Full Version: Gmail Security Hole
Security hole found in Gmail
An Israeli hacker reveals: A security hole in Gmail allows the compromise of users' email boxes - without the need of a password

So you've got a Gmail mail account? Or maybe you've just received an invitation? Well, we have some bad news for you: your mailbox is exposed. A major security hole in Google's mail service allows full access to user accounts, without the need of a password.

"Everything could get publicly exposed - your received mails might be readable, as well as all of your sent mail, and furthermore - anyone could send and receive mail under your name", reveals Nir Goldshlagger, an Israeli hacker, in an exclusive interview with Nana NetLife Magazine. "Even more alarming", he explains, "is the fact that the hack itself is quite simple. All that is needed of the malicious hacker, besides knowledge of the specific technique, is quite basic computer knowledge and the victim's username - and that's it, he's inside".

When approached, Google admitted to the security flaw. Google also assured us that this matter is being resolved, and that "the company will go to any length to protect its users".

The flaw, which was discovered by Goldshlagger and was tested many times by Nana's editorial board, has shown an alarming success rate. In order not to further jeopardize mailbox owners, we will only disclose that the process is based upon a security breach in the service's identity authentication. It allows the hacker to "snatch" the victim's cookie file (a file planted on the victim's computer and used to identify him) using a seemingly innocent link (which directs to Gmail's site itself). Once stolen, this cookie file allows the hacker to identify himself as the victim, without the need of a password. Even if the victim does change his password afterwards, it will be to no avail. "The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won't stop the hacker from using his box", explains Goldshlagger.

Whether hackers have already used this method to compromise users' accounts is unclear at the moment.

Matters are several times worse when it comes to a service such as Gmail. Besides the obvious blow to Google's seemingly spotless image, we're looking here at a major threat to anyone who has turned to Gmail as his main email box. "Because Gmail offers a gigabyte of storage, several times bigger than most other web-based mail services, users hardly delete any old correspondence", says Goldshlagger. "The result is a huge amount of mail accumulating in the users' boxes, which frequently includes bank notices, passwords, private documents and other files the user wanted to back up. Whoever takes hold of this data could literally take over the victim's life and identity".

Ofer Elzam, a security expert for "Aladdin", who examined the security hole at Nana's Netlife request, explains: "This is a major threat, for the following reasons: First - the users have no way of protecting themselves. Second - it's quite easy to carry out, and third - it allows identity theft, which is nothing less than a serious danger to the victim".

"On the bright side", he adds, "it's a good thing that this hole was found now, before the service was officially announced and offered to millions of users world-wide. I reckon it's just a matter of time before an automatic tool is made, which would allow even the less computer-savvy people to exploit this hack. The damage, needless to say, could be huge."

Is there a way, after all, to protect ourselves in the face of this danger? Elzam does not bear good news on the matter. "The only immediate solution that comes to mind is not using Gmail to store any messages or files that might be maliciously used. At least until Google attends to this problem."

Source

*my apologies if this is a duplicate post
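As an added illustration of the mechanism the article describes (example code written for this thread, not Google's code and not Goldshlagger's technique; the article deliberately withholds how the cookie is obtained, so the theft is modelled simply as the attacker holding a copy of the victim's cookie, and all users, passwords and ids are constructed): a toy session store in which authentication is by session cookie alone, so a stolen cookie survives a password change exactly as the article says, next to the fix of revoking every session of the account when its password changes.

```python
"""Toy web-mail session store: the behaviour the article describes, and the fix.

Vulnerable variant: a request is authenticated purely by the session id in
its cookie, so a stolen cookie stays valid after the victim changes the
password. Hardened variant: every session of the account is revoked when
the password changes, so the stolen cookie is dead and the attacker would
need credentials he does not have. Everything here is constructed example
data; nothing is taken from Gmail.
"""
import hashlib
import hmac
import secrets


class SessionStore:
    """Server-side session table keyed by the random id sent in the cookie."""

    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self.passwords = {}   # username -> (salt, pbkdf2 digest)
        self.sessions = {}    # session id -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, self._hash(password, salt))

    def _check_password(self, user, password):
        if user not in self.passwords:
            return False
        salt, digest = self.passwords[user]
        return hmac.compare_digest(digest, self._hash(password, salt))

    def login(self, user, password):
        """Return a Set-Cookie header value on success, None otherwise."""
        if not self._check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        # HttpOnly keeps the id out of document.cookie, which blunts
        # script-based theft; it does nothing against a session that
        # has already been copied, which is what the fix below is for.
        return f"SID={sid}; Secure; HttpOnly; Path=/"

    def whoami(self, cookie_header):
        """Resolve a request's Cookie header to a user; no password involved."""
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "SID" and value in self.sessions:
                return self.sessions[value]
        return None

    def change_password(self, cookie_header, new_password):
        user = self.whoami(cookie_header)
        if user is None:
            return False
        self.register(user, new_password)
        if self.revoke_on_password_change:
            # Kill every session of this account, including the one the
            # attacker is riding; the legitimate user simply logs in again.
            self.sessions = {s: u for s, u in self.sessions.items() if u != user}
        return True


def steal_cookie(set_cookie):
    """Model of the theft: the attacker ends up holding the victim's cookie."""
    return set_cookie.split(";")[0]          # "SID=<id>"


def scenario(revoke_on_password_change):
    """Run the attack; return (attacker_is_victim_before, attacker_is_victim_after)."""
    srv = SessionStore(revoke_on_password_change)
    srv.register("victim", "old-password")               # constructed account
    victim_cookie = steal_cookie(srv.login("victim", "old-password"))
    attacker_cookie = victim_cookie                      # the stolen copy
    before = srv.whoami(attacker_cookie) == "victim"
    # The victim notices something is wrong and changes the password.
    srv.change_password(victim_cookie, "new-password")
    after = srv.whoami(attacker_cookie) == "victim"
    return before, after


if __name__ == "__main__":
    print("cookie-only auth, no revocation :", scenario(False))   # (True, True)
    print("revoke sessions on pw change    :", scenario(True))    # (True, False)
```

Running it shows the point Goldshlagger makes: with cookie-only authentication the password change is irrelevant to the attacker, and only invalidating the existing sessions (or binding each session to a password version and rejecting stale ones) actually evicts him.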
digitalk2003
Good information, but isn't this news a bit old? After all, after it was disclosed at the end of September, Gmail patched their email systems.

Link: http://www.searchenginejournal.com/index.php?p=1008

http://www.macobserver.com/article/2004/11/01.1.shtml

http://www.computerweekly.com/articles/art...Search=&nPage=1

Ciau...

digitalk2003
sk3tch
Yes, old and also a repost. But we still appreciate the reminder!
White Scorpion
This proves again: "Cookies are bad for you", get an Apple instead.
Sayian
Heh, never thought I'd see a security hole in Gmail... Good info.
setthesun
QUOTE(lepricaun @ Nov 9 2004, 11:36 AM)
This proves again: "Cookies are bad for you", get an Apple instead.

It's not just about cookies; a web application should use sessions for real things.
A session is a cookie also: servers compare session IDs with the client's cookie session ID and store the session data on the server.

So if you are logged in to a system you have a session ID, and now an attacker steals that. You don't have to choose "remember me".

And one final note: if you mean completely disabling cookies, it's a great protection, but you cannot use anything in almost any dynamic website.
Lone
This is not all that old, or they didn't fix it, because someone has been spoofing/hacking my account. I have changed passwords numerous times and at least once or twice a day I get mailer daemons saying that mail could not be delivered; each time it had a virus attachment and each time the headers were from Gmail servers...

Fking pissing me off.
White Scorpion
QUOTE
It's not just about cookies; a web application should use sessions for real things.
A session is a cookie also: servers compare session IDs with the client's cookie session ID and store the session data on the server.

So if you are logged in to a system you have a session ID, and now an attacker steals that. You don't have to choose "remember me".

And one final note: if you mean completely disabling cookies, it's a great protection, but you cannot use anything in almost any dynamic website.

Well, it was more of a joke, but I would clear cookies after every session; actually I already do that, so this way no cookies that I do not need are still on my computer waiting to be accessed by other sites.

(Unfortunately that doesn't help with this problem, but Gmail has already been patched; this is an old vulnerability.)
Lone
Then why the hell am I still getting the damn mailer daemons?
Serhat
QUOTE(Sayian @ Nov 11 2004, 03:21 AM)
Heh, never thought I'd see a security hole in Gmail... Good info.

If they did/do, you can't blame them. Every product gets tested and the bugs found get fixed. Sometimes they don't find any at all and it still remains. However, Gmail is still beta, so you can't complain at all if you use Gmail, at least (imho).

Serhat
unreal
thanks
cvh
This proves once more that XSS hacks are dangerous and are more widely used; eBay had the same problem a while back. Just DON'T USE cookies, because they are a real security risk.
x1`
I Never even knew about this bit of news... Good Information

I always thought a session ID could not be duplicated, as it expires when the user leaves the web server, meaning an attacker would have only a time window in which he could "spoof" as the victim.

It would be more secure if every site made people log in each and every time. Although this would be a pain, I think it would be much more secure.

In the past few months I've seen far too many password catchers, etc. If logins were never stored on the victim's machine, an attacker would have no motive to look for these passwords.

Once again, thanks for the information.

x1`
Exodus
Weird. I didn't realise that cookies could actually be that dangerous...
nnxion
QUOTE(Exodus @ Dec 2 2004, 10:19 AM)
Weird. I didn't realise that cookies could actually be that dangerous...

lol

BTW, isn't this long patched? Gmail actually fixes things fast, unlike some others...
Sayian
Course it's Google.

Teh sexy Google.
tshark
Lone, the reason it doesn't matter whether you change your password or not is that they still have the session ID, which logs them into your account automatically. It says so in the article:

QUOTE
Once stolen, this cookie file allows the hacker to identify himself as the victim, without the need of a password. Even if the victim does change his password afterwards, it will be to no avail. "The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won't stop the hacker from using his box", explains Goldshlagger.



- T
neon
QUOTE(Lone @ Nov 14 2004, 05:30 AM)
Then why the hell am I still getting the damn mailer daemons?

Actually tshark had a point, but it's not what Lone is referring to here.

Lone, what you are getting is emails from a worm (trying to infect you). It's a fairly common one going around lately; not sure of the name though, I should look it up.

And yeah, werd @ building this up for the news. Just another XSS vuln.
Invision Power Board © 2001-2005 Invision Power Services, Inc.