
Gmail Accounts Vulnerable to XSS Exploit 232

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
  • Other bugs?? (Score:4, Interesting)

    by Anonymous Coward on Friday October 29, 2004 @05:35PM (#10667779)
    Did anybody else notice when they were coming up with unique login names when they first set up their gmail account that oftentimes the "Blahblah@gmail.com is taken" message would often be some other email address somebody else was trying? I mean, if you tried "johndoe@gmail.com" and it was taken, sometimes it would respond with "joeschmoe1234@gmail.com is already taken, try again".
  • by phasm42 ( 588479 ) on Friday October 29, 2004 @05:46PM (#10667875)
    XSS is not the real problem here. The real problem is that the cookie can be used to authenticate an account. If you get a copy of the cookie and take it to another machine, you could log on using that cookie, even after the cookie has expired. This is a poor design, and XSS is just one way to exploit this. Another would be to simply copy Mozilla's cookies.txt file, or whatever browser you use. Or to sniff out the cookie over the network and use it from then on.
  • Re:Isn't it... (Score:5, Interesting)

    by bhtooefr ( 649901 ) <[gro.rfeoothb] [ta] [rfeoothb]> on Friday October 29, 2004 @05:51PM (#10667922) Homepage Journal
    Actually, those aren't the primary reasons. A Google app can be perfectly stable, and still be in beta, because "beta" for Google means looking for a way to make money off of it.

    Now, I don't have a problem with that at all. Also, I do agree that in this case, Google has GMail in beta for other reasons too (maybe not even the making money off it part - AdWords has been adapted to GMail, so they might already be making money off of it).
  • by Tracer_Bullet82 ( 766262 ) on Friday October 29, 2004 @06:04PM (#10668020)
    News to me, if I could access the damn accounts.

    Had to tell people to revert to my old e-mail, since invariably I cannot open it.

    Crossing my fingers, these issues will be solved in beta.
  • by bheer ( 633842 ) <rbheer AT gmail DOT com> on Friday October 29, 2004 @06:49PM (#10668448)
    > Cookies compromise privacy in the same way,

    No. Cookies are not the same across sites. Since each site comes up with its own cookie encoding scheme, data sharing becomes difficult (barring schemes like Passport: one reason why Passport in its original form was so creepy). Today, with fine-grained cookie managers (Moz, Opera) you can browse the web pretty privately, at least wrt cookies.

    Incidentally, Real once got a lot of flak for incorporating just this feature into Realplayer; all the privacy arguments made then are true now as well.

    Classic cookies are supposed to be opaque keys, but in reality people do use them for storing nonsensitive information, like stylesheet info. Your proposal would increase the hassle these people have to go through.

    > but also can give the client state control if not used properly

    rm if not used properly can hose your $HOME. A backup script used by a technician at your ISP used improperly can hose your Maildir. Doesn't mean rm or backup scripts are bad.

    Btw, if you don't like client-side state, I suggest you get prepared for more unpleasantness: I'm predicting in 2-3 years we'll see the first browsers with more sophisticated client state management that'd allow browsers to work with websites (even app-centric websites like Gmail and Flickr) offline.
  • by widow,black ( 826516 ) on Friday October 29, 2004 @06:49PM (#10668451)
    What if I delete the cookie after I sign out? =/
  • by Anonymous Coward on Friday October 29, 2004 @07:19PM (#10668665)
    > it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all

    Unless someone figures out how the cookies are generated. In which case an attacker can brute force access to any number of gmail accounts.

    > As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.

    Bwhahaha ... yeah, that worked out so well for IE ...
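    Two points in this thread, phasm42's observation that the Gmail cookie works as a reusable bearer credential even after expiry or a password change, and the worry above that predictable cookie generation would allow guessing, come down to the same server-side design question. The following is an added illustration written for this discussion, not Google's code and not a description of how Gmail actually worked: session identifiers are drawn from a CSPRNG, the server keeps its own expiry rather than trusting the cookie's, and every session records the account's password generation so a password change revokes outstanding cookies. All class and function names are invented for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_BYTES = 32            # 256 bits of CSPRNG output per session id; not guessable
SESSION_TTL = 14 * 86400    # the two-week "remember me" window the thread mentions


@dataclass
class Account:
    username: str
    password_generation: int = 0   # incremented on every password change


@dataclass
class Session:
    username: str
    password_generation: int       # generation the session was issued under
    expires_at: float              # server-side expiry; the cookie's Max-Age is advisory only


class SessionStore:
    """Hypothetical server-side session table (constructed for this example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._accounts: Dict[str, Account] = {}

    def add_account(self, username: str) -> None:
        self._accounts[username] = Account(username)

    def login(self, username: str, now: float) -> str:
        # The token is pure randomness, never derived from the username or the clock,
        # so knowing how one token was made tells an observer nothing about another.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        acct = self._accounts[username]
        self._sessions[token] = Session(username, acct.password_generation, now + SESSION_TTL)
        return token

    def set_cookie_header(self, token: str) -> str:
        # HttpOnly keeps script (including injected script) from reading the cookie;
        # Secure keeps it off the wire in clear text.
        return f"SID={token}; Path=/; Secure; HttpOnly; Max-Age={SESSION_TTL}"

    def authenticate(self, token: str, now: float) -> Optional[str]:
        """Return the username for a valid session, or None and purge the entry."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if now >= sess.expires_at:            # server decides expiry, not the client
            del self._sessions[token]
            return None
        acct = self._accounts.get(sess.username)
        if acct is None or acct.password_generation != sess.password_generation:
            del self._sessions[token]         # password changed: old cookie is dead
            return None
        return sess.username

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)       # sign-out revokes the copy on every machine

    def change_password(self, username: str) -> None:
        # Bumping the generation invalidates every session issued before the change.
        self._accounts[username].password_generation += 1


def demo() -> Dict[str, Optional[str]]:
    """Walk through the lifecycle with a constructed clock; returns the observations."""
    store = SessionStore()
    store.add_account("alice")
    t0 = 1_000_000.0
    tok = store.login("alice", now=t0)
    results = {
        "fresh": store.authenticate(tok, now=t0 + 1),
        "after_expiry": store.authenticate(tok, now=t0 + SESSION_TTL),
    }
    tok2 = store.login("alice", now=t0)
    store.change_password("alice")
    results["after_password_change"] = store.authenticate(tok2, now=t0 + 1)
    tok3 = store.login("alice", now=t0)
    store.logout(tok3)
    results["after_logout"] = store.authenticate(tok3, now=t0 + 1)
    results["guessed_token"] = store.authenticate("not-a-real-token", now=t0 + 1)
    return results


if __name__ == "__main__":
    for step, who in demo().items():
        print(f"{step:22s} -> {who}")
```

    With this layout a stolen cookie is worth exactly as long as the server says it is, and a password change or sign-out ends that immediately, which is the property the thread says Gmail lacked at the time.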
  • Re:Isn't it... (Score:5, Interesting)

    by lukewarmfusion ( 726141 ) on Friday October 29, 2004 @07:33PM (#10668768) Homepage Journal
    I did see an XSS proof-of-concept exploit (maybe yours) where the hacker imitated a Google page asking the user to pay for Google use. It was quite convincing.

    In that case, the exploit had been known for a long time. In the interest of protecting the not-so-savvy (read: gullible) users, publicity may get the attention needed for them to do their jobs. Giving them a reasonable chance to respond with their fix. Two years is way more than reasonable.

    To play devil's advocate, I'd say that it's not your responsibility to make sure their site is secure. If they want to leave it there, they can - and publicizing it is simply going to hurt those users that you'd seek to protect. It'll end up hurting Google in the end anyway.

    Personally, I prefer to do a "good deed" and help make the web a little safer for people like my wife's grandparents.
  • Fixed Perhaps? (Score:4, Interesting)

    by mla_anderson ( 578539 ) on Friday October 29, 2004 @07:39PM (#10668804) Homepage

    I wonder if they fixed it. My session was just expired and I had to login in again. (My latest two week session ended a couple days ago.)

  • by adnonsense ( 826530 ) on Friday October 29, 2004 @07:47PM (#10668859) Homepage Journal
    I was using the "don't ask my password for two weeks" feature - Gmail just logged me out although the two weeks aren't up, and after logging in again I had a session ID tacked on to the URL like this:

    http://gmail.google.com/gmail?_sgh=2f3ab242adinfinitum

    which I've never seen before.

    I think it'll be a long Friday night at the 'Plex.
  • Perhaps it's time... (Score:1, Interesting)

    by Anonymous Coward on Friday October 29, 2004 @07:49PM (#10668876)
    ...for Google to start hiring some computer security geeks in addition to the math geeks they've been so aggressively pursuing. Last week it was Google Toolbar that was found to be hole-ridden. This week it's gmail.

  • by nonicenamesleft ( 826555 ) on Friday October 29, 2004 @09:55PM (#10669460)
    I know this group loves to hate Microsoft, but this story rings a bell in my head about the argument Microsoft always gives about its vulnerabilities being discovered the most cos hackers are more interested in finding them. With google having acquired a close to God status with its amazingly engineered products, those same hackers are now targeting its holes (pun intended).

    This story talks about this vulnerability in google which allows someone to replace the google page with a simple form telling the user that google is now a subscription service and asking for their credit card details. http://www.theregister.co.uk/2004/10/21/google_desktop_security_vuln/

    Is closed-source software always going to be insecure because some hacker somewhere has issues with it? I hope not - cos writing closed source software is my bread and butter.

    With google's empire growing the way it is, I wonder if it is the next Microsoft? I sincerely hope not!
