Gmail Vulnerability May Expose User Information

Posted by Zonk on Thu Sep 27, 2007 12:23 PM
from the that's-not-so-good dept.
An anonymous reader writes "A cross-site scripting vulnerability may mean bad news for Gmail users. The ethical hacking group GNUCitizen has developed a proof-of-concept program that deftly steals contact information and emails from the popular web-based mail service. At the moment there are no 'wild' exploits for this vulnerability. The article discusses how lax security makes holes like this a problem for corporate IT houses as well as Google. '"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal. "In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."'" This, just a few days after a search-based exploit was discovered.

Related Stories

[+] GoogHOle Exploits GMail, Picasa and 200K Other Sites 167 comments
Giorgio Maone writes "Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites which outsourced their search engines (vulnerabilities included in the price). If even Google, a very reactive company when web security matters, does face this kind of problems, how serious is the threat and what can you do, as a "normal" web user, to protect yourself?"
  • Encrypt it (Score:3, Funny)

    by aedan (196243) on Thursday September 27 2007, @12:25PM (#20770987) Homepage
    With ROT 26
    • No, on the grounds of excessive CPU overhead.
      A simpler approach would be to have the UN put out a resolution asking everyone to be nice.
      Oh, and another resolution asking people not to send spam, pretty please, would also be helpful.
  • Online apps (Score:5, Insightful)

    by Romancer (19668) <romancer@dUMLAUT ... .com minus punct> on Thursday September 27 2007, @12:32PM (#20771077) Journal
    So who didn't see this thing coming?

    Online apps are only going to get more and more popular. Webmail is like the gateway drug of internet apps. It starts off innocently enough. Going from an in house email system that is only intranet. Then you need to give employees the ability to send outside email, no problem, but your servers can still filter out attachments both ways and give the company a security and intellectual property barrier. Then the online apps start looking appealing, no maintenance, no servers, just internet access. A lot of cost savings for the company. What could go wrong? Then Microsoft and the other big players start talking about making Office an online application and hyping the benefits of such a new age system. The benefits are described in beautiful powerpoint presentations to the execs and the IT department's warnings are just plain text. What's going to happen to the companies that fall for this new online paradigm? I think more of the same. Information leaks, database vulnerabilities, simple password guessing, general hacks, etc. And all the information accessed through these new online applications is going to be out there for the taking. Ease of use and availability on a new level, to the hackers.
    • Re:Online apps (Score:5, Insightful)

      by betterunixthanunix (980855) on Thursday September 27 2007, @01:00PM (#20771445)
      Another problem is the users themselves. People like the convenience of a web interface, and don't want to be tied to one computer using an email client. I try to get people to encrypt confidential emails, but as soon as I say, "So you need to set up Thunderbird..." I am met with skepticism. One friend of mine was worried that someone might be reading her emails (because she had used a predictable password); I set up Thunderbird with GPG for her, but within a few weeks she was back to the web interface.

      When it comes to convenience vs. privacy or security, people will choose convenience.

      • Many web hosters offer accounts that also come with IM, email, and various web-based programs to do other things. Often these accounts cost very little money and give you gigabytes more space than GMail (and that space can be used for more than just email without resorting to clever hacks to make your email space usable in other ways). Look at who's hosting some of the sites people point to on /. and you'll get some good leads.
  • Of course (Score:4, Interesting)

    by teknopurge (199509) on Thursday September 27 2007, @12:33PM (#20771087) Homepage
    People wonder why I recommend getting a private email account. Sure we could have the same issues, but the core webmail software we use is almost a decade old, and I gather that it has had more users than GMail currently has.

    In short: ditch the free and go with a service provider that provides service. GMail is ok for your Grandpa, but do you really want those million-dollar business contracts and project bids on it?
    • Re: (Score:3, Insightful)

      "but do you really want those million-dollar business contracts and project bids on it?"

      To think, people actually do this across any email... **shudder**

      Seriously, all potentially sensitive business should be conducted in person (perhaps by a representative). Anybody not smart enough to realize this should not be running a "million-dollar business".

      (Yes, I _realize_ that it happens.)
    • If you are not encrypting your email you are as exposed as your grandpa, so your recommendation is based in wishful thinking and not in actual hard technical facts.

      email is not a secure mechanism to transmit information, unless it is encrypted. End of the history.

      And as in regard to all those valuable contracts and what have you, I would like to inform you that email is not a guaranteed delivery mechanism, it works in a "best effort" to deliver basis. So I will not be sending any urgent information by email
      • Re: (Score:3, Informative)

        Google does offer services to large organizations whereby they can use gmail and still use their own domain. Just a few years ago, my university ditched its in-house email servers in a "partnership" with gmail, and gmail became the mail service for the entire university. They said it would save all kinds of money on maintenance, and they were probably right.

        So I guess my point is, even if they have the professional-looking email, it doesn't mean they're not using gmail. ;)
  • We talk about shutting down any unnecessary services and closing ports down by default in operating systems and firewalls. Why wouldn't one want to do the same with Web browsing? Lock down (or lock out) anything that can cause harm to corporate systems, and then open up things only as required. Not only does it improve productivity, it also improves security at the same time...
    • because (Score:4, Insightful)

      by everphilski (877346) on Thursday September 27 2007, @12:53PM (#20771329) Journal
      Because some of us don't spend the $5-$10 to go out to lunch (I pack a lunch, saves money, healthier, etc), and prefer to spend our lunch hour checking the news online? Sure, during business hours while working that makes sense, maybe, but during my breaks and lunch (both of which I'm free to take when I want) I like to go online and do stuff. So that becomes problematic. Honestly the solution is education. Having good enough resources on the local network so that your users don't have to use gmail or an ftp site is key, and making sure they know how to use them.

      You can say tough shit, and I'd agree, employer has that right. But then I'd counter by saying I'd probably be keeping an eye open for a new employer :)
      • The sense of entitlement that some people show around here is staggering.

        You may want to go online on your office computer. Well I am even pickier, I want blonde masseuses at my disposal for my lunch break, as well as the massages provided in rooms with plasma TVs and free drinks.

        The sky is the limit to what employees think they should be entitled to do with company's resources....
        • You may want to go online on your office computer. Well I am even pickier, I want blonde masseuses at my disposal for my lunch break, as well as the massages provided in rooms with plasma TVs and free drinks.
          ... and now we're back on the topic of Google.
        • The sense of entitlement that some people show around here is staggering.

          Dude. Did you even read my post? I said,

          "You can say tough shit, and I'd agree, employer has that right."

          It is their resource. However, education tends to work better than locking people away from useful resources (I'm an engineer ... the internet is a great resource for work, I'd be much less productive without it). And it's a nice perk.

          Well I am even pickier, I want blonde masseuses at my disposal for my lunch break, as well
    • We talk about shutting down any unnecessary services and closing ports down by default in operating systems and firewalls. Why wouldn't one want to do the same with Web browsing? Lock down (or lock out) anything that can cause harm to corporate systems, and then open up things only as required. Not only does it improve productivity, it also improves security at the same time...

      And then you can also kill productivity by (a) not allowing people to communicate in the ways their job requires, or (b) not allow

  • Ideal situation? (Score:5, Insightful)

    by oahazmatt (868057) on Thursday September 27 2007, @12:34PM (#20771111) Journal

    People do use private accounts to store work information
    And companies with information that is valuable to other companies should enforce regulations opposing this.

    I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal.
    It's less than optimal to fix the mail server?

    In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point.
    Really? My company does that. My training materials aren't allowed to leave the building.

    The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included
    If they share corporate information through Facebook, do you need that employee?
  • Always GMail (Score:3, Insightful)

    by bostons1337 (1025584) on Thursday September 27 2007, @12:40PM (#20771183)
    Why is it that we always see these exploits with GMail? I can't even remember the last time a Yahoo Mail or Hotmail, etc. exploit came out. They're about equally popular among the public.
    • Spreading FUD about Google is something that MS is highly motivated to do. Spreading FUD about Yahoo! or MS's own Hotmail system is not.

      That said, I'm not sure you're correct. I seem to recall a Yahoo! Mail exploit being publicized fairly recently. As for Hotmail, I'm not sure, but I suspect that it's a generic enough system that any exploits found are interesting as generic exploits more than as Hotmail-specific.
  • by SplatMan_DK (1035528) * on Thursday September 27 2007, @12:43PM (#20771215) Homepage Journal
    With all respect, why continue this crusade against Google/Gmail?

    Sure, they are a key player in the market, but so is Yahoo, Hotmail, and a number of others.

    From a technical perspective, cross-site scripting (XSS) vulnerabilities aren't exactly a new thing. Nor are they isolated to Gmail.

    The article is not wrong - so I am not attempting to protect Google. On the other hand, this problem is fairly general in nature, and probably applicable to a ton of websites. In fact, the "cookie grabbing technique" is one of the oldest tricks in the areas of XSS.

    With this in mind, the article (and in general the constant rampage against Google) seems ... a tiny bit one-sided. Not only is that unfair for Google (I am not a stockholder, so I will survive) but it also takes away the focus from the real issue: XSS is a big deal, and has to be dealt with. By everybody ... not just by Google.

    :-)

    - Jesper
    • httponly (Score:5, Informative)

      by Spy der Mann (805235) <spydermann,slashdot&gmail,com> on Thursday September 27 2007, @01:15PM (#20771655) Homepage Journal

      In fact, the "cookie grabbing technique" is one of the oldest tricks in the areas of XSS.
      ... and this is the reason why the "httponly" cookie extension [microsoft.com] was created. Firefox 3 will support it [securiteam.com], and I already modified my PHP framework to use this for the session cookies.
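The HttpOnly flag mentioned in the post above, as an added example that is not code from the thread or from any framework named in it: one function issues a session cookie with the flag set, and a second one audits Set-Cookie header values for session-like cookies that lack HttpOnly or Secure. The header samples are constructed, and the cookie-name heuristic and function names are this example's own.

```python
"""Added example, not from the thread: issue a session cookie with HttpOnly
and audit Set-Cookie headers for session cookies that lack it."""
import re
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str, secure: bool = True) -> str:
    """Return a Set-Cookie header value for a session cookie.

    HttpOnly hides the cookie from document.cookie, so script injected via
    XSS cannot read and exfiltrate it; Secure keeps it off plaintext HTTP.
    Neither flag stops the browser from *sending* the cookie, which is why
    HttpOnly does nothing against CSRF.
    """
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    jar[name]["httponly"] = True
    if secure:
        jar[name]["secure"] = True
    # output() yields "Set-Cookie: ..."; drop the header name, keep the value.
    return jar.output(header="").strip()


# Heuristic (this example's own): names that usually mark a session or
# authentication cookie and therefore deserve both flags.
_SESSION_LIKE = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def audit_set_cookie(header_value: str) -> list:
    """Return findings for one Set-Cookie value; an empty list means clean."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        return ["unparseable Set-Cookie value"]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; keep only the name part.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    findings = []
    if _SESSION_LIKE.search(name):
        if "httponly" not in attrs:
            findings.append(f"{name}: session-like cookie lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{name}: session-like cookie lacks Secure")
    return findings


# Constructed sample headers for the demonstration, not captured traffic.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.test",   # session cookie, no flags
    "prefs=dark; Path=/",                          # harmless preference
    build_session_cookie("SID", "abc123"),         # the hardened form
]


def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Map each header value to its findings."""
    return {h: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all().items():
        print(header, "->", findings or "ok")
```

The audit is the check a practitioner would run over a proxy log or a crawl: any cookie the application uses for authentication should show up with no findings.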
    • I'm not sure where you're seeing Google/Gmail hate in the article. I see criticism of GMail, but that comes with the territory. Many regard them as the top webmail provider in terms of quality, so they should be held to a higher level of scrutiny as a result.

      Security vulnerabilities in web-based services as common as email are extremely dangerous and do not deserve to be glossed over just because they are using old tricks. If they really are as common you imply, then I'm quite disappointed in GMail for not
      • I think we both generally feel the same about these issues.

        My point is, that by constantly picking on GMail, the world will translate this into a "GMail problem". Only it isn't. It is just as big a problem for Amazon, e-bay, Hotmail, Yahoo, LinkedIn, .... and any other website.

        I am not out to protect Google. If they screwed up, they deserve a little spanking. But it is important that we don't think of this as a "GMail problem", and ignore the threat for all non-Google websites.

        Agree?

        - Jesper
        • Certainly. XSS is the web's buffer overflow vulnerability - extremely common, yet I don't see a whole lot of people that are really scared enough to learn how to mitigate it. Old habits die hard, I suppose.
    • Re: (Score:3, Informative)

      From a technical perspective, cross-site scripting (XSS) vulnerabilities isn't exactly a new thing. Nor are they isolated to Gmail.

      From what I gather about this exploit (and contrary to what the CNET article has to say about it) this is actually a cross-site reference forgery (CSRF) attack rather than XSS. The attack takes advantage of the fact that a malicious Web site's clients may have persistent GMail cookies in their web browsers: The attacking site directs the victim's web browser, (possibly, but not necessarily) using JavaScript, to make a POST request to GMail which creates a mail filter to copy all messages to an email addr

      • by SplatMan_DK (1035528) * on Thursday September 27 2007, @01:32PM (#20771877) Homepage Journal

        why try to hack ObscureMail if you can get access to MILLIONS of accounts hacking GMail?
        You don't think sites such as Amazon, Hotmail, Yahoo Groups, e-Bay, LinkedIn, Facebook, MySpace, YouTube, etc. would provide access to just as many accounts?

        In fact, the total nightmare-scenario for the end-users (and the total wet-dream for XSS hackers) would be to gain access to an ad-server. Imagine the XSS hacks you could do if you managed to compromise a DoubleClick server? Millions of users could be targeted, across thousands of sites where your compromised ad-server would even be white-listed for all sorts of crap? In that case, the popularity of the sites themselves would be of no consequence. As long as it displayed ads from your compromised server.

        Hmmm... come to think of it, that is a pretty clever idea. I just might wanna take a look at the scripting used in streaming video ads ...

        ;-)

        - Jesper
  • by MobyDisk (75490) on Thursday September 27 2007, @12:43PM (#20771223) Homepage
    I can open HTML email in a standalone application (Thunderbird, Eudora, whatever) with very little concern about someone getting my login information. That's because there is an implicit barrier between the application state and the HTML page. But it is more difficult with web-based email: If you display HTML messages, then they are being displayed on the same page that has access to your login credentials.

    It seems to me that the most foolproof solution is to display the HTML email inside a sandbox that does not have access to the cookies (or any other part) of the enclosing page. There may be some way(s) to do this with browsers as they are today, but it seems like ultimately, such a sandbox should be designed-in to HTML and/or Javascript. Something like a chroot command.

    This would eliminate the constant cat & mouse game of scrubbing the HTML for something dangerous, then a new HTML/browser feature being used to get around it, etc.
    • by Bluesman (104513) on Thursday September 27 2007, @12:48PM (#20771275) Homepage
      Javascript does have a sandbox security model based on the domain name of the javascript/html source.

      Displaying the html mail in its own internal frame that pulls from a different domain name than the rest of the application should solve the problem you're referring to. Something like mail.googlecontent.com would work nicely.
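What the separate-domain frame in the two posts above actually buys, as an added example that is not code from the thread or from Google: a same-origin comparison (scheme, host, port), which decides whether script in the frame can reach the webmail page, and the RFC 6265 cookie domain-match rule, which decides whether the app's session cookie is sent along with the frame's own requests. The host names and the cookie's Domain attribute are constructed; the function names are this example's own.

```python
"""Added example, not from the thread: what separates a framed HTML message
from the webmail page that frames it, shown for three candidate layouts."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """The (scheme, host, port) triple the same-origin policy compares."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme]
    return (u.scheme, u.hostname, port)


def same_origin(a: str, b: str) -> bool:
    """Script in a document at `a` may touch a document at `b` only if True."""
    return origin(a) == origin(b)


def cookie_domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain-match: Domain=example.test covers that host and its
    subdomains, never a sibling registrable domain."""
    domain = cookie_domain.lower().lstrip(".")
    host = request_host.lower()
    return host == domain or host.endswith("." + domain)


def isolation_report(app_url: str, frame_url: str, cookie_domain: str) -> dict:
    """Summarise what a frame at frame_url gets from the app at app_url."""
    frame_host = urlsplit(frame_url).hostname
    return {
        "frame_script_can_touch_app_page": same_origin(app_url, frame_url),
        "app_cookie_sent_with_frame_requests":
            cookie_domain_matches(cookie_domain, frame_host),
    }


# Constructed layout: the webmail app and three places it could render
# untrusted HTML messages.
APP = "https://mail.example.test/"
APP_COOKIE_DOMAIN = ".example.test"   # constructed Domain attribute
CANDIDATES = {
    "same origin": "https://mail.example.test/render",
    "subdomain of the app": "https://content.example.test/render",
    "separate domain": "https://mail.examplecontent.test/render",
}


def compare_candidates() -> dict:
    """Isolation report for each candidate frame location."""
    return {label: isolation_report(APP, url, APP_COOKIE_DOMAIN)
            for label, url in CANDIDATES.items()}


if __name__ == "__main__":
    for label, report in compare_candidates().items():
        print(f"{label:22} {report}")
```

Only the separate registrable domain clears both checks: a subdomain already fails the origin comparison (legacy document.domain relaxation aside), but a cookie set with Domain=.example.test still travels to it, so requests made from inside the frame would carry the session.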
    • Hmm...it would be like...writing a small piece of code, that had some sort of SecurityManager object, and had to get user approval to do anything other than display data and communicate with the web server it came from...

      You seeing the point? We already have technologies that do all that, but because the first attempt was bad, people just lost interest and moved on. What we should have done was improve applets, not go and copy XMLHTTPRequest from Microsoft.

  • Insecure by Default (Score:2, Interesting)

    by Anonymous Coward
    Ummm - isn't this what /. always says about Microsoft?

    Trusting Google with your data is like playing Russian Roulette with an Automatic pistol, bad things will happen to your data

    Google says it is so easy to keep all your information online - and it is - where they can search it

    Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)

    But hey, they use Linux, so I guess it is ok
    • by pushing-robot (1037830) on Thursday September 27 2007, @01:19PM (#20771703)
      Google is the new Microsoft, more interested in profit than anything else (security, privacy, user rights)

      This is a XSS browser exploit, which basically means that one site you're visiting can talk to other sites you're logged into. It's not Google's fault; nothing is breaking in to their servers, it's just malicious code running on your computer hijacking the connection you made to Google. It's your browser's fault for not sandboxing sites properly.

      Or to use a real-world analogy, it's like blaming Google because you forgot to log out at an internet cafe and then somebody else sat down and read your email.
      • It's a CSRF, not XSS: XSS would mean a bug in Google's code, CSRF simply means they didn't take the additional security measure of putting a nonce into the form.
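The "nonce into the form" defence named in the reply above, worked through as an added example that is not code from the thread or from Google. It models the scenario the thread describes, a logged-in user's browser being made to POST a "create mail filter" form from another site: the forged request carries the victim's cookie (here, the same session object) but cannot include a token the attacker never saw, so the handler rejects it. The field name, handler names and addresses are this example's own.

```python
"""Added example, not from the thread: per-session anti-CSRF token issued
into the form and checked on POST (the "synchronizer token" pattern)."""
import hmac
import secrets

TOKEN_FIELD = "csrf_token"  # hypothetical form field name


def issue_token(session: dict) -> str:
    """Return the session's anti-CSRF nonce, minting one on first use."""
    token = session.get(TOKEN_FIELD)
    if token is None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[TOKEN_FIELD] = token
    return token


def render_filter_form(session: dict) -> str:
    """Render the form with the nonce as a hidden field.

    Only a page served in this session sees this markup; a page on another
    origin cannot read it, which is what makes the token a CSRF defence.
    """
    token = issue_token(session)
    return (
        '<form method="post" action="/filters/create">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}">\n'
        '  <input type="email" name="forward_to">\n'
        '  <button>Create filter</button>\n'
        "</form>"
    )


def handle_create_filter(session: dict, form: dict) -> tuple:
    """POST handler; returns (http_status, message).

    The comparison is constant-time so response timing cannot leak the token.
    """
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not expected or not isinstance(supplied, str):
        return 403, "rejected: anti-CSRF token missing"
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "rejected: anti-CSRF token mismatch"
    session.setdefault("filters", []).append({"forward_to": form["forward_to"]})
    return 200, "filter created"


def demo() -> dict:
    """Run a legitimate submission and two forged ones against a constructed
    session; returns every outcome so the caller can inspect them."""
    session = {"user": "victim@example.test"}  # constructed session state

    # The user's own page carries the token the server rendered into it.
    render_filter_form(session)
    own_form = {TOKEN_FIELD: session[TOKEN_FIELD],
                "forward_to": "archive@example.test"}
    legitimate = handle_create_filter(session, own_form)

    # Forged POST from another origin: the cookie rides along (same session
    # object), but the form lacks the token the other origin could not read.
    forged = handle_create_filter(session, {"forward_to": "other@example.invalid"})

    # A token of the right shape but the wrong value fails just the same.
    guessed_form = {TOKEN_FIELD: secrets.token_urlsafe(32),
                    "forward_to": "other@example.invalid"}
    guessed = handle_create_filter(session, guessed_form)

    return {"legitimate": legitimate, "forged": forged, "guessed": guessed,
            "filters": session.get("filters", [])}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The cookie alone is no longer enough to authorize the state change; the server also requires proof that the request originated from a page it served into this session.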
  • by GroundBounce (20126) on Thursday September 27 2007, @12:49PM (#20771283)
    If this is really a cross-site scripting vulnerability, NoScript [noscript.net] might help protect against it (if you're using FireFox).
    • Re: (Score:2, Informative)

      I'll second and confirm this.

      I've had NoScript on my machine for almost a year now, and it's been getting better and better every month, especially now that they've included NoXSS. I've seen the XSS warning mostly on "news" sites, such as FoxNews, CNN and various big-name newspapers, and every time I saw it, NoScript had nixed it.

      I've seen the XSS warning in Gmail three times in all, always when clicking on a spam email, and each time it was stopped cold. I didn't dig too deep into it, but not long afterw
  • NoScript should prevent this exploit. It can be annoying to have to constantly give permission to sites to allow scripting, but it beats being hacked.

    I'm also wondering if running Gmail over SSL would make any difference...
  • TFA (Yes, I'm new here...) says that it takes over the cookie to allow the attacker access to the GMail box for two years.

    But what if you tell both the browser and GMail not to remember your password? I make that a policy with most web sites I use, mostly to protect me if someone steals my laptop -- no password bypass mechanisms allowed, no passwords stored in clear text allowed.

    Does that make you safe against this attack also?
    • Re: (Score:3, Informative)

      No. The cookies are stolen upon transfer. You need to transfer your login data and save a cookie to receive the subsequent responses (viewing more than one message).
  • Luckily for me, I only use GMails webmail interface for my mailing lists, which any and all attackers are free to have. My personal account comes via encrypted POP. Thanks to Gmail for that option.
  • by quintessentialk (926161) on Thursday September 27 2007, @01:06PM (#20771525)
    I'll second the comment that this shouldn't surprise anyone. Where I work there are laws which require proper security, but in most other places I've been gmail was used widely. This is because 1. Gmail was more reliable than the 'official' email system 2. The search feature in gmail was way faster and smarter than the 'official' email system (e.g. outlook; squirrelmail) 3. The 'keep everything/multiple tags' model of gmail was less onerous than the maintenance the company expected (e.g.: keep your mailbox under a certain size; manually rotate things to local storage; sort things by some directory system you'll probably be confused by when you look at it a year later...) What I'd like to see is more people using those intranet-sized google search and email servers I hear about. I hate my company's crappy intranet search engine, and the only thing good about outlook is its meeting-scheduling system. Using google technology, but on a company-controlled server, would seem the best of both worlds. But... I'm not an IT person. Maybe this would be horrible.
  • Anyone not using and requiring at the very least PGP for their GMail box? Or getting "private" mails to it (or sending from it)?

    When you look at my GMail boxes, you'd probably get a very strange picture of me...
  • The leading edge of generation Y are just starting to graduate from college. The demographic the summary refers to is probably the last half of Gen-X (the youngest of which are in their mid-20s). If anything, it is the Gen-Xers that have a more naive/trusting mentality toward IT and the web overall. We grew up with an Internet that had relatively scarce criminal activity.

    Anyway... If you want to avoid browser vulnerabilities with GMail, simply use their free POP3 access (make sure SSL is enabled).
  • never used it, never send the email address to ANYONE from there, but every day, there's spam in there.

    I'd say, "Yeah there's a security hole in there..."
    • never used it, never send the email address to ANYONE from there, but every day, there's spam in there.

      I'd say, "Yeah there's a security hole in there..."
      I've had my GMail account from back in the early days, use it as my primary e-mail address, use it to register on many sites, some of which I know are not entirely secure, and have never had a piece of spam.

      Just a counter-point.
  • the "problem" of only being able to be logged into one Gmail account at at time [and all the googledocs and blogging features bound to the google identity cookie] becomes a lame and slight advantage: Give yourself a junk google Identity...that is easy these days since no priming based on a prior email acct is needed. Do your business with trusted sites using your "good" identity...the one with 8000 emails containing your life story and your companies proprietary info. For general surfing [you don't do bot
  • "This, just a few days after the discovery of a search-based exploit was discovered."

    Woo-hoo, meta-discovery! Oh wait - no, it's just Zonk screwing up.
  • Not XSS (Score:3, Interesting)

    by requeth (632121) on Thursday September 27 2007, @02:52PM (#20773137)
    You don't need to use cross site scripting, it sends the user's entire email list, telephone numbers, alt emails, etc right after login for the googletalk applet. Run a packet dump, they turn off the encryption and then send all of the private data (negating userid/password). I sent in two support tickets on this in January but only received the generic autoreplies. To keep up with security news find a local hacker group.
  • by Giorgio Maone (913745) on Thursday September 27 2007, @02:56PM (#20773201) Homepage
    It explains how the exploit works, how developers would/should avoid it and how users could protect themselves: http://hackademix.net/2007/09/26/gmail_csrf/ [hackademix.net]
  • by Monkier (607445) on Friday September 28 2007, @01:37AM (#20779139)
    Google GMail E-mail Hijack Technique [gnucitizen.org]

    Some interesting points

    • nothing to do with cookies - it is google not correctly validating a form submitted from an 'evil' website
    • nothing to do with XSS - the ARTICLE calls it "Cross-site request forgery".
    • I think the optimal solution would be a client which does not run scripts *AT ALL*. i.e. to read your mail, you need to d/l this software. But that defeats the purpose of having WEB mail accounts, doesn't it?

      That's the conundrum.

      Perhaps a solution would be to alter the HTML spec, in that you could include a specific file (a-la XMLHTTPRequest) and render it as html, but disabling all scripting inside that piece of html.

      Or can it be done with existing technologies?
      • "Or can it be done with existing technologies?"

        Yes: Don't use Javascript to send HTTP requests. Just like we had to tell everyone not to use SSI's because of vulnerabilities created by those, we should stop using Javascript to send HTTP requests. If you can demonstrate a real need for a web page that sends HTTP requests in the background, I can demonstrate a real applet that does the job with fewer security risks. There were webmail interfaces a long time before XMLHTTPRequest was invented, and they w