Serious Google Gmail flaw exposes sensitive user data |
 |
By Dennis Fisher, Executive Editor
27 Sep 2007 | SearchSecurity.com |
|
|
Google Inc. is facing some serious questions about the security of its applications after a researcher disclosed a flaw in its popular Gmail offering.
|
|
|
|
|
This is injecting scripts and being able to take over the user's mailbox. You can send emails, pull contacts, whatever.
Billy Hoffman,
lead researcher, HP Security Labs
|
|
|
|
|
|
|
|
|
|
The new issue is a variant of a cross-site scripting vulnerability in Gmail which could enable an attacker to silently forward emails and contacts from a remote user's account to any email account he chose.
The problem, discovered and detailed by GNUCitizen , a hacking group that tracks flaws in so-called Web 2.0 applications, arises when a user who is logged in to Gmail visits a malicious Web page with a special bit of code embedded in it. The page performs an action that injects a filter into the user's Gmail filter list.
The attacker can write whatever filter he chooses, a powerful capability in Gmail. An attacker could, for example, write a filter to pull every email from a specific sender or with the words "Bank of America" in the subject line, and have them forwarded to a remote mailbox. Once the filter is in place, it would work silently until the user noticed its existence. The attacker could also use the filter to pull contact information from the victim's address book, if he chose.
|
| Cross-site scripting attacks: |
Cross-site tracing vs. Cross-site scripting: Cross-site tracing, slightly different from cross-site scripting, can still do some significant damage to your Web applications. In this SearchSecurity.com Q&A, information security threats expert Ed Skoudis reveals how each attack is carried out.
How to prevent cross-site scripting: Learn how cross-site scripting, a common Web application attack, operates and what Web users and Web developers can do to protect against it, in this information security threats Ask the Expert Q&A.
What are the risks of social networking sites?: Social networking sites allow someone to post information that thousands of other users can read. But that's not at all. In this Q&A, information security threats expert Ed Skoudis reveals how sites like Myspace and Youtube let the bad guys post something dangerous. |
|
|
|
|
Security experts say this vulnerability, known as cross-site request forgery, is a classic example of the growing danger of cross-site scripting type flaws in a world where technologies such as AJAX and JavaScript are ubiquitous.
"This is not what we see with other cross-site scripting. This is injecting scripts and being able to take over the user's mailbox. You can send emails, pull contacts, whatever," said Billy Hoffman, lead researcher at HP Security Labs, based in Atlanta, and an expert on AJAX and Web security issues. "This shows just how dangerous cross-site scripting is. We're starting to see people take this more seriously because of the amount of AJAX that's being used on online banking sites and other sites. I think it's hitting a critical mass."
Petko D. Petkov, the researcher who found and disclosed the vulnerability, said Web-based flaws are now more serious in many cases than holes in packaged software applications.
"In an age where all the data is in the cloud, it makes no sense for the attackers to go after your box. It is a lot simpler to install one of these persistent backdoor/spyware filters," Petkov wrote in his description of the attack. "Game over! They don't own your box, but they have you, which is a lot better."
|
|
|
|
