September 27, 2007 6:54 AM PDT

Gmail cookie vulnerability exposes user's privacy

Petko Petkov of "ethical hacking" group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users.

"This can be used to forward all your incoming e-mail," Pure Hacking security researcher Chris Gatford said. "It's just a proof of concept at the moment, but what they're demonstrating is the potential to use this vulnerability for malicious purposes."

According to Gatford, attackers could compromise a Gmail account--using a cross-site scripting vulnerability--if the victim is logged in and clicks on a malicious link. From that moment, the attacker can take over the session cookies for Gmail and subsequently forward all the account's messages to a POP account.

"If someone picks up on this before Google fixes it--or if someone knew of the vulnerability before this guy published it--this could be very damaging to Gmail users," he added.

The problem is potentially compounded by Google's policy of retaining cookies for two years.

"Once you've managed to snarf a cookie, you can access (a user's) Gmail account without the password for the next two years," he said.

While the obvious risk is to the home user, many organizations could be exposed, since they do not filter employee e-mails sent from work to personal accounts, he added.

"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal.

"In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."

One work-around is to use Gmail through Firefox and disable JavaScript. While this limits user access to many components of popular Web sites, it will protect against the potential threat.

Developers at many large enterprises are not aware of the power of cross-site scripting, said Pure Hacking's Gatford. "In the last year or so, (XSS vulnerabilities) have been used by attackers to grab cookie values and therefore gain access to normally password-protected sites."

"When you have organizations like Google spending countless man-hours reducing security can imagine how bad the actual situation is for other organizations," Gatford said.

Gatford advised organizations to use resources such as the Open Web Application Security Project, or OWASP, which offers free tools to help write secure code and allow testing for XSS vulnerabilities.

Google was unavailable to comment.

Liam Tung of ZDNet Australia reported from Sydney.

See more CNET content tagged:
Gmail, XSS, cookie, organization, vulnerability


Join the conversation!
Add your comment
Google has bugs!!!
OMG, though that could never happen. Welcome to the real world.
Posted by FutureGuy (742 comments )
Reply Link Flag
Oh, Pu-leeze.
Google invented the internet, and is capable of doing no evil. (Says so in their mission statement.) Leaving user data at risk is only done through incopmetence at best, but usually because a company is evil. It's true, I've read it on the internet, RIGHT HERE at Cnet.

Software doesn't all have bugs, just evil software does. Google can do no evil, therefore, no bugs.

*OR*, we could all just admit that all software has bugs, but that is SO not fun, it would paint a bad picture of <insert software religion icon du jour here>.
Posted by KTLA_knew (385 comments )
Link Flag
This is unique to Google?
Someone exploited a vulnerability in cross-site scripting to gain access to a Gmail account and it is Google's fault?

The same thing can't be done to gain access to any other web service?

What if I'm logged into my CNET account and I click on a malicious link that snarfs my CNET cookie? Is this possible or is this vulnerability exclusive to Google?

Less fear and more facts please.
Posted by Fat Drunk and Stupid (32 comments )
Reply Link Flag
Tell me it ain't so...Google can do no wrong...
Typical for a web app.
Memo to all CIOs out there that chose gmail:
Posted by fred dunn (793 comments )
Reply Link Flag
Typical comment for an IT monkey...
Fearing for his job. You might have to find real work if companies figured out they don't need to pay you to dick around with the Exchange server all day.
Posted by solrosenberg (124 comments )
Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.