Gmail cookie vulnerability exposes user's privacy - Software - News - ZDNet Australia
Breaking News: Interpol defends voluntary filter

ZDNet / Google / Story

Gmail cookie vulnerability exposes user's privacy

By Liam Tung, ZDNet Australia on September 26th, 2007 
Submit

Petko Petkov of ethical hacking group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users.

"This can be used to forward all your incoming e-mail," Pure Hacking security researcher Chris Gatford told ZDNet Australia. "It's just a proof of concept at the moment but what they're demonstrating is the potential to use this vulnerability for malicious purposes."

According to Gatford, attackers could compromise a Gmail account -- using a cross-site scripting [XSS] vulnerability -- if the victim is logged in and clicks on a malicious link. From that moment, the attacker can take over the session cookies for Gmail and subsequently forward all the account's messages to a POP account.

"If someone picks up on this before Google fixes it -- or if someone knew of the vulnerability before this guy published it -- this could be very damaging to Gmail users," he added.

The problem is potentially compounded by Google's policy of retaining cookies for two years.

"Once you've managed to snarf a cookie you can access [a user's] Gmail account without the password for the next two years," he said.

While the obvious risk is to the home user, many organisations could be exposed since they do not filter employee e-mails sent from work to personal accounts, he added.

IBRS security analyst James Turner told ZDNet Australia: "People do use private accounts to store work information. I've worked at one organisation where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal.

"In an ideal world, an organisation would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels -- Gmail and Facebook included."

One workaround is to use Gmail through Firefox and disable Javascript. While this limits user access to many components of popular Web sites, it will protect against the potential threat.

The power of cross-site scripting
Developers at Australian government and large enterprises are not aware of the power of cross-site scripting, said Pure Hacking's Gatford.

You might be interested in:

"In the last year or so, [XSS vulnerabilities] have been used by attackers to grab cookie values and therefore gain access to normally password protected sites," he said.

"When you have organisations like Google spending countless man hours reducing security vulnerabilities ... you can imagine how bad the actual situation is for other organisations," said Gatford.

Gatford advised organisations to use resources such as OWASP, which offers free tools to help write secure code and allow testing for XSS vulnerabilities.

Google was unavailable to comment at the time of writing.

Talkback

This is Cross Site Request Forgery (CSRF) *not* XSS.

cmlhcmlh January 9th, 2011
Report offensive content Reply (0) (0)
Add your opinion

In order to post a comment, you need to be registered. (Sign In or register below)

Post your comment

Terms of Service - As a ZDNet registrant, and by using this service, you indicate that you agree to our Terms and Conditions and have read and understand our Privacy Policy.

Resource Centre Useful content from our premier sponsors

ZDNet Australia Live

RT @zdnetaustralia: Vodafone sheds 30K more customers: http://t.co/bZtS82q9

FACEBOOK: Facebook admits it needs to fight scams more efficiently: By Emil Protalinski | February 9, 2012, 12:3... http://t.co/trTqRr1t

Ethical iPhone protests hit Apple stores: Daisey told ZDNet Australia that a first-hand trip to Foxconn saw him ... http://t.co/2FKFeSrZ

Optus attacked over council cable costs - Sutherland Shire Council is locked in a stalemate with Optus over the $110... http://t.co/vSc1IhbC

We'll build it, but will they come? http://t.co/0w28x1Ay

Why a $25 computer means revolution http://t.co/QMSqOLaq

We'll build it, but will they come?: I hate to rain on anybody's parade, but the New Zealand Government has unco... http://t.co/1vt5r0W1

by http://t.co/vmlQ0Ecb: We'll build it, but will they come?: I hate to rain on anybody's parade, but the New Zea... http://t.co/7dEGwqqF

Review: Chrome 17, faster than ever, more secure than ever. http://t.co/9HZCYssv

The end of an era as Kodak discontinues camera business http://t.co/dl7yyd7t

Optus attacked over council cable costs: Sutherland Shire Council is locked in a stalemate with Optus over the $... http://t.co/3kpAuwwD

Optus attacked over council cable costs: Sutherland Shire Council is locked in a stalemate with Optus over the $... http://t.co/Xv4IwDP9

Do more lax Australian #privacy laws hurt international business? http://t.co/Uo2t14TP #law

In only 3 months. Yowsers! (And I am one of them) RT @zdnetaustralia: Vodafone sheds 30K more customers: http://t.co/r1CArZg6 #vodafail

"BUT WE'RE SPENDING A BILLION DOLLARS TO BUILD A NEW NETWORK" RT @zdnetaustralia @Vodafone_au sheds 30K more customers: http://t.co/zbF32yQh

RT @zdnetaustralia: Vodafone sheds 30K more customers: http://t.co/hkaD9EeK

Sutherland Shire Council is locked in a stalemate with Optus over the $110,000 cost of a cable replacement http://t.co/zxYTZaJj

Won't that improve the service? RT @zdnetaustralia: Vodafone sheds 30K more customers: http://t.co/cZtRLzPJ

RT @zdnetaustralia: Vodafone sheds 30K more customers: http://t.co/hkaD9EeK

by http://t.co/vmlQ0Ecb: Optus attacked over council cable costs: Sutherland Shire Council is locked in a stalema... http://t.co/CIwHzp5S

Surely Vodafone knew this would happen... the customers certainly did! I jumped ship as soon as I could. http://t.co/ehCrfX2T

It's pretty funny that a local council would think a verbal agreement with Optus was sufficient. http://t.co/Nasa1I9t

