Gmail Accounts Vulnerable to XSS Exploit
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."
Other bugs?? (Score:4, Interesting)
Re:XSS isn't that big a deal (Score:5, Interesting)
Re:Isn't it... (Score:5, Interesting)
Now, I don't have a problem with that at all. Also, I do agree that in this case, Google has GMail in beta for other reasons too (maybe not even the making money off it part - AdWords has been adapted to GMail, so they might already be making money off of it).
Well this would have been.. (Score:2, Interesting)
had to tell people to revert to my old e-mail, since invariably I cannot open it.
Crossing my fingers, these issues will be solved in beta.
Re:cookies are the root of all evil (Score:4, Interesting)
No. Cookies are not the same across sites. Since each site comes up with its own cookie encoding scheme, data sharing becomes difficult (barring schemes like Passport: one reason why Passport in its original form was so creepy). Today, with fine-grained cookie managers (Moz, Opera) you can browse the web pretty privately, at least wrt cookies.
Incidentally, Real once got a lot of flak for incorporating just this feature into Realplayer, all the privacy arguments made then are true now as well.
Classic cookies are supposed to be opaque keys, but in reality people do use them for storing nonsensitive information, like stylesheet info. Your proposal would increase the hassle these people have to go through.
> but also can give the client state control if not used properly
rm if not used properly can hose your $HOME. A backup script used by a technician at your ISP used improperly can hose your Maildir. Doesn't mean rm or backup scripts are bad.
Btw, if you don't like client-side state, I suggest you get prepared for more unpleasantness: I'm predicting in 2-3 years we'll see the first browsers with more sophisticated client state management that'd allow browsers to work with websites (even app-centric websites like Gmail and Flickr) offline.
Re:Google needs to toss its cookies... (Score:2, Interesting)
Re:Need more than just the username (Score:1, Interesting)
Unless someone figures out how the cookies are generated. In which case an attacker can brute force access to any number of gmail accounts.
As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.
Bwhahaha
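Two points raised in this thread, that session cookies are only as safe as the way they are generated, and that a stolen session survives a password change, map to two defender-side checks. The following is an added Python example, not code from the original page or from Gmail; the `SessionStore` class, its in-memory dictionary, and the `session_cookie` helper are assumptions made for illustration:

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Hypothetical in-memory session table: token -> username.

    Tokens come from the OS CSPRNG (secrets), so an attacker who learns
    the scheme still cannot predict or enumerate other users' tokens,
    unlike a counter- or timestamp-derived cookie.
    """

    def __init__(self):
        self._sessions = {}          # token -> username
        self._password_hash = {}     # username -> stored credential

    def create(self, username):
        # 32 random bytes = 256 bits; far beyond brute-force reach.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def lookup(self, token):
        # constant-time comparison is not needed for a dict lookup on a
        # high-entropy key, but the token must never be logged or echoed.
        return self._sessions.get(token)

    def revoke_all_for(self, username):
        doomed = [t for t, u in self._sessions.items() if u == username]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def change_password(self, username, new_hash):
        # The thread's complaint is that a stolen cookie outlives a
        # password change. Binding credential changes to session
        # revocation closes that gap: every existing session dies.
        self._password_hash[username] = new_hash
        return self.revoke_all_for(username)


def session_cookie(token, secure=True):
    """Render a Set-Cookie value with the attributes that limit XSS
    cookie theft (HttpOnly) and plaintext exposure (Secure)."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = secure
    c["session"]["path"] = "/"
    return c.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    t1 = store.create("alice")
    t2 = store.create("alice")
    print(session_cookie(t1))
    print("revoked:", store.change_password("alice", "new-hash-placeholder"))
    print("old token still valid:", store.lookup(t2) is not None)
```

`HttpOnly` keeps script on the page (including injected script) from reading `document.cookie`; it does not stop an XSS payload from issuing requests in the victim's session, so revocation on password change remains the backstop.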
Re:Isn't it... (Score:5, Interesting)
In that case, the exploit had been known for a long time. In the interest of protecting the not-so-savvy (read: gullible) users, publicity may get the attention needed for them to do their jobs, giving them a reasonable chance to respond with their fix. Two years is way more than reasonable.
To play devil's advocate, I'd say that it's not your responsibility to make sure their site is secure. If they want to leave it there, they can - and publicizing it is simply going to hurt those users that you'd seek to protect. It'll end up hurting Google in the end anyway.
Personally, I prefer to do a "good deed" and help make the web a little safer for people like my wife's grandparents.
Fixed Perhaps? (Score:4, Interesting)
I wonder if they fixed it. My session just expired and I had to log in again. (My latest two-week session ended a couple of days ago.)
Gmail just logged me out - a quickfix already? (Score:5, Interesting)
http://gmail.google.com/gmail?_sgh=2f3ab242adin
which I've never seen before.
I think it'll be a long Friday night at the 'Plex.
Perhaps it's time... (Score:1, Interesting)
The Microsoft argument (Score:3, Interesting)
This story talks about this vulnerability in Google which allows someone to replace the Google page with a simple form telling the user that Google is now a subscription service and asking for their credit card details. http://www.theregister.co.uk/2004/10/21/google_desktop_security_vuln/ [theregister.co.uk]
Is closed-source software always going to be insecure because some hacker somewhere has issues with it? I hope not - cos writing closed source software is my bread and butter.
With Google's empire growing the way it is, I wonder if it is the next Microsoft? I sincerely hope not!