Gmail Vulnerability May Expose User Information

An anonymous reader writes "A cross-site scripting vulnerability may mean bad news for Gmail users. The ethical hacking group GNUCitizen has developed a proof-of-concept program that deftly steals contact information and emails from the popular web-based mail service. At the moment there are no 'wild' exploits for this vulnerability. The article discusses how lax security makes holes like this a problem for corporate IT houses as well as Google. '"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal. "In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."'" This, just a few days after a search-based exploit was discovered.

Encrypt it

[aedan]

With ROT 26

Re:

[smittyoneeach]

No, on the grounds of excessive CPU overhead.
A simpler approach would be to have the UN put out a resolution asking everyone to be nice.
Oh, and another resolution asking people not to send spam, pretty please, would also be helpful.

Re:

[dascritch]

Bush's Administration will make a special law to be exempted in the name of National Security.

Actually, I do encrypt my Gmail

[5plicer]

Whenever I want to store something securely on Gmail (e.g. a text file containing a list of passwords), I encrypt it with 256-bit AES, then include it as an attachment in an email to myself.

Online apps

[Romancer]

So who didn't see this thing comming?

Online apps are only going to get more and more popular. Webmail is like the gateway drug of internet apps. It starts off innocently enough. Going from an in house email system that is only intranet. Then you need to give employees the ability to send outside email, no problem, but your servers can still filter out attachments both ways and give the company a security and intellectual property barrier. Then the online apps start looking appealing, no maintenance, no servers, just internet access. A lot of cost savings for the company. What could go wrong? Then Microsoft and the other big players start talking about making Office an online application and hyping the benifits of such a new age system. The benifits are described in beautiful powerpoint presentations to the execs and the IT departments warnings are just plain text. What's going to happen to the companies that fall for this new online paradigm? I think more of the same. Information leaks, database vulnerabilities, simple password guessing, general hacks, etc. And all the information accessed through these new online applications is going to be out there for the taking. Ease of use and availability on a new level, to the hackers.

Re:Online apps

[betterunixthanunix]

Another problem is the users themselves. People like the convenience of a web interface, and don't want to be tied to one computer using an email client. I try to get people to encrypt confidential emails, but as soon as I say, "So you need to set up Thunderbird..." I am met with skepticism. One friend of mine was worried that someone might be reading her emails (because she had used a predictable password); I set up Thunderbird with GPG for her, but within a few weeks she was back to the web interface.

When it comes to convenience vs. privacy or security, people will choose convenience.

Re:

[Cardcaptor_RLH85]

Interesting that you mention that here. There is a Firefox extension called FireGPG mentioned here on slashdot [slashdot.org] once before. It allows you to sign and/or encrypt e-mails using the Gmail web interface. If you want both the convenience of a web interface and the safety of GPG encryption that's the way to go ^_^

Re:

[betterunixthanunix]

Yes, although that program is very limited: it only works with Gmail, and it is only a Firefox extension. My mail client works with most mail servers, except for the "free" ones (but I get email accounts from my ISP and University, and I had an email account from my former employer. And I could potentially run my own mail server, and Gmail supports POP3 (but sadly, not IMAP)). And there are many other advantages to mail clients, including increased security, secondary antispam filters, integration with

Re:

[ancalikorn_pk073892]

Most of the problem of hacking or cracking the message(email) is caused from the user itself. The user always used the dictionary words as their password. For the cracker, it takes less than a second to hack/crack into the email. so to prevent it, i suggest that all the user used the combination of characters,string,numbers to setup the password. Even though its not 100% to prevent from the hacker but it will make them take long time to hack it. Further, using a digital signature also a good method for us t

How about a web hoster?

[jbn-o]

Many web hosters offer accounts that also come with IM, email, and various web-based programs to do other things. Often these accounts cost very little money and give you gigabytes more space than GMail (and that space can be used for more than just email without resorting to clever hacks to make your email space usable in other ways). Look at who's hosting some of the sites people point to on /. and you'll get some good leads.

Of course

[teknopurge]

People wonder why I recommend getting a private email account. Sure we could have the same issues, but the core webmail software we use is almost a decade old, and I gather that it has had more users then GMail currently has.

In short: ditch the free and go with a service provider that provides service. GMail is ok for your Grandpa, but do you really want those million-dollar business contracts and project bids on it?

