to put the expiry time in the clear in the cookie but also to hash it with the password so that (assuming the hashing algorithm is good) you can only edit the cookie if you know the password. Of course, the easier option would just be to have the session expire on the server, just like every other system under the sun.
You can't use the remote IP address, though, because several ISPs (AOL, for instance) use a pool of HTTP proxy servers to handle HTTP requests for users, so eac
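The scheme the parent proposes (expiry in the clear, bound to the password by a keyed hash), as an added example that is not from the thread or from Google: the MAC key is derived from a constructed server secret plus the user's stored password hash, so a tampered expiry fails, a cookie dies at its expiry, and a password change invalidates every cookie already issued, which is exactly the property the story says was missing. The client IP is deliberately left out for the reason given above; the user store and secret are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side secret; it never appears in the cookie.
SERVER_SECRET = b"example-server-secret-not-for-production"

# Constructed user store. The stored password hash doubles as a "credential
# version": when it changes, the per-user MAC key changes with it.
# (A real system would use a slow password hash such as bcrypt or argon2.)
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest()},
}


def _cookie_key(username):
    """Per-user MAC key = HMAC(server secret, stored password hash)."""
    pw_hash = USERS[username]["pw_hash"].encode()
    return hmac.new(SERVER_SECRET, pw_hash, hashlib.sha256).digest()


def issue_cookie(username, ttl_seconds, now=None):
    """Build 'user|expiry|mac'. Expiry is readable; the MAC binds it."""
    now = time.time() if now is None else now
    expiry = int(now + ttl_seconds)
    payload = f"{username}|{expiry}".encode()
    mac = hmac.new(_cookie_key(username), payload, hashlib.sha256).hexdigest()
    return f"{username}|{expiry}|{mac}"


def validate_cookie(cookie, now=None):
    """Return the username for a genuine, unexpired cookie, else None."""
    now = time.time() if now is None else now
    try:
        username, expiry_str, mac = cookie.split("|")
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed: wrong field count or non-numeric expiry
    if username not in USERS:
        return None
    payload = f"{username}|{expiry}".encode()
    expected = hmac.new(_cookie_key(username), payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or edited (constant-time comparison)
    if now >= expiry:
        return None  # expired; the expiry field cannot be bumped without the key
    return username


def change_password(username, new_password):
    """Re-key the user; every cookie issued under the old key now fails."""
    USERS[username]["pw_hash"] = hashlib.sha256(new_password.encode()).hexdigest()


if __name__ == "__main__":
    c = issue_cookie("alice", 3600, now=1_000_000)
    print("fresh cookie ->", validate_cookie(c, now=1_000_010))
    change_password("alice", "new pass")
    print("after password change ->", validate_cookie(c, now=1_000_010))
```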
Re:Google needs to toss its cookies... (Score:3, Insightful)
I know that my email travels through routers and ISPs in the clear, but they probably don't know me personally. I'm more worried about my roommates sniffing the traffic coming from my computer to the gateway and reading
Re:XSS isn't that big a deal (Score:5, Insightful)
Like when we started treating e-mail as a file transfer protocol, or when documents began to contain executable content, XSS gives an avenue of attack by adding a new and unrequested behavior to something that used to be secure. We need to reduce these channels of exploitation if computers are going to become secure -- especially as we head towards a homogenized environment on the Internet with regards to executable code (.NET/Java).
Re:XSS isn't that big a deal (Score:2)
Your other examples are wrong, too.
Well no. (Score:2)
Yes, in an ideal world all browsers would be 100% safe, but they are not. Cookies being stolen is, sadly it seems, a problem that can't be fixed. So GUARD against it. Google should know better. There are a lot of tricks you can use to make certain that a cookie is indeed
I got it (Score:2)
Can I have that invite now?
Just joking, I already have a Gmail account; as a side note, Gmail is the best free email service I have used.
Re:I must do my part to help. (Score:2, Offtopic)
No IPods or the like though. Nyer.
Is it really forever? (Score:2)
I've been using the Gmail account for stuff I could afford to lose, since there doesn't seem to be any way to shift it in bulk to my home computer. Now I'm really glad I didn't use it for anything important.
Re:Is it really forever? (Score:2)
Works great for me.
Re:Need more than just the username (Score:5, Insightful)
But that's a minor concern, no one ever uses a public computing terminal to check webmail, or walks away without logging out properly.
Good thing they are still in beta. (Score:5, Funny)
Brings some true professionalism to an industry where companies actually ship/sell products with bugs like this all the time.
Easy Fix: (Score:5, Insightful)
1) Gmail plugs the hole.
2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.
3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.
Of course, if someone already got at your stuff, well, that's bad.
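The three-step fix above, together with the per-logon cookie rotation the "toss its cookies" comment asks for, as an added Python example (not Google's design and not from the thread): the cookie is an opaque random value that only means something in the server's session table, so the server can refuse every cookie issued before the hole was plugged, and drop all of a user's sessions when the password changes. Class and method names are the example's own.

```python
import secrets
import time


class SessionStore:
    """Server-side session table: cookie value -> (username, issued_at).

    The cookie carries no meaning on its own; the server decides what it is
    worth and can withdraw that trust at any time.
    """

    def __init__(self):
        self._sessions = {}
        # Step 2 of the fix: sessions issued before this instant are refused.
        self._not_before = 0.0

    def login(self, username, now=None):
        """Issue a fresh random value on every login; values are never reused."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._sessions[token] = (username, now)
        return token

    def validate(self, token, now=None):
        """Return the user for a live session, or None to force a re-login."""
        entry = self._sessions.get(token)
        if entry is None:
            return None  # step 3: unknown or counterfeit cookie
        username, issued_at = entry
        if issued_at < self._not_before:
            # Issued while the hole was open: drop it so it can't be replayed.
            del self._sessions[token]
            return None
        return username

    def invalidate_issued_before(self, cutoff):
        """Step 2: after plugging the hole, distrust every earlier cookie."""
        self._not_before = cutoff

    def revoke_user_sessions(self, username):
        """Called on password change: a stolen cookie stops working at once."""
        stale = [t for t, (u, _) in self._sessions.items() if u == username]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def live_sessions(self):
        """Number of sessions still held (for monitoring the cleanup)."""
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    old = store.login("alice", now=100.0)
    store.invalidate_issued_before(200.0)  # hole plugged at t=200
    print("pre-fix cookie accepted?", store.validate(old, now=201.0))
    new = store.login("alice", now=250.0)
    print("post-fix cookie accepted?", store.validate(new, now=251.0))
```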
Well this would have been.. (Score:2, Interesting)
had to tell people to revert to my old e-mail, since invariably I cannot open it.
Crossing my fingers, these issues will be solved in beta.
Re:Not a real problem. (Score:2, Insightful)
The thousands of people using Gmail don't care that it has a little tiny word "beta" at the top. They've got mail in there that probably shouldn't be seen by other people. (Personal communications, private chats, possibly much more.)
It IS a real problem for anyone who doesn't want their email being read by others.
overstatement of exposure (Score:3, Insightful)
If you've got ALL THAT INFORMATION already migrated to a BETA service that's been around for ... a handful of months, you're pretty foolish. As far as it goes, I specifically DON'T have anything particularly important going to my gmail account for exactly this reason--it's unproven as of yet. In fact, I had a two week outage, totally unable to use my gmail box, for unknown reasons. After working with the GMail team, it got fixed, but they never told me the actual cause. Yet another reason not to trust BETA software/services with really crucial information.
And before all the 'bots claim I'm bashing google, quite the contrary. I love GMail. But it's like any other BETA product right now--still working out the kinks.
Fixed Perhaps? (Score:4, Interesting)
I wonder if they fixed it. My session just expired and I had to log in again. (My latest two week session ended a couple days ago.)
Gmail just logged me out - a quickfix already? (Score:5, Interesting)
http://gmail.google.com/gmail?_sgh=2f3ab242adin
which I've never seen before.
I think it'll be a long Friday night at the 'Plex.
The Microsoft argument (Score:3, Interesting)
This story talks about this vulnerability in Google which allows someone to replace the Google page with a simple form telling the user that Google is now a subscription service and asking for their credit card details. http://www.theregister.co.uk/2004/10/21/google_desktop_security_vuln/ [theregister.co.uk]
Is closed-source software always going to be insecure because some hacker somewhere has issues with it? I hope not - cos writing closed source software is my bread and butter.
With google's empire growing the way it is, I wonder if it is the next Microsoft? I sincerely hope not!
Re:The Microsoft argument (Score:3, Insightful)
The reason we're getting this deluge of security flaws in google now is simply because people are now looking, they're easy to find, the XSS flaws are trivial (like ignoring you're encode user input
Re:it IS a beta... (Score:2)
I wonder how many people are using this 'beta'?
Re:it IS a beta... (Score:5, Informative)
No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.
Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.
Re:it IS a beta... (Score:2)
By GUI, I meant GUI usability. Again, can be tested inhouse with a limited number of users, but you need to let it loose with a wide range of regular civilians.
Functionality = "Hey, wouldn't it be neat if it did X". "ok...we'll see"
But again, cookie/security issues such as this should never have made it past alpha.
Re:it IS a beta... (Score:2)
It is illogical to do bugtesting first and add features afterwards. Each and every feature could potentially cause security problems.
That's why you add features in alpha stage, and do the bugtesting at beta stage. That's why it's called "beta testing"...
Of course, it's perfectly okay to add a feature, bugtest it, add another feature, bugtest it an
Re:it IS a beta... (Score:3, Insightful)
Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.
Agreed, maybe Google is laurel resting in the wake of the IPO.
Do you remember web searching prior-Google? I used to take pride in knowing the Hotbot and AltaVista switches (and nand not) but Google's 1998 blew all that away. That level of knowl
Re:it IS a beta... (Score:5, Insightful)
Have you ever seen more than that? Have you seen any advertising (banner or otherwise) for the service? Just how do you contend that Google is marketing it?
And how the hell are you defining "fairly widespread use"? Just how many Gmail accounts do you think there are? 100,000? A million? Well, in comparison, how many Microsoft Hotmail or Yahoo Mail accounts do you think there are out there? I'd be surprised if Gmail had even a hundredth of the user base that its key competitors possess.
Gmail is in beta. Until they say it's not in beta please accept that nothing should be taken for granted. And the fact is that even "shipped" products aren't error free, so either learn to accept that things sometimes go wrong with software or just stop using a PC altogether.
Re:it IS a beta... (Score:5, Informative)
I highly disagree. When I use a product which is in "Beta" I do not expect it to meet the same level of stability/security etc. To do so is ridiculous - anyone who develops software should understand why products of this kind require an extended beta period. It's definitely the best time to make last minute changes, adjustments, and to find problems like this. Finding these problems is the whole point of it being Beta in the first place. Anyone who's using this service for anything important, and then complaining about problems they have (other than as normal beta feedback) is being unreasonable!
From their Terms of Use [google.com]: Their terms of service are very short, and easy to understand (not like most software agreements) and use of gmail is not only FREE, but it's entirely optional. No one's making you use it. People should not have the same level of expectation for this new service as they do of the original search engine, and if they do, that's their own ignorance.
I also highly doubt that this beta period will last that much longer. GMail is becoming popular enough that the bugs and changes should be done soon.
Cheers,
Justin
Of course it is. (Score:2)
But you said it was public!!!
I guess I'll just have to hope that somebody gives me a private invitation so that I can become a beta-tester.
Re:Now everybody,not just Google,can read your ema (Score:5, Funny)
You know it's not just as simple as you think. I mean I don't care if a few hackers read my email, but what if they decide to use sensitive info in it or delete it.
I run an e-business from Nigeria and earn some money in the process. People email me their bank account numbers, creditcard numbers
Re:Hmmm.... (Score:2, Insightful)
Please put your fucking "free stuff" spam in your sig, so those of us who turn sig display off to avoid having to read "free stuff" spam don't have to read it. Thank you.
Re:Hmmm.... (Score:2)
(see sig.)
also, you're an idiot. just so you know.
Re:cookies are the root of all evil (Score:2)
With a machine-unique ID, in order to get around it as a unique identifier, you have to fight against what your own software is doing (i.e. trick it into sending a different ID). So that makes it so that people who aren't previously aware of the issue won't even know that they CAN disable it. It takes securing your pr
Re:cookies are the root of all evil (Score:4, Interesting)
No. Cookies are not the same across sites. Since each site comes up with its own cookie encoding scheme, data sharing becomes difficult (barring schemes like Passport: one reason why Passport in its original form was so creepy). Today, with fine-grained cookie managers (Moz, Opera) you can browse the web pretty privately, at least wrt cookies.
Incidentally, Real once got a lot of flak for incorporating just this feature into Realplayer, all the privacy arguments made then are true now as well.
Classic cookies are supposed to be opaque keys, but in reality people do use them for storing nonsensitive information, like stylesheet info. Your proposal would increase the hassle these people have to go through.
> but also can give the client state control if not used properly
rm if not used properly can hose your $HOME. A backup script used by a technician at your ISP used improperly can hose your Maildir. Doesn't mean rm or backup scripts are bad.
Btw, if you don't like client-side state, I suggest you get prepared for more unpleasantness: I'm predicting in 2-3 years we'll see the first browsers with more sophisticated client state management that'd allow browsers to work with websites (even app-centric websites like Gmail and Flickr) offline.
Re:cookies are the root of all evil: Addendum 1 (Score:2)
Actually, I've read about it here on Slashdot, so take it with a grain of salt.
Re:cookies are the root of all evil: Addendum 1 (Score:3, Informative)
You gotta get out more. :)
Lots of companies are behind load-balanced proxy servers. To a server, requests for a particular session are coming from a small number of IP addresses of the proxies.
Re:MOD PARENT IDIOT (Score:2, Insightful)
This technique has been in use at several moderate (> 50k users/mo) traffic sites I've worked on with no problems and no complaints for several years. And, state control is completely server side.
If you like cookies, off you go. I'll choose the more secure solution for now.
Re:OS wars! (Score:2)
Hey! Keep IIS out of this!