Gmail Accounts Vulnerable to XSS Exploit 232
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
Google needs to toss its cookies... (Score:5, Informative)
The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.
It's a surprisingly bad design by Google standards. By assigning an forever-good cookie value each users account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have re-authenticate every time they changed.
Re:Google needs to toss its cookies... (Score:5, Informative)
What I don't like about it is that it doesn't use SSL after you log in.
Re:Isn't it... (Score:4, Informative)
Re:Google needs to toss its cookies... (Score:5, Informative)
It's not the experation date on the cookie that's the problem, it's the fact that their database still assocates "your cookie" with your account even if there's no authorized cookie in circulation.
PSA: XSS cookie theft (Score:5, Informative)
Re:Isn't it... (Score:2, Informative)
Yes - but the key is that you should give the company in question enough time to be able to get a fix out before releasing the issue to the public. I haven't been able to RTFA however unless Google have not taken any action after a reasonable timeframe (say a week) posting the issue on slashdot is not going to solve the problem any faster, and hence is just making more kiddies aware of this.
Keeping an issue you discovered 'secret' for a reasonable timeframe is the much more sensible option, you only need to go public if the issue is not fixed promptly.
Need more than just the username (Score:5, Informative)
Re:Google needs to toss its cookies... (Score:5, Informative)
Re:it IS a beta... (Score:5, Informative)
No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.
Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.
Comment removed (Score:2, Informative)
Re:Other bugs?? (Score:1, Informative)
http://www.networksecurityarchive.org/html/FullDi
Re:it IS a beta... (Score:5, Informative)
I highly disagree. When I use a product which is in "Beta" I do not expect it to meet the same level of stability/security etc. To do so is rediculous - anyone who develops software should understand why products of this kind require an extended beta period. It's definitely the best time to make last minute changes, adjustments, and to find problems like this. Finding these problems is the whole point of it being Beta in the first place. Anyone who's using this service for anything important, and then complaining about problems they have (other than as normal beta feedback) is being unreasonable!
From their Terms of Use [google.com]: Their terms of service are very short, and easy to understand (not like most software agreements) and use of gmail is not only FREE, but it's entirely optional. No one's making you use it. People should not have the same level of expectation for this new service as they do of the original search engine, and if they, that's their own ignorance.
I also highly doubt that this beta period will last that much longer. GMail is becoming popular enough that the bugs and changes should be done soon.
Cheers,
Justin
Re:Isn't it... (Score:2, Informative)
That was mine, that one has since been fixed http://jibbering.com/2004/10/google.html [jibbering.com] -I know of a couple of others though which have yet to go public.
I agree it's googles responsibility, and some of the flaws that are th ere aren't the bugs of people who understand the issues - one of the google desktop bugs is because a search for <script>alert(1)</script> is written straight into the source of the document unencoded!
That's not a bug of developers who know what they're doing, or have good security procedures in place. I think they need a lot of publicity so like MS can start getting a real culture of security in.
Re:cookies are the root of all evil: Addendum 1 (Score:3, Informative)
You gotta get out more. :)
Lots of companies are behind load-balanced proxy servers. To a server, requests for a particular session are coming from a small number of IP addresses of the proxies.