
Google Corrects Gmail Security Flaw 209

0110011001110101 writes "Google said Wednesday it has fixed a problem in its widely used email program that allowed hackers to break into people's Gmail accounts to read messages and pose as legitimate email users. Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users. The process for exploiting Gmail was posted to a hacker web site." From the article: "Google spokesperson Sonya Boralv said only users who supplied information to the hackers were potentially vulnerable. 'We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials,' Ms. Boralv said. 'Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues.'"
This discussion has been archived. No new comments can be posted.

  • by KinkoBlast ( 922676 ) <kinkoblast@gmail.com> on Friday November 18, 2005 @12:46PM (#14063428)
    Google does NOT read every email. It goes through a computerised filter to supply ads. No different than a spam filter. How come no one complains about Yahoo, MSN, and 99% of other email providers, free or not?
    • by BushCheney08 ( 917605 ) on Friday November 18, 2005 @12:54PM (#14063511)
      You forgot to post the link to the torrent
    • Google does NOT read every email. It goes through a computerised filter to supply ads.

      Does anyone really think their personal email is so damn interesting that someone else would actually want to read it??

      If you think that, get over yourself!

    • "No different than a spam filter."

      Actually it is. A spamfilter doesn't try to bind meaning to what it sees, it just matches certain schemes and patterns which were created by artificial means (like by a bayesian filter) and scores based on that. An intelligent ad sensing mechanism needs to find _meaning_ in the emails - human meaning - to display relevant advertising. This means it searches for humanly defined meaning. That's like flagging an email with certain tags/keywords. That's exactly what certain g
      • Well, technically, it could be viewed as a spamfilter with x number of buckets, x being the number of keywords available in adsense.

        A message would be scored on each keyword, and get sorted into one or more buckets based on how it scored on each keyword.

        There are spam filters that work exactly like that. POPfile comes to mind.
      • Actually it is. A spamfilter doesn't try to bind meaning to what it sees, it just matches certain schemes and patterns which were created by artificial means (like by a bayesian filter) and scores based on that. An intelligent ad sensing mechanism needs to find _meaning_ in the emails - human meaning - to display relevant advertising.

        You give our friends over at Google too much credit. Their scheme is most likely no different than a spam filter. It looks at the words in the message, sorts them by number of
        • No, most of the filters are better than that. One thing a lot of them pick up is the use of certain HTML markup tags. If, for example, a zillion messages are screened, and the use of <font color="FF0000"> (Glorious, penis-pill selling RED!) appears in a lot of junk mail, but very few letters from Mom; then it's flagged as a spam trigger as well. The use of character strings like the "0r+" part of "M0r+gage rates" can be scanned and scored as well.
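The bucket-scoring idea from the comments above (score a message against every bucket, and let HTML tags and strings like "M0r+gage" count as tokens), as an added example that is not part of the original thread and is not POPFile's or Google's code. It is a small multinomial naive Bayes classifier; the training messages, bucket names and the 0.25 threshold are constructed for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# An HTML tag is kept whole as one token; otherwise runs of word characters,
# with '+', '$', "'" and '-' allowed so obfuscations like "M0r+gage" survive.
TOKEN_RE = re.compile(r"<[^>]+>|[A-Za-z0-9+$'-]+")


def tokenize(text):
    return [t.lower() for t in TOKEN_RE.findall(text)]


class BucketClassifier:
    """Multinomial naive Bayes over any number of buckets."""

    def __init__(self):
        self.token_counts = defaultdict(Counter)  # bucket -> token -> count
        self.msg_counts = Counter()               # bucket -> training messages
        self.vocab = set()

    def train(self, bucket, text):
        tokens = tokenize(text)
        self.token_counts[bucket].update(tokens)
        self.msg_counts[bucket] += 1
        self.vocab.update(tokens)

    def scores(self, text):
        """Return {bucket: posterior}; tokens never seen in training are ignored."""
        tokens = [t for t in tokenize(text) if t in self.vocab]
        total_msgs = sum(self.msg_counts.values())
        log_post = {}
        for bucket, n_msgs in self.msg_counts.items():
            counts = self.token_counts[bucket]
            denom = sum(counts.values()) + len(self.vocab)  # Laplace smoothing
            lp = math.log(n_msgs / total_msgs)
            for tok in tokens:
                lp += math.log((counts[tok] + 1) / denom)
            log_post[bucket] = lp
        peak = max(log_post.values())  # log-sum-exp keeps long messages stable
        norm = sum(math.exp(lp - peak) for lp in log_post.values())
        return {b: math.exp(lp - peak) / norm for b, lp in log_post.items()}

    def classify(self, text, threshold=0.25):
        """Buckets scoring at least `threshold`, best first; [] if nothing is known."""
        if not any(t in self.vocab for t in tokenize(text)):
            return []
        ranked = sorted(self.scores(text).items(), key=lambda kv: -kv[1])
        return [bucket for bucket, p in ranked if p >= threshold]


# Constructed training messages (not real mail).
TRAINING = [
    ("spam", '<font color="FF0000"> M0r+gage rates slashed, cheap pills'),
    ("spam", '<font color="FF0000"> cheap pills, low M0r+gage rates today'),
    ("travel", "flight to madrid booked, hotel near the airport"),
    ("travel", "cheap flight and hotel deals for the weekend"),
    ("personal", "love from mom, see you at dinner on sunday"),
    ("personal", "mom says dinner is at six, bring the dog"),
]


def build_demo():
    clf = BucketClassifier()
    for bucket, text in TRAINING:
        clf.train(bucket, text)
    return clf


if __name__ == "__main__":
    clf = build_demo()
    for msg in ('<font color="FF0000"> new M0r+gage rates', "cheap flight", "dinner with mom"):
        print(msg, "->", clf.classify(msg))
```

With this training set, "cheap flight" lands in two buckets because "cheap" also appears in the constructed spam, which is the "one or more buckets" behaviour the comment describes.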
      • Nope. The whole of Google's mystical advertising knowledge is built *entirely* on statistical analysis of their data. It just so happens that certain combinations of words have become associated with certain products or areas.

        Even AdSense's precision is built on what ads people clicked when the page's content was x/y/x, which is why occasionally you see adverts with little or no relevance. The fact they are not clicked on weighs against them in that particular content's category (Which again is put together
    • Semtex [ebay.com]
      Looking for Semtex?
      Find exactly what you want today.
      www.eBay.com
    • Because those filters are passive, as Google's are active...they send the content of your email to a server to determine which ads to send you, and then send the results of clicking any ads back to their server and log everything in between. So in theory someone just looking at the Google logs could tell that your email contained words like "cheating" "wife" "cocaine" etc, because you were served ads for those. I doubt Google has the time to do such things, but in theory the data is there.
  • by Threni ( 635302 ) on Friday November 18, 2005 @12:48PM (#14063442)
    ...they could alter the URLs they serve up such that httpS is used instead of crappy old http. The former works if you remember to edit it manually every time you log in, but that's tedious.
  • Grammar Police (Score:3, Interesting)

    by TubeSteak ( 669689 ) on Friday November 18, 2005 @12:48PM (#14063446) Journal
    "Motives are more than obvious because ALL Gmail accounts was vulnerable to the bug."
    While the hacker website that published the exploit is safe from Criminal Prosecution, they may still get a visit from the Grammar Police

    Then again, its a spanish language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them.
    • Then again, its a spanish language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them.

      Uh, we have a 226 in progress: used "its" instead of "it's"
    • by MSantiago ( 645345 ) on Friday November 18, 2005 @01:00PM (#14063582)
      "While the hacker website that published the exploit is safe from Criminal Prosecution, they may still get a visit from the Grammar Police Then again, its a spanish language site, so I give them kudos for finding someone whose English isn't terrible to write it up for them."


      Hate to do this to you, but when someone starts criticizing someone else's grammar, they'd better use proper grammar, punctuation, spelling, and capitalization in their own posts.

      For starters, "Criminal Prosecution" isn't a proper noun and shouldn't be capitalized. Also, "its" is not being used in its possessive form. Rather, it's a contraction of "it is" and should contain an apostrophe. Lastly, "spanish" must be capitalized.
      • 1. I called the Grammar Police on the author
        2. I used poor grammar and capitalization
        3. You did not call the Grammar Police on me
        4. Your grammar, spelling and capitalization were just fine.

        The only conclusion that can be reached from these facts is that any post invoking the Grammar Police results in grammar, spelling and capitalization errors in said post.
      • Hate to do this to you, but when someone starts criticizing someone else's grammar, they'd better use proper grammar, punctuation, spelling, and capitalization in their own posts.

        Why? If something is wrong it is wrong, regardless of the errors someone else might make.
  • I really like using Gmail, and the 'conversation' system really suits me well. Glad that they fixed the flaw before anything 'bad' happened.

    But, is there an alternative to Gmail? What does the /. community use instead?
    • Re:Better than POP? (Score:3, Informative)

      by generic-man ( 33649 ) *
      AIM mail [aim.com] gives you 2 GB of free space and IMAP access so you can use it from a real mail client. All you need is an AIM screen name.

      For my personal mail I use Fastmail [fastmail.fm], IMAP mail with excellent server-side filtering. They had a brief outage last weekend, but aside from that they've been rock-solid for the last 2 years. They don't offer you enough storage space to make a warez repository out of your inbox, but it would take me a decade to fill up my 600 MB account.
    • But, is there an alternative to Gmail? What does the /. community use instead?

      I say this only to point out the pompous, somewhat arrogant nature of many slashdotters:

      pine

      mod -1 troll or +1 funny. you're not sure are you?
      • To be fair, pine doesn't do the whole job. You also need an MTA, at least, and probably a good IMAP server. So, sendmail/exim/qmail and dovecot/courier/UW-IMAP and then you can effectively use pine. Oh, you'll probably also want ClamAV, qsf, bogofilter, and procmail in the mix.
      • pine is for pansy ass pico users. real /.rs read a raw mail file and submit mail via command line interactions with a smtp server. in reality, it's not as hard or impressive as it sounds.
        • And of course, real /.rs do the MIME encoding in their head.

          Or, as I like to say,
          QW5kIG9mIGNvdXJzZSwgPGI+cmVhbDwvYj4gLy5ycyBkbyB0aG UgTUlNRSBlbmNvZGluZyBpbiB0aGVpciBoZWFkLg==
    • There are lots of alternatives to gmail. I run my own mailserver on a colocated box and give access to friends. POP, IMAP, Webmail, and remote SMTP submission (and lots of other goodies). You might be able to find a similar geek friendly server or run your own.

      Personally I don't like the idea of running my email through hotmail, yahoo, gmail. Advertising supported mail in general just gives me the creeps.
  • by gasmonso ( 929871 ) on Friday November 18, 2005 @12:48PM (#14063451) Homepage
    "The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem."

    Say what you will about Google, but 4 days is fast. I think Microsoft takes weeks, if not months to fix problems. As a matter of fact, I bet there are vulnerabilities that are years old. Not to mention that M$ gets angry whenever a security group points out a bug.

    gasmonso http://religiousfreaks.com/ [religiousfreaks.com]
    • "a security researcher called ANELKAOS alerted the company to the problem"

      If someone named ANALCHAOS told me I had a bug, you bet I'd look into that right away.
    • by generic-man ( 33649 ) * on Friday November 18, 2005 @01:01PM (#14063601) Homepage Journal
      When Hotmail was hacked 6 years ago [cnn.com], Microsoft sealed off the problem within a day. Google is incredibly slow.
      • uhm, yeah, but that was a MUCH bigger hole. All you need for the hotmail bug was the victim's email address. (for a bug like that, they should have shut down the whole system until it was fixed) For google, you need their authentication token... which, is probably a problem for a lot of sites... not a super duper high priority bug if you ask me.
        • Actually, if you read the exploit, cookie stealing was not necessary. Just a little cookie manipulation, and looking at some JavaScript.
        • This was the same sort of thing, according to the article. "Unlike the reported by HBX and published by BetaNews last year, this bug doesn't require cookie robbery, and because of that, the bug's danger was considerably higher." Gmail didn't shut down the whole system now, did they?
      • Hold up a second. The MS Hotmail flaw allowed anyone's Hotmail account to be compromised by going to a MS website and typing in the e-mail account they wanted to hack. The GMail flaw requires a user to send their certificate information to the hacker. The Hotmail flaw was much more significant and easier to fix: disable the second website (or at least ask for a secret question).

      • by bannerman ( 60282 ) <curdie@gmail.com> on Friday November 18, 2005 @01:24PM (#14063826)
        This is completely different. The Hotmail hack allowed anyone to view anyone else's Hotmail account, with nothing more than a username. The Gmail hack allowed someone with access to another person's web traffic or hard drive to get access to their Gmail account. If you give them that much, you might as well give them your password as well, just for convenience' sake.
        • by Anonymous Coward
          No matter how you slice it: 1 day to fix a vulnerability in a web app is fast. 4 days is slow. And even if these exploits differed in the way you seem to think they are, it wouldn't be "completely different."

          However, they aren't. The Google press release is false and I can't believe -- I just can't believe -- that the whole friggin' Slashdot crowd bought that crap hook, line and sinker. Read the linked article about the actual exploit. This is every bit as serious as the Hotmail hack.
          • I'm no great fan of either Google or MS, but this is not in the same category. This is a theoretical attack - if you control the proxy server between a user and Gmail (and make the decision to store all traffic), then yes, you can get into their email, but that's about it.
      • Google is incredibly slow.

        Definitely. Google ignored a security hole for two years [jibbering.com] and don't understand Javascript well enough to fix it properly. [jibbering.com]

      • actual hacking attempt != discovery of an exploit

        The former requires immediate attention. A few days to correct the latter is an acceptable timeframe. Google just had to be faster than the folks trying to implement the exploit.
    • You might get a little more credibility if you canned the circa-1997 "M$" nonsense.

      Say what you will about Google, but 4 days is fast.

      4 days to fix a security vulnerability in a web app is INCREDIBLY SLOW. Anyways, obviously it's a little easier to patch a website, especially when you have a highly tolerant client base. This is the same Google, though, that released a desktop search that was so terribly security defective that it's hard to believe that their hiring practices are even remotely as selective a
  • by Galius Persnickety ( 623126 ) on Friday November 18, 2005 @12:49PM (#14063455)
    So hackers can't get in now if I give them my credentials?
  • Uh-oh.. (Score:2, Informative)

    by Chabil Ha' ( 875116 )
    Gee, I hope that no one was able to see that I store my SS#, CC#, and username/passwords for every site that I use. This could really be bad! The last time I checked, this was Beta software anyway, and if it was a concern, realize that most people weren't concerned when they got google eyed for a 2GB account. Get serious, who in their right mind would send sensitive information over e-mail anyway???
    • who in their right mind would send sensitive information over e-mail anyway???

      Non techies. It may be obvious to you that email is insecure, but that would not occur to 90% of all email users. Further, it is possible to use email for sensitive information. Unfortunately, it requires both the sender and the receiver to understand enough about encryption.

    • Gee, I hope that no one was able to see that I store my SS#, CC#, and username/passwords for every site that I use. This could really be bad! The last time I checked, this was Beta software anyway, and if it was a concern, realize that most people weren't concerned when they got google eyed for a 2GB account. Get serious, who in their right mind would send sensitive information over e-mail anyway???

      Up until today, I was including that info in my sig!!

  • wait a minute (Score:5, Interesting)

    by wolfgang_spangler ( 40539 ) on Friday November 18, 2005 @12:55PM (#14063529)
    The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem. Google didn't make a public announcement about the problem. Companies such as Microsoft typically alert their users to security flaws in their software.

    So I am to believe that when someone makes a security flaw known to Microsoft they immediately make it public? They don't try to fix it or even shush the person who lets them know? The news is full of stories about security researchers who try to let Microsoft know about a problem only to see it not fixed for a long time. Then if the researcher lets the public know Microsoft goes berserk.

    4 days seems like a pretty good time to patch a flaw that sounds as low risk as this one did.
    • Re:wait a minute (Score:3, Interesting)

      by slashkitty ( 21637 )
      There is also a HUGE difference between SERVER applications like gmail and desktop software from Microsoft. With Gmail, none of the users need to update their computers to get the fix, while with Microsoft, everyone has to update their computer to get the fix. Who knows how many fixes Google has put in since gmail went live.
    • The site says Google fixed the problem on October 18, four days after a security researcher called ANELKAOS alerted the company to the problem. Google didn't make a public announcement about the problem. Companies such as Microsoft typically alert their users to security flaws in their software.

      Huh? So apparently this person thinks all security holes in Windows are discovered on the second Tuesday of each month?

      Microsoft, like many companies, doesn't disclose most security holes until it has patched them. W
  • by Anonymous Coward on Friday November 18, 2005 @12:57PM (#14063555)
    The good thing about this is that now, everyone benefits from the fixes. Instantly.

    No more issuing patches, fixes, service packs, or whatever, like there is with distributed packages.
  • Great news! (Score:3, Funny)

    by theSpaceCow ( 920198 ) on Friday November 18, 2005 @12:58PM (#14063572)
    See, up until now, if you knowingly gave hackers your credentials, they'd be able to log on to your account with them. But now Google's refined their system to the point that even if you give out your personal information, hackers can't get in!

    It's really very simple. They simply cycle through every Google ad you've ever clicked on (to find potential phishers), geo-locate the IP trying to log on and cross-reference it to the "From" location in most of your Google Maps directions searches, attempt to visually identify you from any webcam pictures they may have cached, calculate the speed in which the username/password was typed in compared to the "keyboard profile" they have on file from all your searches, and compare the logon time to your typical usage times for GMail and Google Talk.

    Perfect security. At least, from everybody but Google.
  • Google fix (Score:5, Funny)

    by spurtle15 ( 899792 ) on Friday November 18, 2005 @01:00PM (#14063591)
    FTFA

    "We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials," Ms. Boralv said. "Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues."

    Fix:

    From: Google
    To: Gmail users
    Subject: Security Bug

    To all Gmail users:

    Please do not give out your user name and password.

    Thank you. That is all.
    • no no, they fixed this problem on the server side. Even if you give hackers your credentials, they still can't get in. I'd really like to see their code for this fix.
      • no no, they fixed this problem on the server side. Even if you give hackers your credentials, they still can't get in. I'd really like to see their code for this fix.

        I've got a bridge in Brooklyn to sell you. Maybe you'd really like to see that too.
    • Re:Google fix (Score:2, Insightful)

      by Tim U. ( 916375 )

      FTFA

      "We looked into this quickly and learned that it can only occur if a user knowingly provides their credentials," Ms. Boralv said. "Nevertheless, we have made some modifications to Gmail to help prevent these kinds of issues."

      Is this really true? To me it looks like they were simply taking variables from a successful login process, and substituting them into a login process that would normally have failed.

      Or did I miss something...

      • Makes their network traffic available seems more like it, from reading TFA.

        You didn't miss anything. It's a fuss about very little. Not about nothing, but if you do anything through a proxy server out of your control, then you don't know what is transmitted. Of course, simply adding SSL should help :)

    • Yeah, because my EMAIL account is really useful when I don't give my username to anyone...
  • by xxxJonBoyxxx ( 565205 ) on Friday November 18, 2005 @01:05PM (#14063647)

    If I'm reading this correctly, the security researcher thinks that Google has fixed only one of the three bugs that open up this door...thus the public pronouncement.

    "But if they would have recognized it and published a thank you note, this information wouldn't had been published. We have 3 ways to get to the same result, the others 2 are quite easier, and because of that easily we can deduce that it's a multibug, and a design error. With all these clues, they will not take too much to discover new methods."

  • One little bug that's been griping me about gmail is that sometimes I go to gmail.com on my girlfriend's computer and find myself accessing her account because she forgot to click "log out" last time she was in there.

    Now, I understand that while the web page is open, it makes sense to keep the user logged in using background XML requests, but once the browser has been closed, can't they implement a time-out?

    I swear this has happened to me even when she logged in the night before, so I can't figure out why t
    • Maybe you could just tell your girlfriend to not click the "Keep me logged in on this computer" checkbox when she logs in?
    • The default behavior IS to log a user out when the browser is closed. The only way your girlfriend's account would stay logged in after closing the window is if she checked "Remember me on this computer" when logging in.
    • Timeouts drive me nuts. I always stay logged in on my computer simply because if anyone figures out the password to get into my account on this machine, let alone my root password, I've got a lot more to worry about than a mere gmail account. Yeah, I know it's not a very secure system, but I have very little to hide (and even less to lose), so I'm willing to sacrifice a bit of security for the sake of convenience.

      My university webmail times out after some ridiculously short amount of time, and as a result
  • Is it just me, or does google's translation [google.com] make just as much sense as the "English" version of the hacker's article.
  • by frankie ( 91710 ) on Friday November 18, 2005 @02:12PM (#14064463) Journal
    I don't read either Spanish or Hackerspeak very well, so I may have misunderstood their explanation, but it sounded like the exploit requires the attacker to gain access to the source code of the login screen for a user who already has a valid Gmail cookie. In other words, Gmail sends (or used to send?) stealable authentication info in the html. Is that accurate? If so, I'd have to agree that's not Best Practices for web security.

    Their screenshot walkthrough seemed like a mess. Which browser (and which URL) was associated with each of those source views?
  • by miller60 ( 554835 ) on Friday November 18, 2005 @03:05PM (#14065031) Homepage
    Google also has fixed a security hole in Google Base [netcraft.com], which could have exposed sensitive information stored by users of Google's services. From the article:

    "Google's move towards a single Google Account for multiple services exacerbates the problem, as the same account used by the Google Base site can also be used to access financially sensitive services such as AdWords and AdSense, and Google's GMail webmail service."

  • it can only occur if a user knowingly provides their credentials


    What kind of security flaw is this? Wait- someone can read my e-mail if I give them my password? Wow! Wait- someone can read my files if I give them my root password? You're kidding?! Someone can read my paper documents if I give them the alarm code to my house and key to my filing cabinet? No s**t.

    Jeeze.
    -M
  • 1. No matter how many problems you point out that exist in Google's services, they are still far less than the flaws that have existed in systems like Yahoo and Hotmail for far longer
    2. Whether you believe it or not, there is NO such thing as a "perfect" e-mail system. Google never made that claim and its supporters certainly don't make that claim. What they do claim is that Google has the more innovative interface. And after using the lackluster offerings of both Yahoo and Hotmail, I have to say I agree