Re:

[ShatteredArm]

Google does offer services to large organizations whereby they can use gmail and still use their own domain. Just a few years ago, my university ditched its in-house email servers in a "partnership" with gmail, and gmail became the mail service for the entire university. They said it would save all kinds of money on maintenance, and they were probably right.

So I guess my point is, even if they have the professional-looking email, it doesn't mean they're not using gmail. ;)

Re:

[generica1]

To use GMail for your business on the cheap, just set up an email forwarder for your domain name for your business that sends to your Gmail account, and then add the address for that forwarder in your GMail preferences as an alternative address. You will be able to send/receive to and from your forwarder address using GMail afterwards.

Just sayin'.. it is likely that a lot of businesses and/or organizations may be using a method like this to make use of GMail specifically because they have, by far, one of t

Re:

[gd2shoe]

"but do you really want those million-dollar business contracts and project bids on it?"

To think, people actually do this across any email... **shudder**

Seriously, all potentially sensitive business should be conducted in person (perhaps by a representative). Anybody not smart enough to realize this should not be running a "million-dollar business".

(Yes, I _realize_ that it happens.)

That is inane.

[jotaeleemeese]

If you are not encrypting your email you are as exposed as your grandpa, so your recommendation is based in wishful thinking and not in actual hard technical facts.

email is not a secure mechanism to transmit information, unless it is encrypted. End of the history.

And as in regard to all those valuable contracts and what have you, I would like to inform you that email is not a guaranteed delivery mechanism, it works in a "best effort" to deliver basis. So I will not be sending any urgent information by email

Close sites off by default

[Enlarged to Show Tex]

We talk about shutting down any unnecessary services and closing ports down by default in operating systems and firewalls. Why wouldn't one want to do the same with Web browsing? Lock down (or lock out) anything that can cause harm to corporate systems, and then open up things only as required. Not only does it improve productivity, it also improves security at the same time...

because

[everphilski]

Because some of us don't spend the $5-$10 to go out to lunch ( I pack a lunch, saves money, healthier, etc), and prefer to spend our lunch hour checking the news online? Sure, during business hours while working that makes sense, maybe, but during my breaks and lunch (both of which I'm free to take when I want) I like to go online and do stuff. So that becomes problematic. Honestly the solution is education. Having good enough resources on the local network so that your users don't have to use gmail or a ftp site is key, and making sure they know how to use them.

You can say tough shit, and I'd agree, employer has that right. But then I'd counter by saying I'd probably be keeping an eye open for a new employer :)

Then go online in your own computer.

[jotaeleemeese]

The sense of entitlement that some people show around here is staggering.

You may want to go online on your office computer. Well I am even pickier, I want blonde masseuses at my disposal for my lunch break, as well as the massages provided in rooms with plasma TVs and free drinks.

The sky is the limit to what employees think they should be entitled to do with company's resources....

Re:

[dm0527]

Regardless of whether or not an employee feels "entitled" to these types of "perks", things like casual Internet access and access to personal email are quickly becoming ubiquitous. If an employer doesn't offer these types of "perks" soon, they'll be looking to SOS for temps to fill the spots of employees who have gone elsewhere. Comparing email access to having personal masseuses is a little bit of a stretch too - I have worked at several jobs where IM/Email was my only contact with my family because I w

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[everphilski]

The sense of entitlement that some people show around here is staggering.

Dude. Did you even read my post? I said,

"You can say tough shit, and I'd agree, employer has that right."

It is their resource. However, education tends to work better than locking people away from useful resources (I'm an engineer ... the internet is a great resource for work, I'd be very less productive without it). And its a nice perk.

Well I am even pickier, I want blonde masseuses at my disposal for my lunch break, as well

Re:

[Torvaun]

If I might ask, which ISP in Wisconsin? I'm currently looking to exit from the hole of misery that provides my paycheck, and an ISP sounds fairly decent.

Re:

[everphilski]

NetwurX out in Hartford. I worked there from 1997-2000 until I left for college in (insert expletive here) alabama :P I was so homesick for the Midwest for the longest time. Cheese, bratwurst and the Packers, man no on down here understands :) Wife and I still talk about moving back from time to tiem but I can't get a job in my line of work.

But it is all good ...

