
Gmail Accounts Vulnerable to XSS Exploit

michael posted more than 9 years ago | from the ooooooops dept.

Bug 232

mallumax writes "A security hole in GMail has been found (an XSS vulnerability) which allows access to user accounts without authentication. What makes the exploit worse is the fact that changing passwords doesn't help. The full details of the exploit haven't been disclosed. The vulnerability was reported by Israeli news site Nana. They were tipped off by an Israeli hacker. Google has been notified and they are working to close the hole. The Register has the story here."


Oh no! (5, Funny)

scaaven (783465) | more than 9 years ago | (#10667702)

My google stock. My poor google stock!

Isn't it... (2, Insightful)

Sheetrock (152993) | more than 9 years ago | (#10667703)

just a bit irresponsible to be coming out with this before Google has had a chance to fix it?

Re:Isn't it... (4, Insightful)

realdpk (116490) | more than 9 years ago | (#10667732)

No. Certainly not. People should be made aware of security issues. Especially for free services like this, where people have no guarantee they will ever be addressed.

Re:Isn't it... (4, Insightful)

LiquidCoooled (634315) | more than 9 years ago | (#10667760)

It's not like a local exploit where we can stop using it, or update ourselves.

This SHOULD get maximum exposure. Maybe then the heads in google will jump on this with all their PHDs.

As for not fixing it, I doubt that's an option. Such a monumental failure so start in their public offering will be devastating to them.

Re:Isn't it... (2, Insightful)

LiquidCoooled (634315) | more than 9 years ago | (#10667797)

I should clarify that apart from deleting all my mail and closing my account I can do nothing about it. I don't want to lose my account though, I *like* gmail, and certainly don't want to go back to the hotmail wasteground.

(and also look sheepishly at the grammatical screwup in my previous post)

Re:Isn't it... (1)

Taco John (771912) | more than 9 years ago | (#10667749)

I don't think so, people have a right to be warned about a problem. Now, it is irresponsible if you withheld anything from Google as they tried to fix the problem.

Re:Isn't it... (4, Funny)

moonbender (547943) | more than 9 years ago | (#10667755)

I guess they weren't kidding when they said it's still in beta...

Re:Isn't it... (1)

Jason1729 (561790) | more than 9 years ago | (#10667888)

It will always "still" be in beta for 2 reasons. One is so they don't have any liability when things like this happen; after all they never said it was stable or secure, it's a work in progress. Two is that they're getting a lot of data to build up a social network with their invite system. With the rate at which invites are made available it is practically open now, you just need a link for their social network to join.

Jason
ProfQuotes [profquotes.com]

Re:Isn't it... (4, Interesting)

bhtooefr (649901) | more than 9 years ago | (#10667922)

Actually, those aren't the primary reasons. A Google app can be perfectly stable, and still be in beta, because "beta" for Google means looking for a way to make money off of it.

Now, I don't have a problem with that at all. Also, I do agree that in this case, Google has GMail in beta for other reasons too (maybe not even the making money off it part - AdWords has been adapted to GMail, so they might already be making money off of it).

Re:Isn't it... (2, Funny)

downbad (793562) | more than 9 years ago | (#10668123)

It will always "still" be in beta for 2 reasons. One is so they don't have any liability when things like this happen; after all they never said it was stable or secure, it's a work in progress.
like every project on freshmeat and sourceforge. ;)

Re:Isn't it... (1)

xeon4life (668430) | more than 9 years ago | (#10667891)

The parent is the most insightful comment I've ever read on Slashdot...

Bravo...

Re:Isn't it... (3, Informative)

DaHat (247651) | more than 9 years ago | (#10667764)

Some might agree... others would say that if that was the case, Microsoft (and others) would never fix security holes if they are not known.

Re:Isn't it... (2, Informative)

a16 (783096) | more than 9 years ago | (#10667806)

Some might agree... others would say that if that was the case, Microsoft (and others) would never fix security holes if they are not known.

Yes - but the key is that you should give the company in question enough time to be able to get a fix out before releasing the issue to the public. I haven't been able to RTFA; however, unless Google have not taken any action after a reasonable timeframe (say a week), posting the issue on Slashdot is not going to solve the problem any faster, and hence is just making more kiddies aware of this.

Keeping an issue you discovered 'secret' for a reasonable timeframe is the much more sensible option, you only need to go public if the issue is not fixed promptly.

Re:Isn't it... (0)

Anonymous Coward | more than 9 years ago | (#10667885)

I haven't been able to RTFA

Are you blind, illiterate, or just plain lazy? It's a 1/2 page article for crying out loud!

Re:Isn't it... (4, Insightful)

lukewarmfusion (726141) | more than 9 years ago | (#10667775)

Yes and no.

Yes - Google should have the opportunity to fix this appropriately, not racing against the slew of hackers, crackers, and script kiddies that want to exploit it.

No - People should be aware of security risks in the software, hardware, etc. that they use and upon which they rely.

Personally, I prefer to inform the company of vulnerabilities and offer to help fix them. It's helped me land clients and discredit competitors.

BSD is of course completely secure, and has girls (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10667704)

IMPORTANT UPDATE: Please show your support [calcgames.org] for Ceren in this poll of Geek Babes!

Is it any wonder people think Linux [debian.org] users are a bunch of flaming homosexuals [lemonparty.org] when its fronted by obviously gay losers [nylug.org] like these?! BSD [dragonflybsd.org] has a mascot [freebsd.org] who leaves us in no doubt that this is the OS for real men! If Linux had more hot chicks [hope-2000.org] and gorgeous babes [hope-2000.org] then maybe it would be able to compete with BSD [openbsd.org] ! Hell this girl [electricrain.com] should be a model!

Linux [gentoo.org] is a joke as long as it continues to lack sexy girls like her [dis.org] ! I mean just look at this girl [dis.org] ! Doesn't she [dis.org] excite you? I know this little hottie [dis.org] puts me in need of a cold shower! This guy looks like he is about to cream his pants standing next to such a fox [spilth.org] . As you can see, no man can resist this sexy [spilth.org] little minx [dis.org] . Don't you wish the guy in this [wigen.net] pic was you? Are you telling me you wouldn't like to get your hands on this ass [dis.org] ?! Wouldn't this [electricrain.com] just make your Christmas?! Yes doctor, this uber babe [electricrain.com] definitely gets my pulse racing! Oh how I envy the lucky girl in this [electricrain.com] shot! Linux [suse.com] has nothing that can possibly compete. Come on, you must admit she [imagewhore.com] is better than an overweight penguin [tamu.edu] or a gay looking goat [gnu.org] ! Wouldn't this [electricrain.com] be more liklely to influence your choice of OS?

With sexy chicks [minions.com] like the lovely Ceren [dis.org] you could have people queuing up to buy open source products. Could you really refuse to buy a copy of BSD [netbsd.org] if she [dis.org] told you to? Personally I know I would give my right arm to get this close [dis.org] to such a divine beauty [czarina.org] !

Don't be a fag [gay-sex-access.com] ! Join the campaign [slashdot.org] for more cute [wigen.net] open source babes [wigen.net] today!

$Id: ceren.html,v 9.0 2004/08/01 16:01:34 ceren_rocks Exp $

FP (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10667706)

Frost piss BITCHES!!!

dooy (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10667712)

OMFG have you seen the GMAIL 2 trailer it's like slow and it's telling you all the mail you sent in the first one then the music kicks in and and the geek comes out and gets an invite the inbox is on fire and geek is like fuck this im gonna go send an invite and HE SEND ONE TO A SPOOLER with angels singing and he lands on the spammer guys and that annoying scott richter guy is like GO GET EM TIGER! EMAIL IS ON TEH SPOKE!!!~`1 and theres less polys but rawkin bumb mappings you can view this on a special Gmail Invite that comes with a post modded down as "Troll".

Re:dooy (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10668035)

yuo=faggort.

Google needs to toss its cookies... (5, Informative)

LostCluster (625375) | more than 9 years ago | (#10667713)

The articles reveal that the basic design of the bug is to snatch the victim's cookie, and then the hacker can use that cookie to get into the account forever more. That cookie will always lead to the victim's account no matter what... even if they log out, even if they change their password, the cookie will still be valid authentication.

The XSS part is just an example of a way to steal the user's cookie. Clearly, any other way you can think of to grab a cookie file would work just as well.

It's a surprisingly bad design by Google standards. By assigning a forever-good cookie value to each user's account, it eliminates the need to re-login at home after using GMail at a public terminal, but the problem is if that cookie value ever falls into enemy hands the account is compromised and cannot be re-secured. Re-assigning the cookie value at each logon is the more traditional way of securing such things, although that means users who hop between more than one computer or even browser would have to re-authenticate every time they changed.

Re:Google needs to toss its cookies... (4, Informative)

ArbitraryConstant (763964) | more than 9 years ago | (#10667733)

I don't believe they use a forever cookie, they use a cookie that's invalidated after you log out OR (optionally) a 2 week cookie.

What I don't like about it is that it doesn't use SSL after you log in.

Re:Google needs to toss its cookies... (5, Informative)

LostCluster (625375) | more than 9 years ago | (#10667767)

The cookie file gets invalidated... but the problem is if you log back in, instead of getting a new value in your new cookie, apparently you get the same old value again. And worse yet, even if you don't log in again, bringing back that old cookie from the dead is all that's needed to log in.

It's not the expiration date on the cookie that's the problem, it's the fact that their database still associates "your cookie" with your account even if there's no authorized cookie in circulation.

Re:Google needs to toss its cookies... (5, Informative)

kinema (630983) | more than 9 years ago | (#10667864)

"What I don't like about it is that it doesn't use SSL after you log in."
Actually if you enter "https://gmail.google.com/gmail" in the location bar of your favorite browser you will continue to use an SSL secured connection for the duration of your session.

Re:Google needs to toss its cookies... (0, Redundant)

arunkv (116142) | more than 9 years ago | (#10667877)

What I don't like about it is that it doesn't use SSL after you log in.

That's not true. You can use SSL all throughout. Simply start at https://gmail.google.com/gmail [google.com] or even just manually change it to https after login.

Re:Google needs to toss its cookies... (0, Redundant)

Ryan_Singer (114640) | more than 9 years ago | (#10667924)

If you goto https://gmail.google.com/ [google.com] it will stay SSL throughout the session.

Re:Google needs to toss its cookies... (0, Redundant)

Hen3ry (84528) | more than 9 years ago | (#10667927)

Well, it certainly can use SSL after you log in. Just start with: https://gmail.google.com [google.com]

Re:Google needs to toss its cookies... (1)

slavemowgli (585321) | more than 9 years ago | (#10668018)

It doesn't automatically use SSL, but if you use https://gmail.google.com , you still get it.

doh (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10667714)

@gmail.com

Re:doh (1, Funny)

LiquidCoooled (634315) | more than 9 years ago | (#10667857)

Sorry, google only allows usernames with 6 characters or more.

Please enter a longer name, or choose from the following selection:

Dodiddleyoh@gmail.com
Dangdiddleydoh@gmail.com
ArghhhhDoh@gmail.com

Oh my god! (5, Funny)

Zangief (461457) | more than 9 years ago | (#10667715)

Maybe some hacker will make a program to break into every gmail account, read their mail, and send them ads about what people are talking about in mails!!!

Down with Israel (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10667717)

Israel is full of hackers, spies, and unsavory politicians.

Re:Down with Israel (-1, Troll)

lemonjus (717606) | more than 9 years ago | (#10667881)

You suck

wtf (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10667725)

this fucking gay ass.

dammit

XSS isn't that big a deal (1)

checkitout (546879) | more than 9 years ago | (#10667730)

Cross site scripting should not be considered a vulnerability.

Re:XSS isn't that big a deal (4, Insightful)

Sheetrock (152993) | more than 9 years ago | (#10667805)

Well, the problem is that we're looking at each individual XSS exploit as a vulnerability when we should be looking at XSS itself as an unwholesome feature in general.

Like when we started treating e-mail as a file transfer protocol, or when documents began to contain executable content, XSS gives an avenue of attack by adding a new and unrequested behavior to something that used to be secure. We need to reduce these channels of exploitation if computers are going to become secure -- especially as we head towards a homogenized environment on the Internet with regards to executable code (.NET/Java).

Re:XSS isn't that big a deal (5, Interesting)

phasm42 (588479) | more than 9 years ago | (#10667875)

XSS is not the real problem here. The real problem is that the cookie can be used to authenticate an account. If you get a copy of the cookie and take it to another machine, you could log on using that cookie, even after the cookie has expired. This is a poor design, and XSS is just one way to exploit this. Another would be to simply copy Mozilla's cookies.txt file, or whatever browser you use. Or to sniff out the cookie over the network and use it from then on.

Re:XSS isn't that big a deal (1)

gregduffy (766013) | more than 9 years ago | (#10667839)

Asshat. XSS is always a big deal. Stealing passwords, phishing, all kinds of things can be done with cross site scripting.

How can it not be a vulnerability? Anything that compromises the security of any system is a vulnerability of that system.

sweet grapes (5, Funny)

yahyamf (751776) | more than 9 years ago | (#10667744)

I waited so long to get a Gmail account, I don't care if it sucks now... I also like Doom3...

Re:sweet grapes (1)

miskatonic alumnus (668722) | more than 9 years ago | (#10668073)

People don't have to wait for an account anymore!

Why is this news? (-1, Redundant)

Anonymous Coward | more than 9 years ago | (#10667745)

Last time I checked Gmail was still beta with just a handful of people with accounts.

Re:Why is this news? (1)

over_exposed (623791) | more than 9 years ago | (#10667938)

Just a handful? Check again pal. Every week or so, I get six more invites to hand out and do so diligently. I've done this many many times. I know dozens of other people who do the same. Initially, a handful of people got accounts - probably several thousand... then they invited six buddies (or five buddies and made a spam account for themselves). Those five or six buddies invited five or six of their own... etc. etc. etc. I don't know hard figures, but there are very likely tens if not hundreds of thousands of GMail users, possibly more.

Oh no! Beta! (-1, Redundant)

Mr.Progressive (812475) | more than 9 years ago | (#10667748)

Well, to be fair, Gmail is still in 'beta'. This is the kind of thing beta is for, folks.

That's unpossible. (-1, Flamebait)

rubberband (731966) | more than 9 years ago | (#10667753)

but.. isn't google the infallible poster-boy for internet success? I have a gmail account and love it - I do have the impression though that a lot of the success google enjoys is due to reputation. (Their services are great, too.. but you have to get people to use them, right?). Hope they fix it before it hits the media.

ermm.. reputation can either be gained.. (1)

Tracer_Bullet82 (766262) | more than 9 years ago | (#10668078)

through..

One : Good PR
Two : "Branding"
Three : User Satisfaction

Which one GOOG use?

Cookie file (1)

crow (16139) | more than 9 years ago | (#10667756)

So isn't the real issue that there are bugs that allow your cookie file to be exposed? Shouldn't those be considered critical security bugs regardless of what Google does?

I must do my part to help. (5, Funny)

teamhasnoi (554944) | more than 9 years ago | (#10667774)

The first person to fix the exploit will get a FREE GMAIL INVITE!

I got it (1)

headbulb (534102) | more than 9 years ago | (#10667810)

Don't Use gmail..

Can I have that invite now?

Just joking I already have a gmail account, as a sidenote gmail is the best free email service I have used.

Re:I got it (1)

the_2nd_coming (444906) | more than 9 years ago | (#10667842)

even better is freepops which is a POP3 proxy on your computer that has plugins to login and download all your mail from what ever service you like to what ever client you like.

makes G-mail much better, as well as hotmail and yahoo mail :-)

Re:I got it (5, Funny)

Anonymous Coward | more than 9 years ago | (#10667969)

Yeah, I agree. Your gmail account is the best mail I've ever used.

- Anonymous Cookie monster

Re:I must do my part to help. (2, Funny)

LiquidCoooled (634315) | more than 9 years ago | (#10667882)

I've already got a gmail account, can I have a free iPod instead ;)

Re:I must do my part to help. (1, Offtopic)

Weirdofreak (769987) | more than 9 years ago | (#10667899)

And I'll give one to the first person who can explain how somebody's going to fix it without an account.

No IPods or the like though. Nyer.

Re:I must do my part to help. (0, Offtopic)

wdconinc (704592) | more than 9 years ago | (#10667963)

Thank you, I sent it to myself ;-)

Danger, Will Robinson (0, Redundant)

d_jedi (773213) | more than 9 years ago | (#10667778)

Holy $!@#)( this is bad news. Let's hope the Google people resolve this very, very quickly.. or I'm switching e-mail providers (yet again).

Re:Danger, Will Robinson (0)

Anonymous Coward | more than 9 years ago | (#10667958)

Sorry to burst your bubble but no one cares about you enough to read your e-mail.

Re:Danger, Will Robinson (1)

kormoc (122955) | more than 9 years ago | (#10668070)

Welp, if you just don't click on random links from people you don't trust, you don't have a problem...

And btw, this method has come up with all the other free email providers out there as well, and gmail is in beta ya know? it's not expected to be bug free yet...

Other bugs?? (4, Interesting)

Anonymous Coward | more than 9 years ago | (#10667779)

Did anybody else notice when they were coming up with unique login names when they first set up their gmail account that oftentimes the "Blahblah@gmail.com is taken" message would often be some other email address somebody else was trying? I mean, if you tried "johndoe@gmail.com" and it was taken, sometimes it would respond with "joeschmoe1234@gmail.com is already taken, try again".

PSA: XSS cookie theft (5, Informative)

whovian (107062) | more than 9 years ago | (#10667793)

Never heard of XSS until now (like me)? Here is one summary one summary [cgisecurity.com] of what the cookie theft looks like.

Re:PSA: XSS cookie theft (0)

Anonymous Coward | more than 9 years ago | (#10667971)

Never heard of PSA until now (like me)? Here is zero summary one summary [tgforum.com] of what the prostate problem looks like.

Re:PSA: XSS cookie theft (0)

Anonymous Coward | more than 9 years ago | (#10668044)

public service announcement /fark.com

it IS a beta... (1, Redundant)

jathan88 (820298) | more than 9 years ago | (#10667795)

As the article points out, it's a good thing that this was found before Gmail went into "official" release. I think it's great that Google *admits* that the product is still in beta, instead of releasing it as is and pretending that it's a polished product.

Anybody who uses a beta product for critical email shouldn't be entirely surprised when they run into trouble...

Re:it IS a beta... (1)

YrWrstNtmr (564987) | more than 9 years ago | (#10667858)

Account security problems should be worked out long before public beta status. Beta should be reserved for functionality, GUI, and interoperability issues.

I wonder how many people are using this 'beta'?

Re:it IS a beta... (5, Informative)

RetroGeek (206522) | more than 9 years ago | (#10668083)

Beta should be reserved for functionality, GUI, and interoperability issues.

No that is alpha. Once all the functionality is complete, the GUI has been approved, and the application can talk to the other applications it needs to, THEN the product goes into beta testing.

Beta is there to locate any bugs which made it past the alpha testers. Beta apps are considered feature complete.

Re:it IS a beta... (2, Informative)

kormoc (122955) | more than 9 years ago | (#10668137)

oh like no other free email service has ever been caught with their pants down *cough*hotmail*cough*. Least this isn't that likely to happen...

Re:it IS a beta... (5, Insightful)

buzzini (177741) | more than 9 years ago | (#10667878)

Labeling something "beta" almost indefinitely should not be a get-out-of-jail-free card. It seems to me that once a product is in fairly widespread use -- once a product has a marketing plan behind it -- saying "no fair, it's a beta!" is a little disingenuous.

Re:it IS a beta... (0)

Anonymous Coward | more than 9 years ago | (#10668001)

It's not just any beta at that. It's a public beta.

Re:it IS a beta... (0)

Anonymous Coward | more than 9 years ago | (#10668050)

Hard to use the beta argument when they pass out invites like there was no tomorrow. Everyone I know has a Gmail account and now it's getting to the point where it is hard to give out all the invites I get because almost everyone that wants want already has one.

Re:it IS a beta... (0)

Anonymous Coward | more than 9 years ago | (#10668105)

Though it is in beta, this particular vulnerability is not a bug but a design flaw that shouldn't have made it beyond the design review phase. If you are finding design flaws during beta testing it doesn't say much about the design and the design review process.

Is it really forever? (1)

RealAlaskan (576404) | more than 9 years ago | (#10667803)

The Nana article says that it works by stealing your cookies, so I don't think the problem should last longer than two weeks, since that's how long the Gmail cookies are supposed to be good for.

I've been using the Gmail account for stuff I could afford to lose, since there doesn't seem to be any way to shift it in bulk to my home computer. Now I'm really glad I didn't use it for anything important.

see... (0)

mbonig (727002) | more than 9 years ago | (#10667808)

this is what happens when you let a major corporation run an email system based on closed-source softwa.. [ducks]

Re:see... (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10667834)

Hey, weren't you the guy offering gmail invites on the GNAA posts? Why don't you post some of those on this story so interested readers can take advantage? It would be ontopic afterall.

MOD PARENT DOWN (0)

Anonymous Coward | more than 9 years ago | (#10667932)

this guy has been posting all sorts of GNAA shit and fake gmail invites.. if you dont believe me just search his name

In other news... (0)

Anonymous Coward | more than 9 years ago | (#10667811)

Real protocols like IMAP4 still secure when using proper authentication and SSL.

Need more than just the username (5, Informative)

Dominic_Mazzoni (125164) | more than 9 years ago | (#10667818)

I may be misinterpreting the story, but it sounds to me like you need more than just the username: you need to actually trick the user into giving you their GMail cookie by phishing. Obviously, this is a huge security hole and Google should fix it immediately, but it's not quite the same as the Hotmail backdoor from last year, which didn't require phishing at all. As long as you don't ever click on a link that sends you to GMail from an untrusted source, you should be safe.

Re:Need more than just the username (1)

contagious_d (807463) | more than 9 years ago | (#10667883)

Yeah, I was about to make the same comment. It seems like the seriousness of this was hyped up to make the news agency look better.

Good thing they are still in beta. (5, Funny)

bill_kress (99356) | more than 9 years ago | (#10667856)

They caught this problem in beta, just as should be done! Bravo!

Brings some true professionalism to an industry where companies actually ship/sell products with bugs like this all the time.

Re:Good thing they are still in beta. (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10667966)

They can call it beta all they want, but they obviously want people to use it as their primary e-mail account now. Just because they call it beta, doesn't exempt them from responsibility when they put their product out on the open market.

cookies are the root of all evil (0, Troll)

psbrogna (611644) | more than 9 years ago | (#10667890)

I've always been opposed to cookies. There's practically no reason why state control should be put on the client side. It's virtually impossible to secure a site that exposes variables client side. Anything you can do with a cookie can be done with a GUID context ID paired w/server side variable store.

The only argument for cookies is tracking a user between sessions (ie. to satisfy the evil marketing weenies). If browsers would just generate a GUID during installation and then have that be part of the HTTP stream there'd be no reason for cookies at all. Be a good idea to have some sort of trapdoor hash function to prevent browser GUID spoofing also.

Re:cookies are the root of all evil: Addendum 1 (1)

psbrogna (611644) | more than 9 years ago | (#10667920)

Context ID's of course have to be validated so they're invalidated if used from an IP other than the one they were created for.

Re:cookies are the root of all evil: Addendum 1 (1)

B2382F29 (742174) | more than 9 years ago | (#10667977)

Great, now get that working for dynamic IPs ...

Re:cookies are the root of all evil: Addendum 1 (1)

psbrogna (611644) | more than 9 years ago | (#10667983)

IP's that change in the middle of a session?! Well that would suck. I've never run across that.

Re:cookies are the root of all evil: Addendum 1 (1)

psbrogna (611644) | more than 9 years ago | (#10668004)

Wait, I have. AOL and some foreign satellite access providers but not lately- it's been a couple of years.

Re:cookies are the root of all evil: Addendum 1 (0)

Anonymous Coward | more than 9 years ago | (#10668058)

Great, now get that working on a shared connection like at work where hundreds of computers have the same external IP address

Re:cookies are the root of all evil: Addendum 1 (1)

psbrogna (611644) | more than 9 years ago | (#10668108)

The purpose of the IP validation is to prevent it working when a link gets out in the wild (for example, 3rd Party Insecure Toolbar X sends it off somewhere without your knowledge, somebody hacks your shortcuts, etc)

You still have to know the context ID. If you're giving your URL (with the context ID) to somebody with the same IP address as you odds are you want it to work for them anyway.

MOD PARENT IDIOT (0)

Anonymous Coward | more than 9 years ago | (#10668079)

How would this solve this problem? So I steal your GUID... same thing!! dummmy

Now everybody,not just Google,can read your email! (0, Troll)

VidEdit (703021) | more than 9 years ago | (#10667900)

Well, now, since everyone who uses GMail already lets Google read their mail, what's the difference if a few Hackers get a hold of your account? Oh sure, they could read your spam and your Slashdot subscription notices, but email is plaintext anyway! Anybody with a packet sniffer can read your email. As for sending e-mail in your name, spammers already do that now and few duffers can tell the difference.

Re:Now everybody,not just Google,can read your ema (5, Funny)

iMaple (769378) | more than 9 years ago | (#10668042)

what's the difference if a few Hackers get a hold of your account?

You know its not just as simple as you think. I mean I dont care if a few hackers read my email, but what if they decide to use sensitive info in it or delete it.

I run an e-business from Nigeria and earn some money in the process. People email me their bank account numbers, creditcard numbers ,SSNs and what not (I am creative). Now if some immoral hacker got hold of that data , the poor users would be duped twice, and I would feel really bad abt it (I mean I could have got twice the money myself if I wanted). So I request Gmail to help the Nigerian revolution and our fight against AIDS and dictators and fix the bug as soon as possible.

Easy Fix: (5, Insightful)

thesandtiger (819476) | more than 9 years ago | (#10667915)

1) Gmail plugs the hole.

2) They change the cookie validation test script in this case to require a different cookie than ones that were being given while the exploit was active.

3) When a counterfeit cookie (or any of the old cookies) tries to validate it's immediately seen as invalid, and the user is then made to login.

Of course, if someone already got at your stuff, well, that's bad.

Re:Easy Fix: (1)

thesandtiger (819476) | more than 9 years ago | (#10668056)

Forgive the self reply - I meant to say:

1) Gmail plugs the hole by: changing the cookie validation etc. etc. etc. Not that they plug the XSS hole.

2) Should be what #3 was.

3) Profit!
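
The cookie design discussed in this thread (a per-account value that survives logout and password change, as LostCluster and phasm42 describe it) set beside a rotating, server-revocable design that also covers the "reject the old cookies" fix proposed just above. This is an added example, not code from the thread or from Google; the class names, the `sid` cookie name and the HttpOnly/Secure flags are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 14 * 24 * 3600  # the optional two-week lifetime mentioned in the thread


class StaticTokenStore:
    """Flawed design as described in the thread: one fixed cookie value per account."""

    def __init__(self):
        self._token_by_user = {}

    def login(self, user):
        # Every login hands back the same value, so a copied cookie never goes stale.
        return self._token_by_user.setdefault(user, secrets.token_urlsafe(32))

    def logout(self, token):
        pass  # only the browser's copy is dropped; the server mapping remains

    def change_password(self, user):
        pass  # the cookie value is not tied to the credential

    def authenticate(self, token):
        for user, known in self._token_by_user.items():
            if secrets.compare_digest(known, token):
                return user
        return None


class RotatingSessionStore:
    """Hardened design: fresh random token per login, revocable and expiring server-side."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}      # sha256(token) -> (user, expires_at, issued_at)
        self._not_before = 0.0   # tokens issued earlier than this are rejected

    @staticmethod
    def _key(token):
        # Store only a hash so a leaked session table does not leak usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = (user, now + SESSION_TTL, now)
        return token

    def logout(self, token):
        self._sessions.pop(self._key(token), None)

    def change_password(self, user):
        # A password change ends every outstanding session for that account.
        self._sessions = {k: v for k, v in self._sessions.items() if v[0] != user}

    def revoke_issued_before(self, cutoff):
        # The fix proposed above: refuse every cookie handed out before the cutoff.
        self._not_before = max(self._not_before, cutoff)

    def authenticate(self, token):
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, expires_at, issued_at = entry
        if self._clock() >= expires_at or issued_at < self._not_before:
            del self._sessions[key]  # expiry is enforced here, not by the browser
            return None
        return user


def session_cookie_header(token):
    """Set-Cookie line that keeps the token away from page scripts and plain HTTP."""
    cookie = SimpleCookie()
    cookie["sid"] = token  # "sid" is a hypothetical cookie name
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = SESSION_TTL
    return cookie.output(header="Set-Cookie:")


def stolen_cookie_survives(store, user="alice"):
    """Constructed scenario: the cookie is copied, then the owner tries to recover."""
    stolen = store.login(user)
    store.logout(stolen)
    store.change_password(user)
    store.login(user)
    return store.authenticate(stolen) == user


if __name__ == "__main__":
    print("static design, stolen cookie still valid:", stolen_cookie_survives(StaticTokenStore()))
    print("rotating design, stolen cookie still valid:", stolen_cookie_survives(RotatingSessionStore()))
    print(session_cookie_header(RotatingSessionStore().login("alice")))
```
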

That sound you hear.... (1, Funny)

Anonymous Coward | more than 9 years ago | (#10667944)

We forgive you google, we wuv google, googie does no wrong, WE FORGIVE U GOOGIE!!!

I wuv you too /. (1, Funny)

Anonymous Coward | more than 9 years ago | (#10668090)

"We forgive you google, we wuv google, googie does no wrong, WE FORGIVE U GOOGIE!!!"

Thanks /.! Rest assured that your little darling is sorry for this colossal blunder! I will try harder next time not to expose every single bit of information that you store in me.

And thanks for not crucifying me the way you did Hotmail and others. Seriously, I appreciate all your double-standards, really I do. Now I can be just as exploit-ridden as Samba, OpenSSL, and Firefox and still know that you will always put a spin on it and somehow blame M$.

I wuv you too /.
Signed,
Your Googlie Woolgie

Nana? Anan? (1)

tsager (196659) | more than 9 years ago | (#10667952)

No no no, they got it all backwards!

(I bet they meant liamG to be vulnerable)

Israeli hackers? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10667953)

The Jews are trying to hack open Google for Yahoo IMHO.

Wives (5, Funny)

mekanizer (823259) | more than 9 years ago | (#10667954)

Time to read our wives' e-mail to see if they are cheating or something.

Re:Wives (0)

Anonymous Coward | more than 9 years ago | (#10668062)

I'm not worried about that... I keep my wife happy :P Can you say the same?

Re:Wives (1, Insightful)

Anonymous Coward | more than 9 years ago | (#10668131)

It's easier to tell than that. For instance: is she spending the week-end with a "friend"? Leaving Friday night and coming home late Sunday "too tired" to do anything? Is this occurring every week-end?

Does she go out drinking with this same "friend" 2-3 times per night? Every week? Often drinking at fetish clubs or going to swinging events, again with this same "friend"?

Those are much easier signs to look for than snooping through e-mail :-)

Hmmm.... (0, Troll)

spicy salsa (826249) | more than 9 years ago | (#10667973)

I actually think the Hotmail backdoor was fairly similar to this (you used a login form on a site other than Hotmail.com and you did not have to enter a password).

Free Flat Screen HERE! [freeflatscreens.com]

Well this would have been.. (2, Interesting)

Tracer_Bullet82 (766262) | more than 9 years ago | (#10668020)

news to me, if I could access the damn accounts.

had to tell people to revert to my old e-mail, since invariably I cannot open it.

Crossing my fingers, these issues will be solved in beta.

Not a real problem. (4, Insightful)

NotoriousQ (457789) | more than 9 years ago | (#10668039)

No worries! Remember it is still a beta. It is not like anyone will use this for a serious purpose.

mo3 up (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10668043)

UsEr. 'Now that Simple solution

off topic : gmail invites (0, Offtopic)

peeledback (649168) | more than 9 years ago | (#10668064)

I have 6 ? anybody want? send an email to peeledback ...at..@!#..punkass.com