Gmail Accounts Vulnerable to XSS Exploit 232

Posted by michael
from the ooooooops dept.
mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."

  • Oh no! (Score:5, Funny)

    by scaaven (783465) on Friday October 29, 2004 @05:28PM (#10667702)
    My google stock. My poor google stock!
  • Isn't it... (Score:2, Insightful)

    by Sheetrock (152993)
    just a bit irresponsible to be coming out with this before Google has had a chance to fix it?
    • Re:Isn't it... (Score:5, Insightful)

      by realdpk (116490) on Friday October 29, 2004 @05:31PM (#10667732) Homepage Journal
      No. Certainly not. People should be made aware of security issues. Especially for free services like this, where people have no guarantee they will ever be addressed.
      • Re:Isn't it... (Score:4, Insightful)

        by LiquidCoooled (634315) on Friday October 29, 2004 @05:33PM (#10667760) Homepage Journal
        It's not like a local exploit where we can stop using it, or update ourselves.

        This SHOULD get maximum exposure. Maybe then the heads in google will jump on this with all their PhDs.

        As for not fixing it, I doubt that's an option. Such a monumental failure so start in their public offering will be devastating to them.
        • Re:Isn't it... (Score:2, Insightful)

          by LiquidCoooled (634315)
          I should clarify that apart from deleting all my mail and closing my account I can do nothing about it. I don't want to lose my account though, I *like* gmail, and certainly don't want to go back to the hotmail wasteground.

          (and also look sheepishly at the grammatical screwup in my previous post)
    • by moonbender (547943) <<moc.liamg> <ta> <rednebnoom>> on Friday October 29, 2004 @05:33PM (#10667755)
      I guess they weren't kidding when they said it's still in beta...
      • It will always "still" be in beta for 2 reasons. One is so they don't have any liability when things like this happen; after all they never said it was stable or secure, it's a work in progress. Two is that they're getting a lot of data to build up a social network with their invite system. With the rate at which invites are made available it is practically open now, you just need a link for their social network to join.

        Jason
        ProfQuotes [profquotes.com]
        • Re:Isn't it... (Score:5, Interesting)

          by bhtooefr (649901) <bhtooefr&bhtooefr,org> on Friday October 29, 2004 @05:51PM (#10667922) Homepage Journal
          Actually, those aren't the primary reasons. A Google app can be perfectly stable, and still be in beta, because "beta" for Google means looking for a way to make money off of it.

          Now, I don't have a problem with that at all. Also, I do agree that in this case, Google has GMail in beta for other reasons too (maybe not even the making money off it part - AdWords has been adapted to GMail, so they might already be making money off of it).
        • by downbad (793562)
          It will always "still" be in beta for 2 reasons. One is so they don't have any liability when things like this happen; after all they never said it was stable or secure, it's a work in progress.
          like every project on freshmeat and sourceforge. ;)
    • Re:Isn't it... (Score:4, Informative)

      by DaHat (247651) on Friday October 29, 2004 @05:34PM (#10667764) Homepage
      Some might agree... others would say that if that was the case, Microsoft (and others) would never fix security holes if they are not known.
      • Re:Isn't it... (Score:2, Informative)

        by a16 (783096)
        Some might agree... others would say that if that was the case, Microsoft (and others) would never fix security holes if they are not known.

        Yes - but the key is that you should give the company in question enough time to be able to get a fix out before releasing the issue to the public. I haven't been able to RTFA however unless Google have not taken any action after a reasonable timeframe (say a week) posting the issue on slashdot is not going to solve the problem any faster, and hence is just making
    • Re:Isn't it... (Score:5, Insightful)

      by lukewarmfusion (726141) on Friday October 29, 2004 @05:35PM (#10667775) Homepage Journal
      Yes and no.

      Yes - Google should have the opportunity to fix this appropriately, not racing against the slew of hackers, crackers, and script kiddies that want to exploit it.

      No - People should be aware of security risks in the software, hardware, etc. that they use and upon which they rely.

      Personally, I prefer to inform the company of vulnerabilities and offer to help fix them. It's helped me land clients and discredit competitors.
    • Re:Isn't it... (Score:2, Insightful)

      by Saratoga C++ (456351)
      To be honest I think google's getting off easy.

      Just about every MS security hole that comes out has the exploit code attached. Since google's not an "evil" company the exploit is kept secret? What is the reason that an Operating System Security Hole is given with code and a beta webmail service exploit isn't?
      IIRC: Wasn't hotmail's exploit also given with a snippet of code/instructions on how to do it? This is the same thing but with a different company.

      I'm not trying to say "release the 'sploit" but
      • Is it really that hard to understand that people like Google and will cooperate with them, and they don't like Microsoft and therefore won't expend any effort to be nice? This is basic Golden Rule stuff.
        • Re:Isn't it... (Score:2, Insightful)

          by Saratoga C++ (456351)
          Yes, yes it is and I'll tell you why.

          In both instances you're harming the user with these exploits (given hotmail/gmail's exploits). Also with the OS exploits. The users are harmed. Sure this indirectly harms MS but you're still exposing the users of the product.

          What this amounts to IMHO is that for some reason gmail users are more precious than hotmail users or that hotmail users deserve to be hacked because they are users of the service. That shows a rather large power trip issue on the part of the
          • Nobody asked if it was okay. They asked why. It'd be a nice world if everyone was treated fairly and evenly but I think it's pretty safe to say to the sort of person who writes and uses exploits, yes, hotmail users are less precious than gmail users.

            It's not a power trip per se (I suppose it is in some cases), but a disdain for (for example) hotmail and microsoft and the users thereof. You find much the same sort of attitude toward AOL. In the case of Hotmail/Microsoft it's increased by Microsofts (percie

      • There is a difference. Google so far hasn't earned the reputation of Microsoft. A reputation of ignoring known security holes and sitting on them until the shit hits the fan and then taking ages to fix anything.

        Code exploits released with MS warnings are just a way to get MS to move its lazy fat ass. Talk to the people that have tried to warn MS in the past before going public. After trying for months and months knowing that if the "whitehat" hacker knew then a "blackhat" hacker might also have found out wit

  • by LostCluster (625375) * on Friday October 29, 2004 @05:29PM (#10667713)
    The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.

    The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.

    It's a surprisingly bad design by Google standards. By assigning a forever-good cookie value to each user's account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have to re-authenticate every time they changed.
    • by ArbitraryConstant (763964) on Friday October 29, 2004 @05:31PM (#10667733) Homepage
      I don't believe they use a forever cookie, they use a cookie that's invalidated after you log out OR (optionally) a 2 week cookie.

      What I don't like about it is that it doesn't use SSL after you log in.
      • by LostCluster (625375) * on Friday October 29, 2004 @05:34PM (#10667767)
        The cookie file gets invalidated... but the problem is if you log back in, instead of getting a new value in your new cookie, apparently you get the same old value again. And worse yet, even if you don't log in again, bringing back that old cookie from the dead is all that's needed to log in.

        It's not the expiration date on the cookie that's the problem, it's the fact that their database still associates "your cookie" with your account even if there's no authorized cookie in circulation.
      • by kinema (630983) on Friday October 29, 2004 @05:45PM (#10667864)
        What I don't like about it is that it doesn't use SSL after you log in.
        Actually if you enter "https://gmail.google.com/gmail" in the location bar of your favorite browser you will continue to use a SSL secured connection for the duration of your session.
      • It doesn't automatically use SSL, but if you use https://gmail.google.com , you still get it.
      • What I don't like about it is that it doesn't use SSL after you log in.

        ...which is important, because I want to read my mail over an encrypted link even though it travelled through several ISPs' data centers, many networks, a backbone or two, and probably even the FBI's scanners, IN THE CLEAR!!!

        • My immediate concern is the fskers who live in my apartment complex. We use a shared internet connection (300 of us on a dual T-1, ouch) for the entire complex. Now, I can't be the only person who knows that an un-administered network (no kidding) will be rife with people screwing around.

          I know that my email travels through routers and ISPs in the clear, but they probably don't know me personally. I'm more worried about my roommates sniffing the traffic coming from my computer to the gateway and reading
    • One safe way to use cookies in a situation like this is to use a 3-way hash token. Take 3 elements: a random string (generated by google), the user's password, and a secret key stored in the google API. Whenever you log in, google takes these 3 elements, hashes them all together, and sets a cookie containing the random string and the hash. Whenever the user re-visits gmail, google re-does the procedure using the same random string, the user's password, and the server's secret key. If the hash matches, th
  • Oh my god! (Score:5, Funny)

    by Zangief (461457) on Friday October 29, 2004 @05:29PM (#10667715) Homepage Journal
    Maybe some hacker will make a program to break into every gmail account, read their mail, and send them ads about what people are talking about in mails!!!
  • Cross site scripting should not be considered a vulnerability.
    • by Sheetrock (152993) on Friday October 29, 2004 @05:38PM (#10667805) Homepage Journal
      Well, the problem is that we're looking at each individual XSS exploit as a vulnerability when we should be looking at XSS itself as an unwholesome feature in general.

      Like when we started treating e-mail as a file transfer protocol, or when documents began to contain executable content, XSS gives an avenue of attack by adding a new and unrequested behavior to something that used to be secure. We need to reduce these channels of exploitation if computers are going to become secure -- especially as we head towards a homogenized environment on the Internet with regards to executable code (.NET/Java).

      • by phasm42 (588479) on Friday October 29, 2004 @05:46PM (#10667875)
        XSS is not the real problem here. The real problem is that the cookie can be used to authenticate an account. If you get a copy of the cookie and take it to another machine, you could log on using that cookie, even after the cookie has expired. This is a poor design, and XSS is just one way to exploit this. Another would be to simply copy Mozilla's cookies.txt file, or whatever browser you use. Or to sniff out the cookie over the network and use it from then on.
        • XSS was highlighted because that's the easiest way to steal the cookie without physical access to the machine which the victim uses (correct me if I'm wrong). XSS makes it extremely easy for an attacker to social engineer a user into divulging his cookie, using a malformed hyperlink in a mail. Though GMail was initially limited to computer savvy people it has now percolated to the masses. As the spread of recent viruses has shown, social engineering normal users is trivial.
      • XSS is never a feature and always an unintentional security hole. The "feature" in the design of the Web that makes XSS possible is the ability for a site to link to another site.

        Your other examples are wrong, too.
  • by yahyamf (751776) * on Friday October 29, 2004 @05:32PM (#10667744)
    I waited so long to get a Gmail account, I don't care if it sucks now... I also like Doom3...
  • So isn't the real issue that there are bugs that allow your cookie file to be exposed? Shouldn't those be considered critical security bugs regardless of what Google does?
    • It ain't nice that your cookie can be taken but that is the way it is. Google knows this and should protect against this. Just as it isn't nice that you can get into an accident but your car should still be designed to protect you against this.

      Yes in an ideal world all browsers would be 100% safe but they are not. Cookies being stolen is sadly it seems a problem that can't be fixed. So GUARD against it. Google should know better. There are a lot of tricks you can use to make certain that a cookie is indeed

  • The first person to fix the exploit will get a FREE GMAIL INVITE!
  • Other bugs?? (Score:4, Interesting)

    by Anonymous Coward on Friday October 29, 2004 @05:35PM (#10667779)
    Did anybody else notice when they were coming up with unique login names when they first set up their gmail account that oftentimes the "Blahblah@gmail.com is taken" message would often be some other email address somebody else was trying? I mean, if you tried "johndoe@gmail.com" and it was taken, sometimes it would respond with "joeschmoe1234@gmail.com is already taken, try again".
  • by whovian (107062) on Friday October 29, 2004 @05:37PM (#10667793)
    Never heard of XSS until now (like me)? Here is one summary [cgisecurity.com] of what the cookie theft looks like.
  • The Nana article says that it works by stealing your cookies, so I don't think the problem should last longer than two weeks, since that's how long the Gmail cookies are supposed to be good for.

    I've been using the Gmail account for stuff I could afford to lose, since there doesn't seem to be any way to shift it in bulk to my home computer. Now I'm really glad I didn't use it for anything important.

  • by Dominic_Mazzoni (125164) on Friday October 29, 2004 @05:40PM (#10667818) Homepage
    I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.
  • by bill_kress (99356) on Friday October 29, 2004 @05:44PM (#10667856)
    They caught this problem in beta, just as should be done! Bravo!

    Brings some true professionalism to an industry where companies actually ship/sell products with bugs like this all the time.
  • Easy Fix: (Score:5, Insightful)

    by thesandtiger (819476) on Friday October 29, 2004 @05:50PM (#10667915)

    1) Gmail plugs the hole.

    2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.

    3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.

    Of course, if someone already got at your stuff, well, that's bad.
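
Added example, not code from this thread, from Google or from Gmail: the per-account fixed cookie LostCluster describes above (handed out again on every login, untouched by logout or a password change) beside a per-login token that follows the three-element hash scheme proposed in the same subthread and the "require a different cookie" step of the Easy Fix. Class and function names and the in-memory stores are assumptions; sha256 stands in for a real password hash.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # constructed; lives only on the server

def _pw_hash(password):
    # sha256 stands in for a real password hash (scrypt/argon2) to keep this short
    return hashlib.sha256(password.encode()).hexdigest()

def _token(nonce, pw_hash):
    """Three-element scheme from the thread: random string, password (hash) and
    server secret HMAC'd together, so the token dies with the password."""
    mac = hmac.new(SERVER_SECRET, f"{nonce}|{pw_hash}".encode(), hashlib.sha256)
    return f"{nonce}:{mac.hexdigest()}"

class ForeverCookieService:
    """The design the thread describes: one fixed value per account, handed
    out again on every login and never revoked. Logout/password change do nothing."""
    def __init__(self):
        self.users, self.cookie_of = {}, {}
    def register(self, user, password):
        self.users[user] = _pw_hash(password)
        self.cookie_of[user] = secrets.token_hex(16)     # minted once, forever
    def login(self, user, password):
        ok = self.users.get(user) == _pw_hash(password)
        return self.cookie_of[user] if ok else None      # same value every time
    def whoami(self, cookie):
        return next((u for u, c in self.cookie_of.items()
                     if hmac.compare_digest(c, cookie)), None)
    def change_password(self, user, password):
        self.users[user] = _pw_hash(password)            # cookie untouched, still valid

class SessionTokenService:
    """Hardened form: fresh nonce per login, HMAC bound to the password hash,
    plus a server-side set of live nonces so logout (or rejecting every
    pre-fix cookie after a patch) really invalidates old cookies."""
    def __init__(self):
        self.users, self.live = {}, {}
    def register(self, user, password):
        self.users[user] = _pw_hash(password)
        self.live[user] = set()
    def login(self, user, password):
        if self.users.get(user) != _pw_hash(password):
            return None
        nonce = secrets.token_hex(16)
        self.live[user].add(nonce)
        return f"{user}:{_token(nonce, self.users[user])}"
    def whoami(self, cookie):
        user, _, token = cookie.partition(":")
        nonce = token.split(":")[0]
        if nonce not in self.live.get(user, ()):
            return None                                  # logged out or never issued
        return user if hmac.compare_digest(_token(nonce, self.users[user]), token) else None
    def logout(self, cookie):
        user, _, token = cookie.partition(":")
        self.live.get(user, set()).discard(token.split(":")[0])
    def change_password(self, user, password):
        self.users[user] = _pw_hash(password)
        self.live[user].clear()                          # HMAC alone would already fail
```

With the hardened store a copied cookie stops working at logout or password change; with the fixed per-account value it keeps working through both, which is the behaviour the story and the thread describe.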

  • Wives (Score:5, Funny)

    by mekanizer (823259) on Friday October 29, 2004 @05:55PM (#10667954)
    Time to read our wives e-mail to see if they are cheating or something.
  • news to me, if I could access the damn accounts.

    had to tell people to revert to my old e-mail, since invariably I cannot open it.

    Crossing my fingers, these issues will be solved in beta.
  • by NotoriousQ (457789) on Friday October 29, 2004 @06:06PM (#10668039) Homepage
    No worries! Remember it is still a beta. It is not like anyone will use this for a serious purpose.
    • Parent should have probably been marked funny rather than insightful... sheesh.

      The thousands of people using Gmail don't care that it has a little tiny word "beta" at the top. They've got mail in there that probably shouldn't be seen by other people. (Personal communications, private chats, possibly much more.)

      It IS a real problem for anyone who doesn't want their email being read by others.
  • by elmegil (12001) on Friday October 29, 2004 @06:21PM (#10668183) Homepage Journal
    "Because Gmail offers a gigabyte of storage, several times bigger than most other web based mail services, users hardly delete any old correspondence", says Goldshlagger. "The result is a huge amount of mail accumulating in the users' boxes, which frequently include bank notices, passwords, private documents and other files the user wanted to backup. Who ever takes a hold of this data, could literally take over the victim's life and identity".

    If you've got ALL THAT INFORMATION already migrated to a BETA service that's been around for ... a handful of months, you're pretty foolish. As far as it goes, I specifically DON'T have anything particularly important going to my gmail account for exactly this reason--it's unproven as of yet. In fact, I had a two week outage, totally unable to use my gmail box, for unknown reasons. After working with the GMail team, it got fixed, but they never told me the actual cause. Yet another reason not to trust BETA software/services with really crucial information.

    And before all the 'bots claim I'm bashing google, quite the contrary. I love GMail. But it's like any other BETA product right now--still working out the kinks.

  • Fixed Perhaps? (Score:4, Interesting)

    by mla_anderson (578539) on Friday October 29, 2004 @07:39PM (#10668804) Homepage

    I wonder if they fixed it. My session was just expired and I had to log in again. (My latest two week session ended a couple days ago.)

  • by adnonsense (826530) on Friday October 29, 2004 @07:47PM (#10668859) Homepage Journal
    I was using the "don't ask my password for two weeks" feature - Gmail just logged me out although the two weeks aren't up, and after logging in again I had a session ID tacked on to the URL like this:

    http://gmail.google.com/gmail?_sgh=2f3ab242adinfinitum

    which I've never seen before.

    I think it'll be a long Friday night at the 'Plex.
  • by nonicenamesleft (826555) on Friday October 29, 2004 @09:55PM (#10669460)
    I know this group loves to hate Microsoft, but this story rings a bell in my head about the argument Microsoft always gives about its vulnerabilities being discovered the most cos hackers are more interested in finding them. With google having acquired a close to God status with its amazingly engineered products, those same hackers are now targeting its holes (pun intended).

    This story talks about this vulnerability in google which allows someone to replace the google page with a simple form telling the user that google is now a subscription service and asking for their credit card details. http://www.theregister.co.uk/2004/10/21/google_desktop_security_vuln/ [theregister.co.uk]

    Is closed-source software always going to be insecure because some hacker somewhere has issues with it? I hope not - cos writing closed source software is my bread and butter.

    With google's empire growing the way it is, I wonder if it is the next Microsoft? I sincerely hope not!

    • As the reporter of the first bug reported in the register article, I certainly didn't go looking for it because of google, it was trivial to find, I found it 2 1/2 years ago (you can see a usenet post from 2002 which describes it, when XSS into google didn't matter much, phishing was new, and google had no data)

      The reason we're getting this deluge of security flaws in google now is simply because people are now looking, they're easy to find, the XSS flaws are trivial (like ignoring you're encode user input
  • Could you guys at least have the courtesy of deleting all of those ads for mortgage applications? I'm sick of doing it myself.