Re:

[Torvaun]

I'm confused as to why someone would travel to Alabama for college. Especially from Wisconsin. No offense, but when I think Alabama, inbreeding comes to mind way before education. Of course, a Wisconsinite wouldn't be part of that.

Re:

[everphilski]

Univerisity of Alabama - Huntsville [uah.edu] in Huntsville, AL [wikipedia.org]; the birthplace of our space program and home to Redstone Arsenal / Marshall Space Flight Center (where I now work). I wanted to go to school for Aerospace Engineering. Once you start looking for the 'good schools', you really narrow down to just a couple, and this honestly is one of them. Purdue is another good one but huge, Embry-Riddle is good but they tend to focus more on flight and I liked space more. They offered me the best scholarship (I applied

Re:

[Torvaun]

Fair enough. I didn't think of Huntsville. You mentioned working in an ISP, so I made the leap to going to college for a more directly computer related degree. I was imagining a school is Cambridge, or possibly one of the California schools. Wisconsin has some good schools for that too, of course.

Re:

[everphilski]

Yeah, had I stuck with CS or gone more of a mechanical engineering I'd have gone UW-Madison ... I have a few friends who went through the UW system, one at MATC, but although UW has a mechanical engineering department they don't get into the aerospace-y stuff. I love computers but I see them more as a means to an end than the end themselves. I have the best of both worlds nowadays, I write computer simulations in c++/FORTRAN (ugh), so I get to do both.

so where exactly are you in the great state of cheese

Re:

[Torvaun]

Stevens Point, about as close to the center of the state as you can get. Due to my general slacking during high school, the UW system was unconvinced that I should be a student. I got a degree in Computer Electronics from Mid-State Tech, and am currently working on getting a startup going. The sooner, the better, or I may end up killing some of my current coworkers.

Re:

[everphilski]

good luck! NetwurX was a startup when I joined (about 6 months fresh, we worked out of the owners' basement) ... its fun but a lot of work.

Re:

[TemporalBeing]

We talk about shutting down any unnecessary services and closing ports down by default in operating systems and firewalls. Why wouldn't one want to do the same with Web browsing? Lock down (or lock out) anything that can cause harm to corporate systems, and then open up things only as required. Not only does it improve productivity, it also improves security at the same time...

And then you can also kill productivity by (a) not allowing people to communicate in the ways their job requires, or (b) not allow

Ideal situation?

[oahazmatt]

People do use private accounts to store work information

And companies with information that is valuable to other companies should enforce regulations opposing this.

I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal.

It's less than optimal to fix the mail server?

In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point.

Really? My company does that. My training materials aren't allowed to leave the building.

The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included

If they share corporate information through Facebook, do you need that employee?

Re:

[hesaigo999ca]

Actually, I had to relate to a user lately that had a problem with a self imposed limit the company placed on her email account, 3mb... for attachments, however a pdf containing info that needed to get to a client of hers was neccessary to get out asap for a shipment in waiting. Hence i suggested that she send it to her hotmail account from her hotmail account then forward it through to who ever she wanted, from there she was able to get the sipment through.

I did not think anything of it at the time, but fe

Re:

[oahazmatt]

My comment wasn't to necessarily single out anyone as the "bad guy".

My company as a limit on e-mail stored on the Exchange server, between 50-200 Mb depending on your position within the company. Our solution to that is to use PST files if you need to exceed your given amount.

The fact is, if the company has data that can be compromised by introducing it through outside services, after the situation has been evaluated and it has bee decided that making changes to the network is not ideal, policy should be in

Re:

[hesaigo999ca]

Don't take what i said to heart, I know I am not really the bad guy in this, but based on the company's policy where I was working at, their regulations would have meant I am a bad guy for trying to bypass email limitations by using hotmail etc...

No offense taken either, you can flamebait me or troll me all you want on slashdot, seems
tempers too hot and feelings are too sensitive here...we are all expressing our point of views!

    : )

alarming but who cares

[akasch]

well that sucks - gmail is the best free email service by far, offering real forwarding and POP/SMTP access, you can use it for anything come to think of it all my info is fake on my gmail accounts so who cares

Re:

[devon.cassidy]

GMail is also doing yourdomain.com hosting. An organization I belong to has been using it for a year or so and it's great. Everybody gets a GMail account that they can use on the road and they can use it with Outlook in the office. Works beautifully, but if Google doesn't fix problems like this I can imagine few companies would want to use it.

