antioco2003 (Master Googler)
Joined: 08 Jul 2004
Posted: Fri Oct 29, 2004 11:46 pm    Post subject: Security hole found in Gmail
So you've got a Gmail mail account? Or maybe you've just received an invitation? Well, we have some bad news for you: your mailbox is exposed. A major security hole in Google's mail service allows full access to user accounts without the need for a password.
"Everything could get publicly exposed: your received mails might be readable, as well as all of your sent mail, and furthermore anyone could send and receive mail under your name", reveals Nir Goldshlagger, an Israeli hacker, in an exclusive interview with Nana NetLife Magazine. "Even more alarming", he explains, "is the fact that the hack itself is quite simple. All that is needed of the malicious hacker, besides knowledge of the specific technique, is quite basic computer knowledge and the victim's username, and that's it, he's inside."
When approached, Google admitted to the security flaw. Google also assured us that the matter is being resolved, and that "the company will go to any length to protect its users".
The flaw, which was discovered by Goldshlagger and tested many times by Nana's editorial board, had shown an alarming success rate. In order not to further jeopardize mailbox owners, we will only disclose that the process is based upon a security breach in the service's identity authentication. It allows the hacker to "snatch" the victim's cookie file (a file planted on the victim's computer and used to identify him) using a seemingly innocent link (which points to Gmail's site itself). Once stolen, this cookie file allows the hacker to identify himself as the victim, without the need for a password. Even if the victim changes his password afterwards, it will be to no avail. "The system authenticates the hacker as the victim using the stolen cookie file, so no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won't stop the hacker from using his box", explains Goldshlagger.
Whether hackers have already used this method to compromise users' accounts is unclear at the moment.
Matters are several times worse when it comes to a service such as Gmail. Besides the obvious blow to Google's seemingly spotless image, we're looking at a major threat to anyone who has turned to Gmail as his main email box. "Because Gmail offers a gigabyte of storage, several times more than most other web-based mail services, users hardly delete any old correspondence", says Goldshlagger. "The result is a huge amount of mail accumulating in users' boxes, which frequently includes bank notices, passwords, private documents and other files the user wanted to back up. Whoever takes hold of this data could literally take over the victim's life and identity."
Ofer Elzam, a security expert for "Aladdin", who examined the security hole at Nana NetLife's request, explains: "This is a major threat, for the following reasons: first, the users have no way of protecting themselves; second, it's quite easy to carry out; and third, it allows identity theft, which is nothing less than a serious danger to the victim."
"On the bright side", he adds, "it's a good thing that this hole was found now, before the service was officially announced and offered to millions of users worldwide. I reckon it's just a matter of time before an automatic tool is made which would allow even less computer-savvy people to exploit this hack. The damage, needless to say, could be huge."
Is there a way, after all, to protect ourselves in the face of this danger? Elzam does not bear good news on the matter. "The only immediate solution that comes to mind is not using Gmail to store any messages or files that might be maliciously used, at least until Google attends to this problem."
Source: http://net.nana.co.il/Article/?ArticleID=155025&sid=10

tokkolo (One thousand five hundred)
Joined: 13 Jul 2004, Location: The Netherlands
Posted: Sat Oct 30, 2004 12:29 am
Jaiks!
I'm so glad that I don't have any important information in my Gmail account. Nobody but me can do anything with the information I have in my inbox.
This is a serious security hole, especially if you store sensitive information in your inbox!
Jaiks again!

zirias (Noogle)
Joined: 24 Oct 2004, Location: Germany
Posted: Sat Oct 30, 2004 1:58 am
Full disclosure would be much better ...
But it just sounds like Google made the same mistake that GMX made before: they don't derefer links. So it would be a good idea not to click on any links in emails received via Gmail and only copy & paste links received from trustworthy persons. If I got that right, there is no risk for you when you never click on links in your emails.
Google should change its code so that cookies also depend on the user's password, and should rewrite links so that they point to another script that cleans the environment (no referers, no cookies, ...) and then redirects to the original link.
Shocking that very similar mistakes are made again and again.
Greets, Felix
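The article in the first post describes the core problem: the cookie alone proves identity, so a stolen cookie stays valid even after the victim changes their password. Felix's suggestion above is that the cookie should also depend on the user's password. The block below is an added illustration written for this thread, not Google's code and not how Gmail actually worked: it models a hypothetical web service whose session cookies are HMAC-signed and carry a "credential version" counter that is bumped on every password change, so a cookie issued before the change is rejected. A deliberately weaker verifier that checks only the signature is included to show the behaviour the article describes, where a password change does not help the victim. All names, keys and users are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side signing key; a real deployment loads this from a key store.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_MAX_AGE = 24 * 3600  # seconds a cookie stays valid even with no password change


class UserStore:
    """Minimal in-memory user table (hypothetical). Each user carries a
    cred_version counter that every password change increments."""

    def __init__(self):
        self.users = {}

    def add_user(self, username, password):
        if "|" in username:
            raise ValueError("username may not contain the cookie field separator")
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "cred_version": 1,
        }

    def check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        return hmac.compare_digest(candidate, user["pw_hash"])

    def change_password(self, username, new_password):
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), user["salt"], 100_000)
        # Bumping the version is what invalidates every cookie minted before this point.
        user["cred_version"] += 1


def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(store, username, now=None):
    """Mint a session cookie bound to the user's current credential version."""
    now = int(time.time() if now is None else now)
    version = store.users[username]["cred_version"]
    payload = f"{username}|{version}|{now}|{secrets.token_hex(8)}"
    return f"{payload}|{_sign(payload)}"


def _parse(cookie):
    try:
        username, version, issued, nonce, tag = cookie.split("|")
        return username, int(version), int(issued), nonce, tag
    except ValueError:
        return None


def verify_cookie_legacy(store, cookie):
    """Weak model of the flaw in the article: a validly signed cookie is
    accepted for as long as the user exists, regardless of password changes."""
    parsed = _parse(cookie)
    if parsed is None:
        return None
    username, version, issued, nonce, tag = parsed
    if not hmac.compare_digest(tag, _sign(f"{username}|{version}|{issued}|{nonce}")):
        return None
    return username if username in store.users else None


def verify_cookie(store, cookie, now=None, max_age=COOKIE_MAX_AGE):
    """Hardened verifier: signature, credential version and age must all check out."""
    now = int(time.time() if now is None else now)
    parsed = _parse(cookie)
    if parsed is None:
        return None
    username, version, issued, nonce, tag = parsed
    if not hmac.compare_digest(tag, _sign(f"{username}|{version}|{issued}|{nonce}")):
        return None  # forged or tampered cookie
    user = store.users.get(username)
    if user is None or user["cred_version"] != version:
        return None  # password changed since this cookie was issued
    if now - issued > max_age or issued > now:
        return None  # expired (or clock skew beyond tolerance)
    return username


def demo():
    """Returns (legacy_result, hardened_result) for a stolen cookie after a password change."""
    store = UserStore()
    store.add_user("alice", "old-password")
    stolen = issue_cookie(store, "alice", now=1_000)
    store.change_password("alice", "new-password")
    return verify_cookie_legacy(store, stolen), verify_cookie(store, stolen, now=1_000)


if __name__ == "__main__":
    print(demo())  # ('alice', None): legacy still accepts it, hardened rejects it
```

The design choice worth noting is that invalidation needs no per-session server state: the verifier only compares the version baked into the cookie with the one stored on the user record, so a password change logs out every device at once. The signature is checked before any user lookup so that a forged cookie cannot even probe which usernames exist.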

microdude431 (Eric is a no0b)
Joined: 04 Sep 2004, Location: United States
Posted: Sat Oct 30, 2004 7:50 am
Glad I don't have any important info in my Gmail account(s).

broken (Elite Googler)
Joined: 21 Jul 2004, Location: England
Posted: Sat Oct 30, 2004 9:57 am
I hope they get that sorted soon. Luckily I don't have any important stuff in my mailbox.

microdude431 (Eric is a no0b)
Joined: 04 Sep 2004, Location: United States
Posted: Sat Oct 30, 2004 9:58 am
Maybe Google will give extra invites now!

zirias (Noogle)
Joined: 24 Oct 2004, Location: Germany
Posted: Sat Oct 30, 2004 11:37 am
It's irrelevant whether you think your mailbox is important or not. What really matters is: have you ever clicked on links sent to your Gmail account? I think you're fine if not.
Greets, Felix

nazgulking929 (Noogle)
Joined: 23 Sep 2004, Location: PPFFFFT! You'll need a location finding machine to know that!

zirias (Noogle)
Joined: 24 Oct 2004, Location: Germany
Posted: Sun Oct 31, 2004 1:08 am
[1983-02-01] first "me, too" posting
really a milestone in usenet history
*scnr*, Felix

Ashley (Master Googler)
Joined: 10 Aug 2004, Location: Europe
Posted: Sun Oct 31, 2004 5:01 am
Yikes! I click links in my email! No offense to anyone who says they don't keep anything important in their mailbox; Antioco said that it allows hackers to send mail from your account too! They could get you in big trouble!

Randy (Former Moderator)
Joined: 17 Jun 2004
Posted: Sun Oct 31, 2004 7:17 am
Well, if you registered to this forum then you have important info in your email. Think: every time you register for something your password gets sent to your inbox...

tokkolo (One thousand five hundred)
Joined: 13 Jul 2004, Location: The Netherlands
Posted: Sun Oct 31, 2004 9:06 am
randy wrote:
> Well, if you registered to this forum then you have important info in your email. Think: every time you register for something your password gets sent to your inbox...

Yes, that is why I _don't_ let any passwords be sent to my Gmail account. Gmail is still beta, and these things can happen. I still use my old Yahoo account for registration for forums and things.

Ashley (Master Googler)
Joined: 10 Aug 2004, Location: Europe
Posted: Sun Oct 31, 2004 9:45 am
I don't; I use Gmail for everything. Maybe I should be more cautious, then again, I don't have anything to hide...

tokkolo (One thousand five hundred)
Joined: 13 Jul 2004, Location: The Netherlands
Posted: Sun Oct 31, 2004 12:32 pm    Post subject: Re: Security hole found in Gmail
Quote:
> Google plugs hole exposing Gmail mail-boxes
> By Joris Evers
> Google Inc. has fixed a security flaw in its Gmail Web-based e-mail service that allowed attackers to hijack users' e-mail accounts. "Google was recently alerted to a potential security vulnerability affecting the Gmail service. We have since fixed this vulnerability, and all current and future Gmail users are protected," Google spokesman Nathan Tyler said.
> Tyler declined to discuss the nature of the problem, but a source close to Google confirmed that the flaw allowed an attacker to gain complete control over a user's account.
> The problem was in the way Gmail authenticated users. An attacker could steal a so-called cookie file identifying the user by making use of a seemingly innocent link to Google's own Web site, according to a report on the Web site of the Israeli publication Nana NetLife Magazine on Thursday.
> The cookie allowed an attacker to sign on to Gmail as the victim from any computer without having to enter a password. The attacker would continue to be able to access the Gmail account even if the password were changed, according to Nana NetLife, which cited an Israeli hacker named Nir Goldshlagger.
> An investigation by Google found that only a handful of Gmail users were victimized, the source close to the Mountain View, California-based company said.
> Google announced Gmail in April, grabbing headlines because of the massive 1G-byte storage space provided with a Gmail account. The service is still officially in beta testing and Internet users can only get accounts after receiving an invitation from a current user. Google does not disclose how many Gmail accounts it hosts.
> Posted October 31, 2004 04:45 PM

Source: http://www.thestandard.com