Google has fixed a flaw in its Gmail Web based e-mail service after the problem was disclosed by a blogger, the company said Thursday.
The flaw could allow JavaScript code to run when viewing a message in Gmail, potentially allowing malicious code to be used by an attacker to compromise a Gmail account, according to a blogger who calls himself "Anthony."
The blogger, who claims to be a 14-year-old student, found the flaw when sending code from his Yahoo Web mail account to his Gmail account, he wrote on Wednesday. The Web log is hosted by Google's Blogger service.
Google fixed the flaw "very shortly after the initial blog post went up," a representative for the Mountain View, Calif., company said. "We learned of a minor security flaw in Gmail a little while ago and worked quickly to fix the problem, which has now been resolved," the representative said.
Because the vulnerability was fixed quickly, it likely never was exploited in any attacks, the representative said. Still, Google would have preferred to have been alerted to the flaw privately, instead of via a public blog.
"We encourage all vulnerability reporters to follow responsible disclosure practices and notify vendors first before making the vulnerability public," the representative said.
Flaws in online services are found regularly. Last December, Google fixed a security hole in the mechanism it uses to generate error pages for forbidden redirects and pages that don't exist on the Google Web site. The flaw opened the door to phishing scams, account hijacks and other attacks.
when i was 14 i began learning javascript. not exactly sure why he was sending it from one email account to the other though. it makes more sense that he was trying to find a flaw in the first place.
i can already imagine what the flaw was. an email with javascript code most likely was mistakingly used in the browser while inside the email instead of converting the code to unalterable text for display.
Kids are getting smarter and smarter these days, contrary to what the media would have you believe. One 14-year I worked with a few years ago had attained full Novell certification(Certified Novell Engineer)- on top of doing his regular high school curriculum. Yup, wrote and passed all the relevant Novell Netware exams. He became the de-facto Network Administrator for the school. Too bad he easily succumbed to peer pressure, and granted all his buddies admin privileges too.
And his peers were all 14-15 year old Linux hackers. A vendor plugged in their unix firewall appliance at the high school, and minutes later it was hacked to bits.
Just imagine - if they can do all this before even hitting puberty - how much more could they do years down the road?
I disclosed insecure script handling on Google's service.
The flaw was able to harvest millions of e-mail addresses.
The flaw was able to hi-jack entire groups
Compromise owner and moderator e-mail accounts
Leave a mailicious owner and moderator account in thousands of groups
Was disclosed to the major mailing lists in December 2005 as "Google is vulnerable from XSS attack"
50 to 80 days later, still was no fix.
Put the flaw on Digg.com as "Unpatched: Google attack vector" and the flaw was finally fixed, weeks after that.
Major delay for a flaw which is able to cause global consequence to spam and phishing in months and years to come.
Maybe the entire list of e-mail addresses should be put up on eBay?
Your corporate and consumer e-mail spam and phishing coming at you due to a javascript flaw thats "minor".
I wonder how much money will be made from the sale? eBay will be forced to pull the sale, but at least the timely sale will get media attention.
Regards,
n3td3v
The harvest is still continuing to this day because of the malicious owner and moderator accounts left on thousands of existing groups, which pick-up new members as they join a group.
Google creates an animated doodle that features a boy, a girl, Google's search engine, and a jump rope. But might there be darker, more analytical, more troubling interpretations to this tale?
The Silicon Valley online payments startup grew by 1,000 percent last year and is hopeful it can repeat that level of growth this year. To do that, it's had to move away from its early friends-and-family roots and embrace small businesses.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
i can already imagine what the flaw was. an email with javascript code most likely was mistakingly used in the browser while inside the email instead of converting the code to unalterable text for display.
Kids are getting smarter and smarter these days, contrary to what the media would have you believe. One 14-year I worked with a few years ago had attained full Novell certification(Certified Novell Engineer)- on top of doing his regular high school curriculum. Yup, wrote and passed all the relevant Novell Netware exams. He became the de-facto Network Administrator for the school. Too bad he easily succumbed to peer pressure, and granted all his buddies admin privileges too.
And his peers were all 14-15 year old Linux hackers. A vendor plugged in their unix firewall appliance at the high school, and minutes later it was hacked to bits.
Just imagine - if they can do all this before even hitting puberty - how much more could they do years down the road?
The flaw was able to harvest millions of e-mail addresses.
The flaw was able to hi-jack entire groups
Compromise owner and moderator e-mail accounts
Leave a mailicious owner and moderator account in thousands of groups
Was disclosed to the major mailing lists in December 2005 as "Google is vulnerable from XSS attack"
50 to 80 days later, still was no fix.
Put the flaw on Digg.com as "Unpatched: Google attack vector" and the flaw was finally fixed, weeks after that.
Major delay for a flaw which is able to cause global consequence to spam and phishing in months and years to come.
Maybe the entire list of e-mail addresses should be put up on eBay?
Your corporate and consumer e-mail spam and phishing coming at you due to a javascript flaw thats "minor".
I wonder how much money will be made from the sale? eBay will be forced to pull the sale, but at least the timely sale will get media attention.
Regards,
n3td3v
The harvest is still continuing to this day because of the malicious owner and moderator accounts left on thousands of existing groups, which pick-up new members as they join a group.
Google Groups owned? You decide.
Let me just say, I am glad that I do not use Google Groups.