The webmail conundrum...

[Spy der Mann]

I think the optimal solution would be a client which does not run scripts *AT ALL*. i.e. to read your mail, you need to d/l this software. But that defeats the purpose of having WEB mail accounts, doesn't it?

That's the conundrum.

Perhaps a solution would be to alter the HTML spec, in that you could include a specific file (a-la XMLHTTPRequest) and render it as html, but disabling all scripting inside that piece of html.

Or can it be done with existing technologies?

Re:

[betterunixthanunix]

"Or can it be done with existing technologies?"

Yes: Don't use Javascript to send HTTP requests. Just like we had to tell everyone not to use SSI's because of vulnerabilities created by those, we should stop using Javascript to send HTTP requests. If you can demonstrate a real need for a web page that sends HTTP requests in the background, I can demonstrate a real applet that does the job with fewer security risks. There were webmail interfaces a long time before XMLHTTPRequest was invented, and they w

Always GMail

[bostons1337]

Why is it that we always see these exploits with GMail? I can't even remember the last time a Yahoo Mail or Hotmail, etc. exploit came out. There about equally popular among the public.

Astroturfers aren't motivated

[Xtifr]

Spreading FUD about Google is something that MS is highly motivated to do. Spreading FUD about Yahoo! or MS's own Hotmail system is not.

That said, I'm not sure you're correct. I seem to recall a Yahoo! Mail exploit being publicized fairly recently. As for Hotmail, I'm not sure, but I suspect that it's a generic enough system that any exploits found are interesting as generic exploits more than as Hotmail-specific.

Yet another "we hate Gmail article"?

[SplatMan_DK]

With all respect, why continue this crusade against Google/Gmail?

Sure, they are a key player in the market, but so is Yahoo, Hotmail, and a number of others.

From a technical perspective, cross-site scripting (XSS) vulnerabilities isn't exactly a new thing. Nor are they isolated to Gmail.

The article is not wrong - so I am not attempting to protect Google. On the other hand, this problem is fairly general in nature, and probably applicable to a ton of websites. In fact, the "cookie grabbing technique" is one of the oldest tricks in the areas of XSS.

With this in mind, the article (and in general the constant rampage against Google) seems ... a tiny bit one-sided. Not only is that unfair for Google (I am not a stockholder, so I will survive) but it also takes away the focus from the real issue: XSS is a big deal, and has do be dealt with. By everybody ... not just by Google.

:-)

- Jesper

Re:

[El Lobo]

Why focuse on GMail? Well, for the same reasson hacers and all focuse on Windows: because it's populariy. If GMail keeps on gaining popularity you will see more on this. I mean, why try to hack ObscureMail if you can get access to MILLIONS of accounts hacking GMail? Why hack some ObscureLinuzzz or MakOZ if you can get access to milliard of computesr with one Windows exploit? The best security IS obscurity (and impopularity, may I add) no matter what some people say.

Re:Yet another "we hate Gmail article"?

[SplatMan_DK]

why try to hack ObscureMail if you can get access to MILLIONS of accounts hacking GMail?

You don't think sites such as Amazon, Hotmail, Yahoo Groups, e-Bay, LinkedIn, Facebook, MySpace, YouTube, etc. would provide access to just as many accounts?

In fact, the total nightmare-scenario for the end-users (and the total wet-dream for XSS hackers) would be to gain access to an ad-server. Imagine the XSS hacks you could do if you managed to compromise a DoubleClick server? Millions of users could be targeted, across thousands of sites where your compromised ad-server would even be white-listed for all sorts of crap? In that case, the popularity of the sites themselves would be of no consequence. As long as it displayed ads from your compromised server.

Hmmm... come to think of it, that is a pretty clever idea. I just might wanna take a look at the scripting used in streaming video ads ...

;-)

- Jesper

Re:

[El Lobo]

Yes, that's precisely my point: E-bay was hacked last week, Amazon has been hacked many times. HotMail has been DOSed several times, and Yahoo too. GMail is now pretty popular, so expect more of this to come.

Re:

[SplatMan_DK]

Politely: e-bay was not hacked last week. It turned out to be a hoax. :-)

httponly

[Spy der Mann]

In fact, the "cookie grabbing technique" is one of the oldest tricks in the areas of XSS.

