Gmail Messages Are Vulnerable To Interception
Michael Wally writes "GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are your communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it." Update: 01/12 22:21 GMT by T : Good news for Gmail users; those malformed messages are no longer being accepted; read below for a message from Chris DiBona.
chrisd writes "Just so you know, at 10:15am PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous emails that had this problem will also no longer be accessible. If you don't mind, I'd like to take the time to remind Slashdot readers that they can send bugs that may have a security aspect into security@google.com. If they like, they should feel free to cc me at cdibona@google.com. We appreciate your patience and we're sorry about the bug."
Wow (Score:5, Funny)
Re:Wow (Score:4, Funny)
Broken XML (Score:4, Insightful)
This is just the most publicly seen instance but broken XML does this every single day.
Use the greater than and less than signs as data delimiters in the 'next generation' of data encoding (XML)? WTF were they thinking?
I'm not 100% sure they are using true XML, but from the looks of it, if they aren't, they are using a home-built XML wanna-be and - well, it looks like I was right a few years ago when I (unsuccessfully) campaigned against doing it that way. Not that I campaigned very loud, as I am basically a nobody.
Not broken XML at all (Score:3, Insightful)
XML never does this. XML parsers, upon finding a problem must stop parsing and throw a fatal error. It's in the specification.
Instead of mindlessly knee-jerking because you don't like XML, try reading the article. The greater-than symbol that causes problems is the delimiter for the email address - syntax that goes back to 1982's RFC 822 - long before XML's time.
Security Category in Gmail Bugs List? (Score:5, Informative)
I use Gmail and this bug sort of disturbs me. Aren't they using a proper preg check to see if the fields are enclosed with < > ? I'm not even sure how this bug could exist in any normal computing system. I guess the gmail system is a hybrid of some kind? This is indeed very telling...
But it doesn't make me want to stop using Gmail. It's a random security breach that looks like they could fix it in an hour if they wanted to. Time to stop checking my email for a while until this is fixed...
Re:Security Category in Gmail Bugs List? (Score:5, Insightful)
I don't hold this against Google at all. I'm glad they are not telling the world how to break into my account...
Re:Security Category in Gmail Bugs List? (Score:2, Insightful)
I don't really see what difference the general public makes. The general public isn't interested in exploiting security flaws, even if there is a pre-rolled application which makes it easy, because the general public isn't script kiddies.
If one bad guy who can write a script for the script kiddies finds out about this, then the general public is at risk, even if he never releases that script. The general p
Re:Security Category in Gmail Bugs List? (Score:2, Interesting)
Re:Security Category in Gmail Bugs List? (Score:3, Interesting)
Full disclosure has a purpose: to educate users/admins in order to prevent damage to them. It should not be goal in itself.
In the case of proprietary software running on a machine nobody but the developer has access to, why bother? It's not as if the users run more risk if FD isn't practiced. Au contraire.
The only reason I can think of that would warrant FD, is when you want to keep tabs on the developer,
Re:Security Category in Gmail Bugs List? (Score:2, Informative)
Re:Security Category in Gmail Bugs List? (Score:3, Informative)
Unless you're Microsoft, of course.
The sense of security coming from using a beta? (Score:4, Informative)
Security
You must promptly notify Google of any breach of security related to the Services, including but not limited to unauthorized use of your password or account. To help ensure the security of your password or account, please sign out from your account at the end of each session.
Oh yes, Google is certainly lulling us into a false sense of security.
or rather (Score:5, Funny)
Re:Security Category in Gmail Bugs List? (Score:2)
Re:Security Category in Gmail Bugs List? (Score:5, Insightful)
People will not successfully exploit a vulnerability they do not know about, or attack a system they do not know is there. Even if some fraction of people are in the know, you've reduced your potential attacker count by the fraction of them who are not in the know.
Re:Security Category in Gmail Bugs List? (Score:4, Informative)
You did read the article, yes? This is exactly what happened.
Re:Security Category in Gmail Bugs List? (Score:3, Interesting)
If you discover that I've left my car unlocked, I would much prefer that you not festoon it with a large orange banner saying "THIS CAR IS UNLOCKED".
You Win An Award (Score:4, Funny)
Re:Security Category in Gmail Bugs List? (Score:3, Interesting)
The lock on a vault generally relies entirely on obscurity to obtain its security. You can't see how the cams are turning inside of the lock so you can't open it unless you know the combination. If you do know the combination, you can open the lock within a minute or so. If someone invents magic X-ray eye glasses that could see through the steel, then the standard mechanical combination lock would be useless.
The question at that point becomes how likely is it that
Re:Security Category in Gmail Bugs List? (Score:3, Insightful)
I'm not even sure how this bug could exist in any normal computing system.
It happens the same way that many (most?) bugs happen -- the human programmer forgot to check for boundary conditions in the data interpretation. As the old saying goes, "garbage in, garbage out" -- if you don't validate your data, you may be surprised at the results you'll get. Here the result is that it's exposing someone else's message to you. But it's not that surprising.
These things usually boil down to human error and inco
Re:Security Category in Gmail Bugs List? (Score:5, Insightful)
Re:Security Category in Gmail Bugs List? (Score:2)
Re:Kinda Open (Score:2)
One Key Word (Score:5, Insightful)
Google will work out the kinks, they always do.
Re:One Key Word (Score:5, Funny)
Re:One Key Word (Score:3, Interesting)
And while GMail is still in Beta, it is still a widespread and widely used email service. So, while I can understand that there are still bugs in the service which Gmail could iron out without too much trouble, I would disagree with people who underestimate the severity of tho
Re:One Key Word (Score:5, Insightful)
Let me know when they fix the disaster known as Google Groups 2. They've buggered up a ton of archive references, and don't exactly seem to be responding in a stellar fashion to the problems.
Re:One Key Word (Score:3, Insightful)
Not only that, as always, e-mail from one network to another across unknown intermediaries is not private. It travels on public wires across public networks. If there's value in someone targeting you and you're not technically competent enough to know you shouldn't use gmail for important discussions, they can just snap a packet sniffer onto your gateway and watch everything you send and receive right at the source with little fuss and no muss.
First things first: you ought not be relying on gen
Re:One Key Word (Score:2)
Re:One Key Word (Score:5, Insightful)
I know that it's everyone's darling, Google, but it's not any less of a privacy-spilling bug. Look at everyone who jumped on gmail already. Look at the bug itself: their servers trust the email client to terminate a string.
Never trust an internet client to provide properly formatted strings. Google blew it. (Besides, they're on my bad list for screwing up the usenet archives anyways, they're turning evil.)
Beta.. (Score:5, Insightful)
Oh, sure, it means ready to be shipped/used in production by some companies, but has that line gotten too fuzzy for some people?
"that's not a feature, that's a bug"
Re:Beta.. (Score:2)
if my email and/or account can be compromised, in a way that cripples its basic functionality as an email service, i am not sure if you can call it a "beta" to begin with. how do you work out bugs in the program if it can't be trusted to function as intended at the very basic level?
if a beta version of a photoshop, as an example, couldn't even reliably open a JPEG file, that's a serious problem i'd be unwilling to dismi
Re:Beta.. (Score:2, Insightful)
Certainly, and as a Gmail user you should view your use of Gmail as evaluation, not something you depend upon for any critical application.
if my email and/or account can be compromised, in a way that cripples its basic functionality as an email service, i am not sure if you can call it a "beta" to begin with. how do you work out bugs in the program if it can't be trusted to function as intended at the very basic level?
Re:Beta.. (Score:2, Insightful)
It does have bugs. It's in beta and it has bugs. I honestly don't see where this is even news.
if a beta version of a photoshop, as an example, couldn't even reliably open a JPEG file, that's a serious problem i'd be unwilling to dismiss simply as a "bug" just because "it's a beta."
That metaphor is flawed. A better one would be, "If a beta version of Photoshop couldn't open a JPEG with a bad header reliably, it's a serious problem."
Re:Beta.. (Score:2)
i just wanted to post that i personally feel "being beta" should not be a blanket immunity for all the bugs, big or small. that's all.
Re:Beta.. (Score:2)
"Being beta" means you KNOW you have to fix your bugs. You should not be immune from blame for failing to fix bugs. I have seen no signs of Google refusing to fix this bug. (Feel free to correct me if I'm wrong).
Re:Beta.. (Score:2)
=Smidge=
Re:Beta.. (Score:5, Insightful)
Re:Beta.. (Score:2)
Re:Beta.. (Score:2)
Email isn't secure (Score:5, Informative)
This is as it was 10 years ago, 5 years ago, now, and in the future. Plaintext should be treated as though you were sending a postcard in the mail.
Re:Email isn't secure (Score:2)
it's one thing for the email being sent to be intercepted. it's quite another to leave a hole such that your account name and password can be obtained by strangers.
Re:Email isn't secure (Score:2)
Most people have the reasonable expectation that their postcards are at least being delivered to the right recipients. The gmail bug is equivalent to the post office making photocopies of a postcard and stuffing them in all your neighbors' postboxes. It allows lots of technically illiterate people with no hacker/secret-agent/NSA training to read your mail.
Re:Email isn't secure (Score:2)
Re:Email isn't secure (Score:2)
Re:Dear krog (Score:2)
A Darker Shade of Grey Hat (Score:5, Interesting)
Security exploits are a serious matter, and they need to be handled properly. Throwing this kind of thing out in the open willy-nilly is, at best, irresponsible. For one, it means that Google must now rush a fix for something which may have already been in the bugfix queue; rush jobs can disrupt the entire project and increase the odds of human error--which can lead to unnecessary security vulnerabilities.
As for these guys getting hired by Google--being smarmy twits about Google's code review practices probably isn't gonna help their case any. Shame, because a little tact and professional courtesy would have given them a damn good running start at it...
Re:A Darker Shade of Grey Hat (Score:2, Interesting)
I guess it's the hat thing. You've decided you have to choose what colour they're wearing and what they've done doesn't match. I'd leave the hats alone and think for yourself. They've spotted a bug in beta code and decided it was easier to tell the public rather than
Re:A Darker Shade of Grey Hat (Score:2, Insightful)
There is no excuse whatsoever for releasing something like this to the public, especially without notifying the service and giving a long enough period for them to fix it (IMO even going public then doesn't achieve anything). All that this achieves is self-glorification for the people findin
Re:A Darker Shade of Grey Hat (Score:3, Informative)
Because it has become standard practice in the industry to inform the vendor and give them a reasonable amount of time to come out with a patch before publicly announcing the exploit. It's called professionalism, a.k.a. an endangered species here at slashdot.
Re:A Darker Shade of Grey Hat (Score:4, Informative)
Key here is "reasonable amount of time", which should be no more than a couple of weeks. Even that may be too long and many vendors will threaten you with lawsuits for going public once you've privately informed them of security holes.
As Bruce Schneier (author of Applied Cryptography, creator of Blowfish/Twofish, etc) writes:
Note that Schneier does say:
Also from the same article:
http://www.schneier.com/crypto-gram-0111.html
Re:A Darker Shade of Grey Hat (Score:2)
Security exploits are a serious matter, and they need to be handled properly. Throwing this kind of thing out in the open willy-nilly is, at best, irresponsible.
You state that as fact, yet full disclosure is probably the most widely accepted way
Re:A Darker Shade of Grey Hat (Score:2, Funny)
Re:A Darker Shade of Grey Hat (Score:2)
The 60 minutes piece on them suggests the company culture is try to compel them to not flaunt their wealth and keep their head screwed on straight but when people become millionaires and billionaires overnight chances are high that they are going to lose th
Well... (Score:2, Insightful)
Yeah, it's a potential privacy breach. That said, using a web-based email system for top secret or potentially embarrassing mail is pretty dumb. You get what you pay for; gmail is no different. (nb: I'm a happy gmail user)
Comment removed (Score:5, Funny)
Re:Are you communications private? (Score:2, Funny)
Simple.
All you communications are belong to them.
Just a simple, obvious case of omitting a letter (Score:2)
To which I would answer, "No, I am a communications major."
Re:Are you communications private? (Score:2)
Doesen't seem too bad to me. But I am just a foreinger...
Newsflash (Score:5, Insightful)
Although this appears to be a valid bug in GMail (that is still beta mind you, and will probably be fixed very quickly), who in the world considers plain text communication secure?
I have no idea who at my ISP has root access (or others that can gain root access) to read my plaintext mailbox.
Nothing to see here... please move along.
Re:Newsflash (Score:5, Informative)
Re:Newsflash (Score:2)
Net::SMTP>>> Net::SMTP(2.29)
Net::SMTP>>> Net::Cmd(2.26)
Net::SMTP>>> Exporter(5.58)
Net::SMTP>>> IO::Socket::INET(1.27)
Net::SMTP>>> IO::Socket(1.28)
Net::SMTP>>> IO::Handle(1.24)
Net::SMTP=GLOB(0x182eb00)<<< 220 mx.gmail.com ESMTP 35si124276wra
Net::SMTP=GLOB(0x182eb00)>>> EHLO localhost.localdomain
Net::SMTP=GLOB(0x182eb00) <<< 250-mx.gmail.com at your service
Net::SMTP=GLOB(0x182eb00)<<< 250-SIZE 20
Re:Newsflash (Score:2)
The problem wasn't that it was accepting mail that looked like that, it was that when reading the email that contained the faulty send line, it would read past the end of the "From" line looking for the matching >, which could result in a sort of buffer overflow that would read into other people's messages.
You need to actually look at the message you sent in the GMail interface to see if it has been fixed.
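To make concrete what the comment above describes (a header parser that keeps scanning for the closing '>' past the end of the From line, and so trusts the client to terminate the string), here is an added example that is not code from Gmail or from anyone in this thread: a naive address extractor beside a line-bounded one, run over a constructed two-message buffer. All names and message contents are assumptions made up for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: two messages stored back to back in one buffer, the way
 * a mail store might hold them. The first From header opens an angle-bracket
 * address but never closes it (the malformed case the thread describes); the
 * second message belongs to a different user. */
static const char STORE[] =
    "From: Alice <alice@example.test\r\n"      /* no closing '>' */
    "Subject: test\r\n"
    "\r\n"
    "hello\r\n"
    "From: Bob <bob@example.test>\r\n"         /* next message starts here */
    "Subject: password reminder\r\n"
    "\r\n"
    "your password is hunter2\r\n";

/* Naive parser: finds '<' and scans for the matching '>' with no regard for
 * where the header line ends. Fine on a well-formed header; on the malformed
 * one the scan runs into the following message and returns its contents.
 * Returns a malloc'd string or NULL. */
char *extract_addr_naive(const char *msg)
{
    const char *open = strchr(msg, '<');
    if (!open) return NULL;
    const char *close = strchr(open, '>');   /* unbounded: crosses line ends */
    if (!close) return NULL;
    size_t n = (size_t)(close - open - 1);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, open + 1, n);
    out[n] = '\0';
    return out;
}

/* Hardened parser: the search for '>' is confined to the header line, and a
 * missing terminator is treated as a malformed header to reject (as Gmail
 * began doing after the fix) instead of a reason to keep reading. */
char *extract_addr_bounded(const char *msg)
{
    const char *open = strchr(msg, '<');
    if (!open) return NULL;
    const char *eol = strpbrk(open, "\r\n");            /* end of this line */
    size_t line_len = eol ? (size_t)(eol - open) : strlen(open);
    const char *close = memchr(open, '>', line_len);    /* bounded scan */
    if (!close) return NULL;                            /* reject, don't guess */
    size_t n = (size_t)(close - open - 1);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, open + 1, n);
    out[n] = '\0';
    return out;
}

int main(void)
{
    char *leaked = extract_addr_naive(STORE);
    printf("naive  : %s\n", leaked ? leaked : "(rejected)");
    free(leaked);
    char *safe = extract_addr_bounded(STORE);
    printf("bounded: %s\n", safe ? safe : "(rejected: no '>' on the header line)");
    free(safe);
    return 0;
}
```

The naive version hands back Alice's partial address plus the headers of Bob's message, while the bounded version refuses the malformed header and still parses Bob's well-formed one correctly.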
Re:Newsflash (Score:2)
But then again, I doubt that's actually the setup in many, many places.
Re:Newsflash (Score:2)
If I was an ISP, I'd be advertising security (which protects you from, say, identity theft) as an option, and explain that with freely available e-mail programs and PGP you can lock things down so
Well hey.. (Score:5, Funny)
I mean, their aptitude tests & hiring policies make me believe they've got a few Nobel prize winners working there..
Shouldn't they be able to fix this during lunch break?
You mean there is a server-side bug in GMail (Score:3, Insightful)
I don't think you can do directed attacks either (e.g. 'intercept' only the mail of a specific target). So I think it's not a real showstopper.
Still, it shows that even Google can make mistakes in their code...who would have thought!
end of the world is coming!! (Score:5, Funny)
now Google messes up...
with all the natural disasters happening, i cannot think of a good reason why the world wouldn't end the day after tomorrow.
Re:end of the world is coming!! (Score:2)
Let me just say.. (Score:2)
Couldn't they have notified Google first, before going public? Given them time to take action? I don't like the fact that my email is suddenly vulnerable now that everyone and their brother knows how to intercept gmail messages.
Well... (Score:3, Insightful)
That being said, did the authors actually contact Google about this prior to making the whole thing public? Full disclosure is good, of course, but it's also nice to give the vendor a chance to fix things before you inform every script kiddie in the world about what you found.
All email is vulnerable. (Score:3, Insightful)
If you want your email to be secure you have to encrypt it. Otherwise don't have any expectation for privacy.
Re:All email is vulnerable. (Score:5, Informative)
Re:All email is vulnerable. (Score:2, Informative)
I have administered SMTP servers for small businesses and small to midsize ISPs for 10 years.
Re:All email is vulnerable. (Score:2)
Re:All email is vulnerable. (Score:2)
Including usernames and passwords? O.o
In other news... (Score:2)
GMail vs Hotmail (Score:5, Insightful)
If Hotmail had this bug, everyone here would be up in arms.
Just because email isn't secure doesn't mean this isn't serious. I would hate to think of all the people reading my responses to craigslist postings
Re:GMail vs Hotmail (Score:2)
Re:GMail vs Hotmail (Score:2)
Re:GMail vs Hotmail (Score:3, Insightful)
Hmm. I wouldn't try Windows if I were you...
Interception (Score:2)
Can anyone name a form of message that isn't vulnerable to interception?
Duh (Score:2)
For more fun, check out how ebay's static and images server returns responses null-padded to 4KB boundaries (usually).
Re:Duh (Score:2)
Way to go, jerks. (Score:3, Insightful)
SPAM! (Score:3, Insightful)
i tried... (Score:2, Interesting)
Yawn... (Score:3, Funny)
--
Was it the sheep climbing onto the altar, or the cattle lowing to be slain,
or the Son of God hanging dead and bloodied on a cross that told me this was a world condemned, but loved and bought with blood.
This was more about their 15 minutes than Google. (Score:5, Insightful)
Of course, they acknowledge that, but they're arguing that they're helping protect people by making them aware of the problem.
I call bullshit. This is about them wanting recognition for finding the bug. If they would have sent it to Google, it would have been fixed and no one would care who discovered it. Because they went public with it they can boast that they were the ones who found the bug.
Of course, it swings both ways. Now if someone uses this exploit and steals your password (which is honestly rather unlikely), you know who to blame for making it public knowledge before Google had the chance to fix it.
Gmail is FREE! (Score:2)
Reads encrypted zip files (Score:2, Interesting)
I figured I could hide it in a zip file so gmail wouldn't notice, and it still tells me I can't send an exe file!, then I encrypt the zip file, figuring there would be no way gmail could see what's inside, and it still finds the
Hacker Hubris (Score:5, Insightful)
For these people to find a single issue in such a system, then say it's a shortcoming of gmail's QA process, and in the same breath ask for work - implying they've got the skills to even handle such a job - is insulting. Please, just because you're smart enough to expose a flaw once you stumbled onto it in no way means you are qualified to correct that or any other issue. Sometimes our QA team finds a flaw and even digs in the logs enough to pinpoint the problem but it can still take the developer who designed the code days to correct.
In other words, noticing that you're bleeding does not qualify you as a surgeon. Instead of publishing their findings in a detailed how-to, these asshats should have forwarded the info to gmail and let them deal with it, and that's assuming that the gmail team didn't already have it in their list of bugs. I just don't understand why people feel the need to not only describe a security problem, but give every hacker on the net a roadmap as to just exactly how to use it and what illicit activity it might be good for.
WORKAROUND (Score:2)
Did anyone else see this? (Score:3, Funny)
Screen Capture #5 [milatic.net]
Jack Rabbit Vibrator Features
This message describes the features of one "Jack Rabbit Vibrator," a 7.5" Multi-Speed toy of sorts.
What are the odds of finding that?
Client side contamination between accounts (Score:2, Interesting)
I've also witnessed on at least one occasion an https session surviving overnight, with the POTS connection severed during this time.
These experiences have already led me to cons
Security 101 (Score:2)
So if you are worried about your company's cooked books, your mistress and your assassination plan being discovered--DON'T write Email about them!
Also, by the way, if it's that important: Don't post it in a chat room or BBS, even "Anonymously", don't write or type it anywhere,
A Job? (Score:5, Insightful)
I'd just like to add that not only are they criticizing the company's QA process and releasing the bug without having notified Google first, as others pointed out...
They found the exploit by MISTAKE! It was a bug in their own code that caused the problem, something as stupid as a missing caret at the end of a line. So, in other words, they are looking for work looking for bugs in Google's software that they found solely because of a bug in the software they wrote.
On another note, bugs in software happen, no matter WHO you are, the trick is just to be able to fix them in a timely fashion and deal with the situation effectively. I believe that Google will do this, especially if the previous comment stating that it has been patched is true. Everyone is making too big a deal out of something that has happened to every developer on every software ever. The reason MS gets crap for it is simply because they continuously produce buggy code ridden with security issues, but deny this is the case, and often ignore security problems until they are found out by the general public.
-Jay
Looks like GMail is not accepting Mail (Score:3, Interesting)
"APPLICATION" 516 "2005-01-12 20:01:48" "SMTPDeliverer - Message 15213: Delivering message from xxxxxxxxx@xxxxx.com to xxxxx@gmail.com."
"TCPIP" 516 "2005-01-12 20:01:48" "DNSResolver - MX Lookup: gmail.com"
"TCPIP" 516 "2005-01-12 20:01:48" "DNSResolver - MX Lookup result for gmail.com: 3 servers"
"APPLICATION" 516 "2005-01-12 20:02:09" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp185.google.com."
"APPLICATION" 516 "2005-01-12 20:02:30" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp171.google.com."
"APPLICATION" 516 "2005-01-12 20:02:51" "SMTPDeliverer - Message 15213: Failed to connect to gsmtp57.google.com."
"APPLICATION" 516 "2005-01-12 20:03:13" "SMTPDeliverer - Message 15213: Failed to connect to gmail.com."
"APPLICATION" 516 "2005-01-12 20:03:13" "SMTPDeliverer - Message 15213: Failed to connect to all xxxxx@gmail.com's mail servers."
Re:Gmail Invitation Emails here (Score:2)
Re:Gmail Invitation Emails here (Score:2, Informative)