[Dshield] Gmail Security Flaw?

Kevin Ottalini ottalini at mindspring.com
Sat Oct 30 11:47:55 GMT 2004

How serious is this exactly, and can anyone verify that google has a fix?

Gmail Security flaw

from: http://net.nana.co.il/Article/?ArticleID=155025&sid=10

So you've got a Gmail mail account? Or maybe you've just received an
invitation? Well, we have some bad news for you: Your mailbox is exposed. A
major security hole in Google's mail service allows full access to user
accounts, without the need of a password.

"Everything could get publicly exposed - your received mails might be
readable, as well as all of your sent mail, and furthermore - anyone could
send and receive mail under your name", thus reveals Nir Goldshlagger, an
Israeli hacker, in an exclusive interview with Nana NetLife Magazine. "Even
more alarming", he explains, "is the fact that the hack itself is quite
simple. All that is needed of the malicious hacker, besides knowledge of the
specific technique, is quite basic computer knowledge, the victim's
username - and that's it, he's inside".

When approached, Google admitted to the security flaw. Google also assured
us that this matter is being resolved, and that "the company will go to any
length to protect its users".

The flaw, which was discovered by Goldshlagger and tested many times by
Nana's editorial board, has shown an alarming success rate. In order not to
further jeopardize mailbox owners, we will only disclose that the
process is based upon a security breach in the service's identity
authentication. It allows the hacker to "snatch" the victim's cookie file (a
file planted in the victim's computer used to identify him) using a
seemingly innocent link (which directs to Gmail's site itself). Once stolen,
this cookie file allows the hacker to identify himself as the victim,
without the need of a password. Even if the victim does change his password
afterwards, it will be to no avail. "The system authenticates the hacker as
the victim, using the stolen cookie file. Thus no password is involved in
the authentication process. The victim can change his password as many times
as he pleases, and it still won't stop the hacker from using his box",
explains Goldshlagger.

Whether hackers have already used this method to compromise users' accounts
is unclear at the moment.

Matters are several times worse when it comes to a service such as Gmail.
Besides the obvious blow to Google's seemingly spotless image, we're looking
here at a major threat to anyone who has turned to Gmail as his major email
box. "Because Gmail offers a gigabyte of storage, several times bigger than
most other web based mail services, users hardly delete any old
correspondence", says Goldshlagger. "The result is a huge amount of mail
accumulating in the users' boxes, which frequently include bank notices,
passwords, private documents and other files the user wanted to back up.
Whoever takes hold of this data could literally take over the victim's life
and identity".

Ofer Elzam, a security expert for "Aladdin", who examined the security hole
at Nana NetLife's request, explains: "This is a major threat, for the
following reasons: First - the users have no way of protecting themselves.
Second - it's quite easy to carry out, and third - it allows identity theft,
which is nothing less than a serious danger to the victim".

"On the bright side", he adds, "it's a good thing that this hole was found
now, before the service was officially announced and offered to millions of
users world-wide. I reckon it's just a matter of time before an automatic
tool is made, which would allow even the less computer-savvy people to
exploit this hack. The damage, needless to say, could be huge."

Is there a way, after all, to protect ourselves in the face of this danger?
Elzam does not bear good news on the matter. "The only immediate solution
that comes to mind is not using Gmail to store any messages or files that
might be maliciously used. At least until Google attends to this problem."
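The article's core technical point is that a captured session cookie keeps working even after the victim changes their password, because the server checks only the cookie, never the password, once a session exists. The following Python sketch is an added illustration of the server-side mitigation and is not code from the article, from Google, or from the poster: each session records the password "generation" it was issued under, a password change bumps the generation, so any cookie captured earlier stops authenticating. The cookie is also emitted with HttpOnly, Secure and SameSite attributes so page scripts cannot read it. All names (AuthServer, password_generation, the SID cookie) and the sample account are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, Optional


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    password_generation: int = 0   # incremented on every password change


@dataclass
class Session:
    username: str
    password_generation: int       # generation the cookie was issued under
    expires_at: float


class AuthServer:
    """Toy web-mail login service (constructed for illustration)."""

    SESSION_TTL = 3600.0

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Sessions are keyed by a hash of the cookie value, so a leaked
        # session table does not hand out usable cookies.
        self.sessions: Dict[bytes, Session] = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    @staticmethod
    def _session_key(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(self._hash_password(password, salt), salt)

    def _check_password(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        candidate = self._hash_password(password, acct.salt)
        return hmac.compare_digest(acct.password_hash, candidate)

    def login(self, username: str, password: str,
              now: Optional[float] = None) -> Optional[str]:
        """Verify the password and issue a fresh, unguessable session token."""
        if not self._check_password(username, password):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        generation = self.accounts[username].password_generation
        self.sessions[self._session_key(token)] = Session(
            username, generation, now + self.SESSION_TTL)
        return token

    def authenticate(self, token: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Map a presented cookie to a username, or None if it is invalid."""
        now = time.time() if now is None else now
        key = self._session_key(token)
        sess = self.sessions.get(key)
        if sess is None:
            return None
        acct = self.accounts[sess.username]
        # Reject expired sessions and any session issued under an older
        # password generation: a password change revokes every cookie
        # that existed before it, stolen ones included.
        if now >= sess.expires_at or sess.password_generation != acct.password_generation:
            del self.sessions[key]
            return None
        return sess.username

    def change_password(self, username: str, old: str, new: str) -> bool:
        if not self._check_password(username, old):
            return False
        acct = self.accounts[username]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = self._hash_password(new, acct.salt)
        acct.password_generation += 1   # invalidates all outstanding sessions
        return True

    def logout(self, token: str) -> None:
        self.sessions.pop(self._session_key(token), None)


def set_cookie_header(token: str) -> str:
    """Render the session cookie with the attributes that keep it out of
    page scripts and off plaintext connections."""
    cookie = SimpleCookie()
    cookie["SID"] = token
    cookie["SID"]["httponly"] = True
    cookie["SID"]["secure"] = True
    cookie["SID"]["samesite"] = "Lax"
    cookie["SID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("victim", "old-password")
    cookie = srv.login("victim", "old-password")
    print(set_cookie_header(cookie))
    print("stolen cookie before password change:", srv.authenticate(cookie))
    srv.change_password("victim", "old-password", "new-password")
    print("stolen cookie after password change: ", srv.authenticate(cookie))
```

The generation counter is the piece the article says was missing: without it, the server has no link between "the password was changed" and "which sessions should survive". Binding sessions to the password generation (or simply deleting all of the user's sessions inside `change_password`) gives the victim a working recovery step once they suspect their cookie has been taken.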