... and this is the reason why the "httponly" cookie extension [microsoft.com] was created. Firefox 3 will support it [securiteam.com], and I already modified my PHP framework to use this for the session cookies.

Re:

[Monkier]

"httponly" is very interesting - didn't know about that. how often do you want to play with your session cookie in script? i've definitely never needed to!

tho this isn't actually about cookies, from the actual article [gnucitizen.org] - it's google allowing a form submitted from an 'evil' website to set-up a 'forwarding rule'. they call it a "Cross-site request forgery".

Re:

[mattgreen]

I'm not sure where you're seeing Google/Gmail hate in the article. I see criticism of GMail, but that comes with the territory. Many regard them as the top webmail provider in terms of quality, so they should be held to a higher level of scrutiny as a result.

Security vulnerabilities in web-based services as common as email are extremely dangerous and do not deserve to be glossed over just because they are using old tricks. If they really are as common you imply, then I'm quite disappointed in GMail for not

Re:

[SplatMan_DK]

I think we both generally feel the same about these issues.

My point is, that by constantly picking on GMail, the world will translate this into a "GMail problem". Only it isn't. It is just as big a problem for Amazon, e-bay, Hotmail, Yahoo, LinkedIn, .... and any other website.

I am not out to protect Google. If they screwed up, they deserve a little spanking. But it is important that we don't think of this as a "GMail problem", and ignore the threat for all non-Google websites.

Agree?

- Jesper

Re:

[mattgreen]

Certainly. XSS is the web's buffer overflow vulnerability - extremely common, yet I don't see a whole lot of people that are really scared enough to learn how to mitigate it. Old habits die hard, I suppose.

Re:

[Niten]

From a technical perspective, cross-site scripting (XSS) vulnerabilities isn't exactly a new thing. Nor are they isolated to Gmail.

From what I gather about this exploit (and contrary to what the CNET article has to say about it) this is actually a cross-site reference forgery (CSRF) attack rather than XSS. The attack takes advantage of the fact that a malicious Web site's clients may have persistent GMail cookies in their web browsers: The attacking site directs the victim's web browser, (possibly, but not necessarily) using JavaScript, to make a POST request to GMail which creates a mail filter to copy all messages to an email addr

Javascript needs a sandbox/security model

[MobyDisk]

I can open HTML email in a standalone application (Thunderbird, Eudora, whatever) with very little concern about someone getting my login information. That's because there is an implicit barrier between the application state and the HTML page. But it is more difficult with web-based email: If you display HTML messages, then they are being displayed on the same page that has access to your login credentials.

It seems to me that the most foolproof solution is to display the HTML email inside a sandbox that does not have access to the cookies (or any other part) of the enclosing page. There may be some way(s) to do this with browsers as they are today, but it seems like ultimately, such a sandbox should be designed-in to HTML and/or Javascript. Something like a chroot command.

This would eliminate the constant cat & mouse game of scrubbing the HTML for something dangerous, then a new HTML/browser feature being used to get around it, etc.

Re:Javascript needs a sandbox/security model

[Bluesman]

Javascript does have a sandbox security model based on the domain name of the javsacript/html source.

Displaying the html mail in its own internal frame that pulls from a different domain name than the rest of the application should solve the problem you're referring to. Something like mail.googlecontent.com would work nicely.

Re:

[betterunixthanunix]

Hmm...it would be like...writing a small piece of code, that had some sort of SecurityManager object, and had to get user approval to do anything other than display data and communicate with the web server it came from...

You seeing the point? We already have technologies that do all that, but because the first attempt was bad, people just lost interest and moved on. What we should have done was improve applets, not go and copy XMLHTTPRequest from Microsoft.

Re:

[nwbvt]

From what I can tell (this article isn't very good, the fact that they think that only in an ideal world would employers prohibit employees from putting confidential information on facebook worries me greatly), this is a type 1 XSS vulnerability, meaning it is not caused by javascript in the email itself being executed. Rather it would probably involve a request parameter which could include html being written directly to the page. This can cause problems if a user is tricked into clicking a link that emb

Insecure by Default

[Anonymous Coward]

Ummm - isn't this what /. always says about Microsoft?