Vodafone sheds 30K more customers: http://t.co/hkaD9EeK

RT @zdnetaustralia: Vodafone sheds 30K more customers: http://t.co/hkaD9EeK

RT @CTAspley: Apple set to announce the iPad 3 in early March http://t.co/yTZVTkE3

Ethical iPhone protests hit Apple stores: http://t.co/MjtFB4r7

RT @zdnetaustralia: Ethical iPhone protests hit Apple stores: http://t.co/MjtFB4r7

zvelo is in the news - PC Mag http://t.co/Tg5LCQF1 PC World http://t.co/vj9siTzR ZDNet http://t.co/jkeQ8NOt c|net http://t.co/eAM1Z9nX

RT @zdnetaustralia: Kodak discontinues camera business http://t.co/jqKWDFO7 < my very first camera was a Kodak instamatic

Apple set to announce the iPad 3 in early March http://t.co/yTZVTkE3

Interpol defends voluntary filter: ZDNet Australia http://t.co/ovXm1UHb (Badly, really.)

Aussie activists call for "ethical iPhone": Activists today gathered at the Apple Store in Sydney's CBD to deliv... http://t.co/KgfQQWdu

Aussie activists call for "ethical iPhone": Activists today gathered at the Apple Store in Sydney's CBD to deliv... http://t.co/zbKQLRhX

RT @zdnetaustralia: Why a $25 computer means revolution http://t.co/ufWQdLzT

RT @zdnetaustralia: Google is reportedly getting ready to take on Dropbox with its own cloud-based storage service http://t.co/qEoMRSk4

buy convert dvd to asf to your friends

1 hour ago by chatheli on 700MHz auction: The death knell for Aussie 4G?

Good article and some good comments guys. The lazy, monopolistic bullies that are bleating about this (TA, AFL, NRL, CA etc) need a reali...

1 hour ago by Progressive on More TV Now may mean less TV later

The Raseberry has a great role in automating heating and cooling systems, and in process control. Just get a few termisters along with an...

1 hour ago by lsatenstein on Why a $25 computer means revolution

invention these appreciate Every using after Numerous Not well ordering customer any custom route do make these current can consider of N...

3 hours ago by gurbapagnonna on Abetz shifted in reshuffle

I'd say a reasonable amount of it would be. In the Queensland Department of Education's case, it said it was trying to make as much of it...

4 hours ago by suzanne.tindal on The application nation

Great article, Suzanne—couldn’t agree more. It is only logical for organisations – private or public-- to take a long, hard look â€...

4 hours ago by kashe on The application nation

Every example of action against child molesters in this story related to internet protocols other than the www. This filter then achieves...

5 hours ago by Bob.H on Interpol defends voluntary filter

Soooo... it's okay for Apple to demand use of technologies and designs falling under competitors patents (considered "standards"), but on...

13 hours ago by MoWeb on Apple wants new rules for mobile patents

But I am having an intelligent conversation young fibes, my point is the lofty goal that all are equal is unfortunately not so. That is w...

15 hours ago by Doubt on NBN Co inks $620m satellite deal

May be so, but we do need to lighten up some of these people who are so serious. poor old fibretech nearly brings tears to the eyes and j...

15 hours ago by Doubt on Turnbull decries 'Rolls-Royce' satellites

The latest MS Windows update for XP tries hard to persuade you to update. For those machines that already have IE8 loaded it tries to re-...

15 hours ago by brak on Windows XP clings on as dominant OS

Will be interesting to see if he drives the qld gov political IT agenda or looks to address the IT challenges being faced by qld gov agen...

16 hours ago by Flly on Queensland's CIO returns to the post

So angry! NOKIA has forgotten the main purpose and the user function, and instead prioritised their industry level concerns. I bought my...

16 hours ago by spaceagesoup on Nokia skips Australia in Symbian Belle roll-out

I get what you mean in your context, meski. If the filter is like speed cameras, then people can alternately take side streets and back r...

18 hours ago by techkid on Interpol defends voluntary filter

Remind me again how people can get to a leadership position with absolutely no practical knowledge? I would ask Alexander how he intends...

18 hours ago by cleversoap on Internet won't always be anonymous: ITU

I was reading about DMARC at http://www.unlocktheinbox.com/resources/dmarc.aspx, perhaps they should try to implement something like this...

20 hours ago by wpfn on Phishing scam causes Telstra email woe

As you can tell, I'm a big follower. For AFL read NRL.

20 hours ago by phildobbie on The TV Now aftermath

Im not sure if David Gallop realises he now works for the AFL.

20 hours ago by katerich on The TV Now aftermath

That assumes that people see the stop sign. If you're using proxies, or whatever *all* the time, then these stop signs will never be obs...

21 hours ago by meski on Interpol defends voluntary filter

The advanced remote controlled machines reduce the human working rate from hazardous environment.

21 hours ago by Manasy on Robotic mining worth its high cost: Rio

This story has been voted 20 times in the last 24 hours!

2 days ago, Symantec confirms hacker extortion

This story has been voted 10 times in the last 24 hours!

2 days ago, Symantec confirms hacker extortion

Facebook Activity

Keep up with ZDNet Australia

LinkedinLinkedin Join our network

RSS FeedsRSS Feeds Subscribe now

NewslettersNewsletters Subscribe today

AlertAlertsSubscribe now

ZDNet Events Calendar

ZDNet Events Calendar

Plan Comparison

Prev Next
Loading...
Deals powered by WhistleOut

Sponsored resources