September 27, 2007 6:54 AM PDT
Gmail cookie vulnerability exposes user's privacy
"This can be used to forward all your incoming e-mail," Pure Hacking security researcher Chris Gatford said. "It's just a proof of concept at the moment, but what they're demonstrating is the potential to use this vulnerability for malicious purposes."
According to Gatford, attackers could compromise a Gmail account--using a cross-site scripting vulnerability--if the victim is logged in and clicks on a malicious link. From that moment, the attacker can take over the session cookies for Gmail and subsequently forward all the account's messages to a POP account.
"If someone picks up on this before Google fixes it--or if someone knew of the vulnerability before this guy published it--this could be very damaging to Gmail users," he added.
The problem is potentially compounded by Google's policy of retaining cookies for two years.
"Once you've managed to snarf a cookie, you can access (a user's) Gmail account without the password for the next two years," he said.
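The two-year retention Gatford describes is what turns a one-time cookie theft into long-term access. As an added defensive illustration that is not code from the article, Google or Pure Hacking, the following in-memory session store issues cookies with HttpOnly and Secure attributes and enforces a bounded absolute and idle lifetime (the 8-hour and 30-minute values are hypothetical policy choices), so a token copied through an XSS payload stops working once the window closes.

```python
"""Added example (not from the article): a session store whose cookies are
HttpOnly/Secure and expire on an absolute and an idle timer, so a leaked
session token is only useful for hours, not years."""
import secrets
from dataclasses import dataclass

ABSOLUTE_TTL = 8 * 3600   # hypothetical policy: 8 hours from issue, not 2 years
IDLE_TTL = 30 * 60        # hypothetical policy: 30 minutes without activity


@dataclass
class Session:
    user: str
    issued_at: float
    last_seen: float


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def issue(self, user, now):
        """Create a session and return its unguessable 256-bit token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def set_cookie_header(self, token):
        # HttpOnly keeps script (document.cookie, the usual XSS exfiltration
        # path) from reading the token; Secure keeps it off plaintext HTTP;
        # Max-Age makes the browser discard it on the same absolute window.
        return (f"Set-Cookie: SID={token}; Max-Age={ABSOLUTE_TTL}; "
                "Path=/; Secure; HttpOnly")

    def lookup(self, token, now):
        """Return the user for a live token, or None once it has expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.issued_at > ABSOLUTE_TTL or now - s.last_seen > IDLE_TTL:
            del self._sessions[token]  # expired: a stolen copy is now useless
            return None
        s.last_seen = now
        return s.user
```

A stolen token also needs server-side revocation on logout or password change; deleting the entry from the store is what makes that possible, which a purely client-side expiry cannot do.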
While the obvious risk is to the home user, many organizations could be exposed, since they do not filter employee e-mails sent from work to personal accounts, he added.
"People do use private accounts to store work information," IBRS security analyst James Turner said. "I've worked at one organization where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal.
"In an ideal world, an organization would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels--Gmail and Facebook included."
Developers at many large enterprises are not aware of the power of cross-site scripting, said Pure Hacking's Gatford. "In the last year or so, (XSS vulnerabilities) have been used by attackers to grab cookie values and therefore gain access to normally password-protected sites."
"When you have organizations like Google spending countless man-hours reducing security vulnerabilities...you can imagine how bad the actual situation is for other organizations," Gatford said.
Gatford advised organizations to use resources such as the Open Web Application Security Project, or OWASP, which offers free tools to help developers write secure code and test for XSS vulnerabilities.
Google was unavailable to comment.
Liam Tung of ZDNet Australia reported from Sydney.