Teenage Blogger Finds Gmail Hole

Posted by Zonk on Thu Mar 02, 2006 01:52 PM
from the not-what-i-was-doing-at-14 dept.
cpm80 wrote to mention the news that a 14 year old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."
  • by Osrin (599427) * on Thursday March 02 2006, @01:54PM (#14836659) Homepage
    Something happened, he is not sure what, and now nobody can replicate it.

    Stuff that matters huh?
  • Fixed (Score:5, Informative)

    by hetairoi (63927) on Thursday March 02 2006, @01:56PM (#14836680) Homepage
    SANS Internet Storm Center [sans.org] says it's fixed. Seems pretty silly.

  • This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.
    • This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.

      If this was a security expert or professional programmer or the like, I'd agree. But he's 14! Teenagers nowadays can barely open a door without first blogging about the experience. He saw something, he said he saw something. Now he gets a little recognition, Google fixes it and everyone goes home happy.
        • Hmm, on September 10, 2001:

          The world is run by small-minded militaristic plutocrats with no concern for human life or the future of the planet who rule by intimidation and fear.

          On March 2, 2006:

          The world is run by small-minded militaristic plutocrats with no concern for human life or the future of the planet who rule by intimidation and fear.

          Brave New World, eh?
  • Not surprising (Score:4, Interesting)

    by Bogtha (906264) on Thursday March 02 2006, @02:06PM (#14836771)

    Google have shown repeatedly that they don't understand how to deal with Javascript securely. Example [jibbering.com].

  • by frovingslosh (582462) on Thursday March 02 2006, @02:09PM (#14836796)
    Unfortunately, I find I have problems with Gmail security the other way. Gmail blocks outbound attachments with exe files, even when those files are included inside zip files. I write programs and occasionally have to e-mail a client a change. Yet, unless I want to try to get my low-tech users to use more tools to help me sneak something past the Gmail filtering, I have to use a second e-mail account when I want to send out EXE files.

    I'm all for Google not doing stupid things on their web interface, but I don't think they should be encouraged to be even more aggressive and invasive as to what we send and receive in our e-mail. Claiming you are doing this for the users' protection just assumes that all of your users are idiots, and if you build a system that repeatedly makes that assumption then eventually all of your users will be idiots, as you will drive the others away.

    • Just change the extension. I routinely change the extension of zip files to 7z and tell my friends to either rename the extension or use 7zip.
    • by WebCowboy (196209) on Thursday March 02 2006, @02:57PM (#14837216)
      Gmail blocks outbound attachments with exe files, even when those files are included inside zip files.

      Google is RIGHT in doing such filtering, although perhaps they should make it clear to users up front on its filtering policies rather than waiting for them to discover it for themselves. Besides, even if outbound executable attachments are blocked how many corporate systems permit them inbound? My employer blocks inbound executables unless you're in certain departments, and the majority of our clients do as well. These systems are getting very smart too--they analyse the actual content of the file rather than the extension and even if you rename your .exe to .abc, ZIP it and rename the .zip extension .xyz our system will check the header content of the files' data and determine it is a ZIP, then extract the files inside to examine THEM if that is how you configure it.

      The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortunately it cannot always be avoided, but it should be wherever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication, THAT is the tool that professionals should use to send such files (that is what I do anyways).

      There are some cases where email is the most convenient, such as for non-executable documents (I avoid sending .docs since I consider them "executable"--I send PDFs instead), smaller files and so on. For dealing with more novice users I send an email with the link to the file to click, and for getting files from them I set up a simple HTTPS "gateway" with a file submission form. Just as simple as attachments (for the client anyways) and more secure.

      I don't think GMail and other mail systems need to be "fixed"...I think that people have to get out of the mindset of using email to exchange files. Use secure FTP or even HTTPS...or even better for big files use Bittorrent. It annoys me when people complain about limits on email attachments just like it annoys me when people use Excel to create "databases". At least learn to use MS Access dammit...it isn't THAT hard!
      • > email was not designed for file transfer and probably will never be the best tool for that purpose.

        But it's a pretty good tool for transferring small files. If you are worried about who the message comes from then only take attachments from cryptographically signed emails from senders you trust.
      • The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortunately it cannot always be avoided, but it should be wherever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication, THAT is the tool that professionals should use to send such file
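WebCowboy's description above (detect the real type from the file header rather than the extension, then look inside a ZIP at its members) is the kind of inbound-attachment check a mail gateway performs. The following is an added illustration written for this page, not code from Google or any mail system named in the thread; the signature table, the depth and size limits, and the sample archive (an executable stub nested inside a renamed ZIP inside another renamed ZIP) are all constructed here.

```python
import io
import zipfile

# Leading-byte signatures for the handful of types this example cares about (constructed table).
SIGNATURES = [
    (b"PK\x03\x04", "zip"),
    (b"MZ", "exe"),      # DOS/PE executable header
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
]
EXECUTABLE_TYPES = {"exe", "elf"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate huge members (zip-bomb guard)


def sniff_type(data):
    """Classify a blob by its leading bytes; the file name and extension are ignored entirely."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def find_executables(data, name="attachment", depth=0, max_depth=3, max_members=100):
    """Return the paths (outer/inner/...) of executable content, recursing into nested ZIPs.

    Renaming tool.exe to tool.abc, zipping it, and renaming the .zip to .xyz does not help
    the sender: every level is identified by content, not by name.
    """
    kind = sniff_type(data)
    if kind in EXECUTABLE_TYPES:
        return [f"{name} ({kind})"]
    if kind != "zip" or depth >= max_depth:
        return []
    found = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist()[:max_members]:
                if info.is_dir():
                    continue
                # file_size is the declared size; zipfile stops reading at it, so this caps memory use.
                if info.file_size > MAX_MEMBER_BYTES:
                    found.append(f"{name}/{info.filename} (oversized member, not inspected)")
                    continue
                member = zf.read(info.filename)
                found.extend(find_executables(member, f"{name}/{info.filename}",
                                              depth + 1, max_depth, max_members))
    except zipfile.BadZipFile:
        return [f"{name} (corrupt zip)"]
    return found


def _build_sample():
    """Constructed attachment: an EXE stub inside 'payload.abc' (really a ZIP) inside the outer ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("tool.exe", b"MZ\x90\x00" + b"\x00" * 60)   # fake PE header, constructed
        zf.writestr("readme.txt", b"plain text")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("payload.abc", inner.getvalue())   # nested ZIP carrying a misleading extension
        zf.writestr("notes.pdf", b"%PDF-1.4 constructed stub")
    return outer.getvalue()


SAMPLE_ATTACHMENT = _build_sample()   # imagine it arrived named "update.xyz"

if __name__ == "__main__":
    print(sniff_type(SAMPLE_ATTACHMENT))                          # zip
    print(find_executables(SAMPLE_ATTACHMENT, "update.xyz"))      # ['update.xyz/payload.abc/tool.exe (exe)']
```

The depth and member limits matter as much as the signature table: an inspector that recurses without bounds is itself a denial-of-service target, which is the usual reason gateways refuse rather than inspect archives that exceed their limits.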

    • Rename the extension of the ZIP file to .Z instead of .ZIP. GMail passes it right through, and WinZip (as well as many other Windows-based tools) will still see it as a ZIP file and give it the correct icon, minimizing confusion on the part of users.
      • Gmail's is the intended behavior. Use FTP for EXEs, or even CDs.

        No.

        Why don't you stop telling people how to use their computers. I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.

          • Or Outlook. Or several other capable email programs. Essentially, your suggestion is that general security should be sacrificed because lazy people sometimes want to send executable files? That's weak, friend.

            Sometimes they want to send zip files with .exe files in them, too, but you can't do that either. If I want to just dash a zip file with an installer (or just a program that doesn't require installation, just unpacking) off to someone, I have to rename the zip file extension, and then they have t

  • by smooth wombat (796938) on Thursday March 02 2006, @02:26PM (#14836938) Homepage Journal
    were good at finding holes to exploit. Any hole.

    Er, wait. Scratch that. I'm thinking of something else.
  • Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed.

    Can these same blog visitors please examine and fix my slow computer network?
  • by geobeck (924637) on Thursday March 02 2006, @02:36PM (#14837020) Homepage

    Teenage Computer Geek Finds Hole

    Girlfriend says "Finally!"

  • If the kid was looking to better humanity, he probably would have reported the flaw to Google before blogging on it. He should read the RFPolicy [wikipedia.org] before he ends up being a scapegoat under someone's corporate bus. [google.com]
  • It is amusing that the ad at the top of the page while I read this showed the text:

    script type="text/javascript" language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"

    ...instead of the appropriate ad.

  • There is a bug in a piece of beta software??? That is unheard of.
  • by museumpeace (735109) on Thursday March 02 2006, @04:19PM (#14837869) Journal
    it certainly underscores a strength of web based applications: It was looking like a bug one morning but by afternoon, only fixed versions of the code were to be found. Centralized reloading of gmail's servers means everybody got the fix at the same time more or less. What would the timeline of such a security hole be if it occurred in Outlook? Eudora?
    • You're not dense, the article is...

      He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane...

      in *a* preview pane... what preview pane... where? Yahoo's preview pane? How is that google's problem?

      I'm totally confused...
    • It could be used for Cross-Site Scripting (XSS), for instance, meaning that someone could send you an email and collect information on you, or make you think you're on google, but really be on another site, etc.

      The preview pane is what you see before you read the message (when the list of messages is displayed - e.g. your Inbox).
    • I'm probably just very very dense, but ... out of the description, how is that a security hole?

      Basically - you don't want someone to be able to send you javascript that will execute when you read a message. It can allow the attacker far too much leeway (within the confines of your browser).

      Here's an (old) example [com.com] that affected Microsoft's hotmail service that gives you an idea of why you don't want javascript sent to you to execute.

      Less seriously - it makes it trivial for spammer to verify that someone i
      • Read the article.

        It says that when you send an email from gmail, the code is removed. When you send it from Yahoo, the code executes right in the gmail inbox preview. The fact that javascript from the email executes in the gmail inbox is the security hole - anybody can email javascript to you and it will execute without your permission.

        But anyway, the hole must be fixed, I can't reproduce the problem, either.
      • I guess if someone else's javascript ran while reading Gmail it would be a bad thing. With Gmail (DHTML) most of the headers and some content of your messages are loaded in your browser. Everything loaded in your browser is a part of DOM which javascript can copy, send or hide or I guess even change. Don't forget though since Google's javascript is also running we don't know for sure if it will let the other script run, crash the browser, slow everything right down or just do whatever it wants. Theoritic
        • No, the security hole is that gmail will execute javascript in e-mail. You can't assume that all clients on the web will filter out javascript before sending them gmail's way.
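The defense the thread keeps circling back to is that the webmail service, not the sending client, must strip active content from a message before rendering it in the reader's browser. The allowlist sanitizer below is an added example for this page, not Gmail's filter or any other real product's; the tag and attribute allowlists and the sample message (a script element, an inline event handler and a javascript: link) are constructed here to show what such a filter removes and what it lets through.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Elements removed together with everything inside them.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
# Tags allowed to reach the preview pane; anything else is unwrapped (tag dropped, text kept).
ALLOWED_TAGS = {"a", "b", "i", "u", "em", "strong", "p", "br", "div", "span",
                "ul", "ol", "li", "img", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_URL_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL


def _safe_url(value):
    """Reject javascript:, data: and similar schemes, including obfuscated spellings."""
    if value is None:
        return True
    # Browsers ignore tabs/newlines inside the scheme, so remove them before parsing.
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in SAFE_URL_SCHEMES


class MailSanitizer(HTMLParser):
    """Re-serialize untrusted HTML keeping only allowlisted tags, attributes and URL schemes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []       # audit trail: what was removed and why
        self._skip_depth = 0    # >0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            self.dropped.append(f"element:{tag}")
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"unwrapped:{tag}")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                       # onload, onerror, onclick, ...
                self.dropped.append(f"handler:{tag}.{name}")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
            elif name in ("href", "src") and not _safe_url(value):
                self.dropped.append(f"url:{tag}.{name}={value}")
            else:
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped, never passed raw


def sanitize_mail_html(html_body):
    """Return (safe_html, dropped_items) for an untrusted HTML message body."""
    p = MailSanitizer()
    p.feed(html_body)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample message, as the untrusted input from another provider would arrive.
SAMPLE_MESSAGE = (
    '<p>Hi, <b>see attached</b>.</p>'
    '<script>document.title = "owned"</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com/report">report</a>'
)

if __name__ == "__main__":
    safe, dropped = sanitize_mail_html(SAMPLE_MESSAGE)
    print(safe)      # <p>Hi, <b>see attached</b>.</p><img src="x"><a>click</a><a href="https://example.com/report">report</a>
    print(dropped)   # ['element:script', 'handler:img.onerror', 'url:a.href=javascript:alert(1)']
```

An allowlist is the right shape for this filter: the thread's observation that code sent from Gmail was stripped while code sent from Yahoo ran is exactly what happens when the check depends on which path a message took instead of on the content itself. Sanitizing at render time treats every message the same regardless of origin, and the `dropped` audit trail gives the service something to log and alert on.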
    • it's not like there's a risk of taking down the system with this single bug

      If you can get somebody to execute Javascript of your choosing in the security context of the gmail.com domain, then you can fairly easily write a worm that reproduces by emailing itself to everybody in your contacts list. A worm like that does stand a chance of bringing down the system.

    • In other news, a regular slashdot poster who doesn't get it, that links etc belong to the signature and not to the post itself...
      • Oh, he knows exactly what he's doing. Google "religious freaks." Guess what comes up? Every time he posts a comment and tacks that on the end, Googlebot snags it and bumps it up cos it's coming from a reputable site (well, PageRank-wise at least ;) Slashdot sigs don't have the luxury of being indexed (you gotta be logged in to see them).