Trusting Google with you data is like playing Russian Roulette with an Automatic pistol, bad things will happen to your data

Google says it is so easy to keep all your information online - and it is - where they can search it

Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)

But hey, they use Linux, so I guess it is ok

Re:

[quintessentialk]

What is wrong with a company being interested in profits? If, as you say, they are ignoring 'user rights' -- an illusory concept if ever there was one -- then the market will correct the problem and some other company will make those profits. It sounds like your frustration is more with the economic system than the products and services...

Re:Insecure by Default

[pushing-robot]

Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)

This is a XSS browser exploit, which basically means that one site you're visiting can talk to other sites you're logged into. It's not Google's fault; nothing is breaking in to their servers, it's just malicious code running on your computer hijacking the connection you made to Google. It's your browser's fault for not sandboxing sites properly.

Or to use an real-world analogy, it's like blaming Google because you forgot to log out at an internet cafe and then somebody else sat down and read your email.

Re:

[Beryllium Sphere(tm)]

It's a CSRF, not XSS: XSS would mean a bug in Google's code, CSRF simply means they didn't take the additional security measure of putting a nonce into the form.

Another reason to use NoScript

[GroundBounce]

If this is really a cross-site scripting vulnerability, NoScript [noscript.net] might help protect against it (if you're using FireFox).

Re:

[IonOtter]

I'll second and confirm this.

I've had NoScript on my machine for almost a year now, and it's been getting better and better every month, especially now that they've included NoXSS. I've seen the XSS warning mostly on "news" sites, such as FoxNews, CNN and various big-name newspapers, and every time I saw it, NoScript had nixed it.

I've seen the XSS warning in Gmail three times in all, always when clicking on a spam email, and each time it was stopped cold. I didn't dig too deep into it, but not long afterw

A good reason to use NoScript and Firefox

[Lazarus_Bitmap]

NoScript should prevent this exploit. It can be annoying to have to constantly give permission to sites to allow scripting, but it beats being hacked.

I'm also wondering if running Gmail over SSL would make any difference...

Avoidable?

[Urban Garlic]

TFA (Yes, I'm new here...) says that it takes over the cookie to allow the attacker access to the GMail box for two years.

But what if you tell both the browser and GMail not to remember your password? I make that a policy with most web sites I use, mostly to protect me if someone steals my laptop -- no password bypass mechanisms allowed, no passwords stored in clear text allowed.

Does that make you safe against this attack also?

Re:

[PlusFiveTroll]

No. The cookies are stolen upon transfer. You need to transfer your login data and save a cookie to receive the subsequent responses (viewing more then one message).

Webamil for insecure, POP for secure

[pembo13]

Luckily for me, I only use GMails webmail interface for my mailing lists, which any and all attackers are free to have. My personal account comes via encrypted POP. Thanks to Gmail for that option.

Because gmail is better

[quintessentialk]

I'll second the comment that this shouldn't suprise anyone. Where I work there are laws which require proper security, but in most other places I've been gmail was used widely. This is because 1. Gmail was more reliable than the 'official' email system 2. The search feature in gmail was way faster and smarter than the 'official' email system (e.g. outlook; squirrelmail) 3. The 'keep everything/multiple tags' model of gmail was less onerous than the maintenance the company expected (e.g.: keep your mailbox under a certain size; manually roate things to local storage; sort things by some directory system you'll probably be confused by when you look at it a year later...) What I'd like to see is more people using those intranet-sized google search and email servers I hear about. I hate my company's crappy intranet search engine, and the only thing good about outlook is its meeting-scheduling system. Using google technology, but on a company-controlled server, would seem the best of both worlds. But... I'm not an IT person. Maybe this would be horrible.

Re:

[nwbvt]

Any company which doesn't have a policy requiring secure email for things like company confidential information is very troubling. And while I could be wrong, I believe any publicly traded company is going to have to be required to go through at least some security.

On a different subject, regarding intranet searches, moving to Google wouldn't necessarily bring that much of a difference. I am not familiar with their intranet search capabilities, but searching a small, private network is very different f

Re:

[quintessentialk]

That's a good point. There wouldn't be much cross linking. It just seems like there must be something better than most of the intranet/site-local search engines I've seen. Even if 'pagerank' won't work in the usual sense, one could still do some of the word clustering google does, and reduce the need to 'guess the right search terms and spell them perfectly.' Our current system feels like one of those early computer-based library catalogs (you know, back when they were slower and less efficient than physica

Anyone not using PGP?

