
Gmail Accounts Vulnerable to XSS Exploit

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
  • by LostCluster ( 625375 ) * on Friday October 29, 2004 @05:29PM (#10667713)
    The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.

    The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.

    It's a surprisingly bad design by Google standards. By assigning a forever-good cookie value to each user's account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have to re-authenticate every time they changed.
  • by ArbitraryConstant ( 763964 ) on Friday October 29, 2004 @05:31PM (#10667733) Homepage
    I don't believe they use a forever cookie, they use a cookie that's invalidated after you log out OR (optionally) a 2 week cookie.

    What I don't like about it is that it doesn't use SSL after you log in.
  • Re:Isn't it... (Score:4, Informative)

    by DaHat ( 247651 ) on Friday October 29, 2004 @05:34PM (#10667764)
    Some might agree... others would say that if that was the case, Microsoft (and others) would never fix security holes if they are not known.
  • by LostCluster ( 625375 ) * on Friday October 29, 2004 @05:34PM (#10667767)
    The cookie file gets invalidated... but the problem is if you log back in, instead of getting a new value in your new cookie, apparently you get the same old value again. And worse yet, even if you don't log in again, bringing back that old cookie from the dead is all that's needed to log in.

    It's not the expiration date on the cookie that's the problem, it's the fact that their database still associates "your cookie" with your account even if there's no authorized cookie in circulation.
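    The two LostCluster comments above describe the failure mode (a cookie value that stays bound to the account after logout and after a password change) and the traditional fix (a fresh value per logon). The following is an added illustration of that server-side design, written for this thread and not Google's code: the `SessionStore` class, the `GSID` cookie name and the account names are all hypothetical, and the password-generation counter is the mechanism used here to make a password change kill every earlier session.

```python
"""Session handling that avoids the 'forever-good cookie' problem.

Added example for the thread; all class, cookie and account names are hypothetical.
"""
import secrets
import time


class SessionStore:
    """Maps random session ids to accounts; the cookie carries only the id."""

    def __init__(self, ttl_seconds=14 * 24 * 3600):
        self.ttl = ttl_seconds
        # session_id -> (username, password_generation, expires_at)
        self._sessions = {}
        # username -> int, bumped on every password change
        self._pw_generation = {}

    def login(self, username, now=None):
        """Issue a fresh, unguessable id on every login.

        Because the id is new each time, an id that leaked from an earlier
        session never 'comes back from the dead' when the user logs in again.
        """
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        gen = self._pw_generation.setdefault(username, 0)
        self._sessions[sid] = (username, gen, now + self.ttl)
        return sid

    def logout(self, sid):
        """Forget the id server side; presenting the same cookie later proves nothing."""
        self._sessions.pop(sid, None)

    def change_password(self, username):
        """Bump the generation so every session issued before the change is rejected."""
        self._pw_generation[username] = self._pw_generation.get(username, 0) + 1

    def authenticate(self, sid, now=None):
        """Return the username if the cookie value is a live session, else None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, gen, expires_at = entry
        if now >= expires_at or gen != self._pw_generation.get(username, 0):
            self._sessions.pop(sid, None)  # stale: drop it so it cannot be retried
            return None
        return username


def set_cookie_header(sid):
    """Build the header that hands the id to the browser (cookie name is hypothetical).

    Secure: only sent over TLS, which addresses the 'no SSL after login' complaint.
    HttpOnly: not readable from page script, so a reflected XSS cannot simply read
    document.cookie and send it away.
    """
    return f"Set-Cookie: GSID={sid}; Path=/; Secure; HttpOnly"


def demo():
    """Walk through the scenario from the thread with a constructed account."""
    store = SessionStore()
    stolen = store.login("alice")              # value an attacker copies via XSS
    assert store.authenticate(stolen) == "alice"
    store.logout(stolen)
    reused = store.authenticate(stolen)        # replaying the old cookie fails
    second = store.login("alice")              # new login gets a new value
    store.change_password("alice")
    after_change = store.authenticate(second)  # pre-change sessions die too
    return stolen != second, reused, after_change


if __name__ == "__main__":
    print(demo())  # (True, None, None)
    print(set_cookie_header("example-id"))
```

    The point of `demo()` is the three checks the thread says Gmail failed: a logged-out cookie is rejected, a new login does not reissue the old value, and a password change invalidates sessions that predate it.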
  • by whovian ( 107062 ) on Friday October 29, 2004 @05:37PM (#10667793)
    Never heard of XSS until now (like me)? Here is one summary [cgisecurity.com] of what the cookie theft looks like.
  • Re:Isn't it... (Score:2, Informative)

    by a16 ( 783096 ) on Friday October 29, 2004 @05:39PM (#10667806)
    Some might agree... others would say that if that was the case, Microsoft (and others) would never fix security holes if they are not known.

    Yes - but the key is that you should give the company in question enough time to be able to get a fix out before releasing the issue to the public. I haven't been able to RTFA; however, unless Google have not taken any action after a reasonable timeframe (say a week), posting the issue on slashdot is not going to solve the problem any faster, and hence is just making more kiddies aware of this.

    Keeping an issue you discovered 'secret' for a reasonable timeframe is the much more sensible option; you only need to go public if the issue is not fixed promptly.
  • by Dominic_Mazzoni ( 125164 ) on Friday October 29, 2004 @05:40PM (#10667818) Homepage
    I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.
  • by kinema ( 630983 ) on Friday October 29, 2004 @05:45PM (#10667864)
    What I don't like about it is that it doesn't use SSL after you log in.
    Actually if you enter "https://gmail.google.com/gmail" in the location bar of your favorite browser you will continue to use an SSL secured connection for the duration of your session.
  • Re:it IS a beta... (Score:5, Informative)

    by RetroGeek ( 206522 ) on Friday October 29, 2004 @06:12PM (#10668083) Homepage
    Beta should be reserved for functionality, GUI, and interoperability issues.

    No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.

    Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.
  • Re:Other bugs?? (Score:1, Informative)

    by Anonymous Coward on Friday October 29, 2004 @06:37PM (#10668337)
    it is because of this bug:

    http://www.networksecurityarchive.org/html/FullDisclosure/2004-07/msg00197.html [networksec...rchive.org]

  • Re:it IS a beta... (Score:5, Informative)

    by QuantumFTL ( 197300 ) * on Friday October 29, 2004 @06:50PM (#10668455)
    Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.

    I highly disagree. When I use a product which is in "Beta" I do not expect it to meet the same level of stability/security etc. To do so is ridiculous - anyone who develops software should understand why products of this kind require an extended beta period. It's definitely the best time to make last minute changes, adjustments, and to find problems like this. Finding these problems is the whole point of it being Beta in the first place. Anyone who's using this service for anything important, and then complaining about problems they have (other than as normal beta feedback) is being unreasonable!

    From their Terms of Use [google.com]:
    you understand and agree that the Service is provided on an AS IS and AS AVAILABLE basis.
    Their terms of service are very short, and easy to understand (not like most software agreements) and use of gmail is not only FREE, but it's entirely optional. No one's making you use it. People should not have the same level of expectation for this new service as they do of the original search engine, and if they do, that's their own ignorance.

    I also highly doubt that this beta period will last that much longer. GMail is becoming popular enough that the bugs and changes should be done soon.

    Cheers,
    Justin
  • Re:Isn't it... (Score:2, Informative)

    by JibberJim ( 826524 ) on Friday October 29, 2004 @07:44PM (#10668842)
    That was mine, that one has since been fixed http://jibbering.com/2004/10/google.html [jibbering.com] - I know of a couple of others though which have yet to go public.

    I agree it's Google's responsibility, and some of the flaws that are there aren't the bugs of people who understand the issues - one of the google desktop bugs is because a search for <script>alert(1)</script> is written straight into the source of the document unencoded!

    That's not a bug of developers who know what they're doing, or have good security procedures in place. I think they need a lot of publicity so like MS can start getting a real culture of security in.
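    JibberJim's Google Desktop example is the textbook reflected XSS: the search term goes into the page unencoded. The snippet below is an added illustration for this thread, not code from Google or from the linked write-up; it renders a constructed results page both the broken way and with HTML entity encoding applied, using the exact probe string quoted in the comment. The template strings and the `contains_script_tag` check are hypothetical and exist only to make the difference visible.

```python
"""Reflected search term: unencoded vs. entity-encoded output.

Added example for the thread; templates and helper names are hypothetical.
"""
import html

# Two places a search page typically echoes the term: element text and an attribute.
RESULT_TEMPLATE = "<p>Results for: <b>{term}</b></p>"
SEARCHBOX_TEMPLATE = '<input name="q" value="{term}">'

# The probe string quoted in the comment (constructed test input, not a user query).
CONSTRUCTED_TERM = "<script>alert(1)</script>"


def render_unencoded(term):
    """What the comment describes: the query is written straight into the document."""
    return RESULT_TEMPLATE.format(term=term) + SEARCHBOX_TEMPLATE.format(term=term)


def render_encoded(term):
    """Encode for HTML before interpolating.

    html.escape with quote=True turns & < > " ' into entities, so the browser
    displays the text instead of parsing it as markup, in both element and
    attribute context.
    """
    safe = html.escape(term, quote=True)
    return RESULT_TEMPLATE.format(term=safe) + SEARCHBOX_TEMPLATE.format(term=safe)


def contains_script_tag(page):
    """Crude check used here only to show the difference between the two renderers."""
    return "<script" in page.lower()


def compare(term=CONSTRUCTED_TERM):
    """Return (unencoded_has_script, encoded_has_script, encoded_page)."""
    unencoded = render_unencoded(term)
    encoded = render_encoded(term)
    return contains_script_tag(unencoded), contains_script_tag(encoded), encoded


if __name__ == "__main__":
    leaks, fixed, page = compare()
    print("unencoded page executes probe:", leaks)   # True
    print("encoded page executes probe:  ", fixed)   # False
    print(page)
```

    Note that `html.escape` is the right tool for HTML element and attribute contexts only; a term placed inside a `<script>` block or a URL needs the encoding for that context instead, which is why the example keeps the interpolation in plain markup.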

  • by mccrew ( 62494 ) on Friday October 29, 2004 @09:00PM (#10669243)
    I've never run across that.

    You gotta get out more. :)
    Lots of companies are behind load-balanced proxy servers. To a server, requests for a particular session are coming from a small number of IP addresses of the proxies.
