The Hypocrisy Weblog

Google’s haused, in beta, webmail-service “Gmail” is vulnerable to a security exploit that might allow hackers full access to a user’s email account simply by knowing the user name, according to reports.

Israeli news site “Nana” writes that the security flaw allows full access to users’ accounts, with no need of a password.

Using a hex-encoded XSS link (Cross Site Scripting), the victim’s cookie file can be stolen by a hacker, who can later use it to identify himself to Gmail as the original owner of an email account, regardless of whether or not the password is subsequently changed.

Following up a tip from an Israeli hacker, several co-workers from the site confirmed the attack and verified the exploit with local security firm Aladdin Knowledge Systems.

Israeli news site Nana writes;
“Everything could get publicly exposed – your received mails might be readable, as well as all of your sent mail, and furthermore – anyone could send and receive mail under your name”, thus reveals Nir Goldshlagger, an Israeli hacker, on an exclusive interview with Nana NetLife Magazine.”

Nana continues to quote Nir Goldshlagger;
“”Even more alarming”, he explains, “is the fact that the hack itself is quite simple. All that is needed of the malicious hacker, beside knowledge of the specific technique, is quite basic computer knowledge, the victim’s username – and that’s it, he’s inside”.”

…and ends with;
“Matters are several times worse when it comes to a service such as Gmail. Besides the obvious blow to Google’s seemingly spotless image, we’re looking here at a major threat to anyone who has turned to Gmail as his major email box. “Because Gmail offers a gigabyte of storage, several times bigger than most other web based mail services, users hardly delete any old correspondence”, says Goldshlagger. “The result is a huge amount of mail accumulating in the users’ boxes, which frequently include bank notices, passwords, private documents and other files the user wanted to backup. Who ever takes a hold of this data, could literally take over the victim’s life and identity”.”

It’s unclear whether the hole has been maliciously exploited as of yet. Google has been notified of the issue and is reportedly working on a fix.

EDIT: Google now claimed to have fixed the problem.

My comment to all of this is that it is quite surprising that Google did not work harder in anticipating such a hack-method while working on their email-service, yet it is understandable that they didn’t see this one coming, as after all; Gmail is in beta.

After this security flaw has been fixed there are still major personal integrity issues to be dealt with, especially when it comes to PR-work. (applies to everything from their core-business; their search-engine to new additions such as the “Google Desktop Search” where Google still have failed to inform the press, and subsequently the public about which information is passed on to Google from the user’s personal computer system. Failure in doing so will endanger Google’s image as “the good company”.

Over and out…

Tags: Google

Technorati Tags: Google