[Opportunist]

Anyone not using and requiring at the very least PGP for their GMail box? Or getting "private" mails to it (or sending from it)?

When you look at my GMail boxes, you'd probably get a very strange picture of me...

Generation X, not Y

[Burz]

The leading edge of generation Y are just starting to graduate from college. The demographic the summary refers to is probably the last half of Gen-X (the youngest of which are in their mid-20s). If anything, it is the Gen-Xers that have a more naive/trusting mentality toward IT and the web overall. We grew up with an Internet that had relatively scarce criminal activity.

Anyway... If you want to avoid browser vulnerabilities with GMail, simply use their free POP3 access (make sure SSL is enabled).

I have a GMail account and I have NEVER exposed it

[crovira]

never used it, never send the email address to ANYONE from there, but every day, there's spam in there.

I'd say, "Yeah there's a security hole in there..."

Re:

[oahazmatt]

never used it, never send the email address to ANYONE from there, but every day, there's spam in there.

I'd say, "Yeah there's a security hole in there..."

I've had my GMail account from back in the early days, use it as my primary e-mail address, use it to register on many sites, some of which I know are not entirely secure, and have never had a piece of spam.

Just a counter-point.

so, until Google does get this fixed...

[museumpeace]

the "problem" of only being able to be logged into one Gmail account at at time [and all the googledocs and blogging features bound to the google identity cookie] becomes a lame and slight advantage: Give yourself a junk google Identity...that is easy these days since no priming based on a prior email acct is needed. Do your business with trusted sites using your "good" identity...the one with 8000 emails containing your life story and your companies proprietary info. For general surfing [you don't do bot

the problem of only being logged into 1 gmail

[ClioCJS]

is easily fixed by using FireFox, IE, and Flock. I can be logged in under 3 different gmails that way. And if you use the IETab firefox plugin, you can have two gmail accounts on tabs right next to each other :)

(I'm just sayin'...)

Re:

[nwbvt]

I have a better idea. Don't store your company's proprietary information on gmail. And if you own such a company, promptly fire any employee who does so.

Seriously, I hope none of you who are actually doing this work at my company, or any company that handles my private information.

Accounts

[Wowsers]

Like most people I have a webmail account, but I use it for "junk" like website sign-ups, so if something messes up, I don't lose valuable data. Domain names and hosting is so cheap these days, you could use your own address for important emails, or your own ISP's account.

I never have understood the fascination people have with webmail, same sort of thing using a website to access Usenet and calling it proper Usenet - which it isn't.

Physician, heal thyself!

[6Yankee]

"This, just a few days after the discovery of a search-based exploit was discovered."

Woo-hoo, meta-discovery! Oh wait - no, it's just Zonk screwing up.

Not XSS

[requeth]

You dont need to use cross site scripting, it sends the user's entire email list, telephone numbers, alt emails, etc right after login for the googletalk applet. Run a packet dump, they turn off the encryption and then send all of the private data (negating userid/password). I sent in two support tickets on this in January but only received the generic autoreplies. To keep up with security news find a local hacker group.

Much More Informative Article Here

[Giorgio Maone]

It explains how the exploit works, how developers would/should avoid it and how users could protect themselves: http://hackademix.net/2007/09/26/gmail_csrf/ [hackademix.net]

A link to the ACTUAL article - and some FACTS!

[Monkier]

Google GMail E-mail Hijack Technique [gnucitizen.org]

Some interesting points

• nothing to do with cookies - it is google not correctly validating a form submitted from an 'evil' website
• nothing to do with XSS - the ARTICLE calls it "Cross-site request forgery".

Re:

[Petaris]

And according to that site Google already fixed the issue.

I promised to release the POC as soon as Google fix it, well they did. So, here is how it works:...

Plain text emails

[Petaris]

Most of my emails are plain text, with no links in them or very few. On top of this they are all from people or organizations I know, if I don't recognize it I don't open it. If I think its SPAM or suspicious I use the handy "Report Spam" button. TFA even says that disabling java-script solves the security issue and if you use Firefox you can use extensions like no-script (as I believe was mentioned in another post here).

It seems pretty unfair to lay this only on Google's shoulders as XSS has been arou