November 23, 2008 3:10 PM PST

Gmail exploit may allow attackers to forward e-mail

by Steven Musil

Updated November 24 at 10:10 a.m. PST: Adds comment from Google representative.

A Gmail security vulnerability may allow an attacker to set up filters on users' e-mail accounts without their knowledge, according to a proof of concept posted Sunday at the blog Geek Condition.

In a post, Geek Condition's "Brandon" writes that the vulnerability has caused some people to lose their domain names registered through GoDaddy.com.

Without posting the full exploit, Brandon explains that it relies on obtaining the variables that represent the username and "at":

When you create a filter in your Gmail account, a request is sent to Google's servers to be processed. The request is made in the form of a URL with many variables.

For security reasons, your browser doesn't display all the variables contained within the URL. Using Firefox and a plug-in called Live HTTP Headers, you can see exactly what variables are sent from your browser to Google's servers.

After that, an attacker just needs to identify the variable that is the equivalent of the username.

"Obtaining this variable is tricky but possible," he writes. "I'm not going to tell you how to do it; if you search hard enough online, you'll find out how."

The "at" variable can be obtained by visiting a malicious Web site, writes Brandon, who suggests that Google make the "at" variable expire after every request rather than after every session.
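The expiry change Brandon suggests is easiest to see in code. The Python model below is an added example, not code from CNET, Geek Condition or Google: it sketches a filter-creation endpoint that checks an "at"-style anti-forgery token, first scoped to the whole session (so a value observed once stays valid until logout) and then rotated after every accepted request (so an observed value is single-use). The class and function names (SessionScopedService, PerRequestService, replay_accepted), the token format and the in-memory session store are assumptions for illustration and say nothing about how Gmail's real endpoint was built.

```python
"""Session-scoped vs. per-request anti-forgery tokens on a state-changing request.

Added example (not CNET's, Geek Condition's or Google's code). Models the
"at" variable the article describes; all names here are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    filters: list = field(default_factory=list)          # forwarding targets set so far
    at: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class SessionScopedService:
    """Weak variant: 'at' is fixed for the lifetime of the session, so a
    token that is observed once keeps working until the user logs out."""

    def __init__(self):
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def current_at(self, sid):
        # The value the legitimate page embeds in its own filter form.
        return self.sessions[sid].at

    def create_filter(self, sid, at, forward_to):
        s = self.sessions[sid]
        # Constant-time comparison so timing does not leak the token.
        if not hmac.compare_digest(at, s.at):
            return False
        s.filters.append(forward_to)
        return True


class PerRequestService(SessionScopedService):
    """Hardened variant: every accepted request rotates 'at', so a value
    captured earlier is rejected when it is presented a second time."""

    def create_filter(self, sid, at, forward_to):
        s = self.sessions[sid]
        if not hmac.compare_digest(at, s.at):
            return False
        s.filters.append(forward_to)
        s.at = secrets.token_urlsafe(16)  # fresh token for the next request
        return True


def replay_accepted(service_cls):
    """Scenario: the user creates one filter with a token that a third party
    also managed to observe; the observed token is then presented again for a
    second filter. Returns True if the second request was accepted."""
    svc = service_cls()
    sid = svc.login("alice")
    observed = svc.current_at(sid)
    assert svc.create_filter(sid, observed, "alice-archive@example.test")
    return svc.create_filter(sid, observed, "unexpected@example.test")


def filter_count(service_cls):
    """How many filters end up on the session after the scenario above."""
    svc = service_cls()
    sid = svc.login("alice")
    observed = svc.current_at(sid)
    svc.create_filter(sid, observed, "alice-archive@example.test")
    svc.create_filter(sid, observed, "unexpected@example.test")
    return len(svc.sessions[sid].filters)


if __name__ == "__main__":
    print("session-scoped token, replay accepted:", replay_accepted(SessionScopedService))
    print("per-request token, replay accepted:   ", replay_accepted(PerRequestService))
```

Rotating the token narrows the exposure to a single request rather than a whole session; it does not by itself close whatever channel let the value be read in the first place, which is why the article's other advice (checking filters, restricting scripts on untrusted sites, logging out) still applies alongside it.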

To avoid being a victim of the vulnerability, users should check their filters often, Brandon suggests. Firefox users can download an extension called NoScript that helps prevent these attacks, he said.

Of course, any Web site that relies on cookies alone to authenticate requests can be taken advantage of in the same way. To avoid becoming a victim of this type of exploit, Gmail users should log out of their accounts when they are not in use, and--of course--not visit Web sites they don't trust.

A Google representative said the company was trying to contact Brandon for specifics on his proof of concept.

"We're trying to reach the blogger making this claim for more details, but we haven't seen evidence that this would be specific to Gmail," the representative said. "We use standard industry methods for protecting cookies, similar to most Web services using HTTP. In fact, we offer additional protection by offering the option of a secure connection (HTTPS) throughout the session for free."

Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.

9 Comments
by Hunnter2k3 November 23, 2008 4:43 PM PST
Now that is a rather interesting exploit.
And from a phisher's perspective, a much better way of getting information without actually stealing the account.

I guess the most obvious, and easiest, way Google could combat this would be to improve on the already fairly useful "Last activity" feature.
If any settings were changed in the past 5 sessions with Gmail, always show it, highlighted if they have to.
And with the Detail window, have a tree structure of activity per session, maybe even have an undo next to applicable items.
It would be pretty helpful IMO.
by dcrappell November 23, 2008 5:11 PM PST
Wouldn't the HTTPS option stop this exploit as well?
by Nightwatch79 November 23, 2008 6:52 PM PST
Nope, check out Backtrack 3 on Google. It can read your cookies even with HTTPS on!
by Mr. Dee November 23, 2008 9:17 PM PST
I hope this puts the sanity back in every CIO's brain who was considering a jump from Exchange to the new kid on the block.
by Nightwatch79 November 23, 2008 10:08 PM PST
Yeah, like Exchange isn't full of exploits.... yeah right!
by Nightwatch79 November 23, 2008 10:05 PM PST
Nope, check out Backtrack 3 on Google. It can read your cookies even with HTTPS on!
by Michichael November 24, 2008 9:12 AM PST
Go go NoScript!

And yes, it's an exploit, but one that depends on tricking the user into giving you that information without their knowledge. Not very effective.
by MattCutts November 25, 2008 2:12 PM PST
Just fyi, it looks like this issue was due to phishing, not any flaw in Gmail. The Gmail team has posted more information here: http://googleonlinesecurity.blogspot.com/2008/11/gmail-security-and-recent-phishing.html
by Palaminopony November 28, 2008 1:42 AM PST
Was checking the spam and found my gmail account being used as a front for 3 spammers... ???
fijfel1988@westworld.com

Varun-musaeus@intehplast.ru

irduzrov_1987@778software.com