52 Comments

- chris9902, on 10/10/2007, -3/+34
Google have already fixed it.

- Lorddias, on 10/10/2007, -1/+18
So they want to steal my spam? They can have it!

- pigg123, on 10/10/2007, -2/+10
Seriously, for those who are upset over these recent flaws in a web application, I must ask you, what is the difference between this and, say, the recent exploits found in Outlook / Outlook Express or any other email client?
At least with a web application, the vulnerability is patched a lot quicker than notifying the public that the application is vulnerable to attack, getting them to download the latest patch, applying it, etc.
Google is not perfect.... no software ever is.

- jacobmp92, on 10/10/2007, -0/+8
Vulnerability: http://www.gnucitizen.org/blog/google-gmail-e-mail ...

- theWaterboy, on 10/10/2007, -0/+6
Um,.... how about your own personal email server?

- Temp722, on 10/10/2007, -1/+7
Wrong.
HTTPS will encrypt your traffic between your home and the Gmail server. It can't protect you from CSRF/XSS.

- sdmdj, on 10/10/2007, -6/+11
google ftw.

- DevlinD, on 10/10/2007, -1/+5
Seriously, when designing a system, especially one that is as large and complex as the Google platform of applications, you have no choice but to iterate based on user feedback. This goes for security as well.
Developers obviously didn't knowingly leave the vulnerability in there, and testing can only cover so many scenarios. This is exactly why open source is always considered of higher quality than closed source - since a single company cannot possibly employ enough people to test every aspect of its product or service, they rely on the wisdom and power of crowds.
Google is the next best thing to open source in this respect, I believe. They actually pay attention to what people are saying and make these suggestions and findings a high-level importance, hence they get fixed quickly. I would like to see ANYONE in the world develop a system that is completely bug free (including security bugs) without having extensive testing and feedback from users. It's impossible. So anyone here that thinks Yahoo or some other web-based email (or system in general) is without its flaws, think again.
Personally I have heard the least about Google's security flaws, so in my book that makes them the best of the pack, and where I will keep my email.

- simd, on 10/10/2007, -0/+3
The vulnerability was fixed much more quickly than most client or server mail applications.

- FKnight, on 10/10/2007, -2/+5
Google fanbois burying your comment, lol. Too bad it's true. They can keep their product marked BETA perpetually, and they'll have an unlimited supply of unpaid fanboys defending Google's right to have bugs in their software with the phrase "what do you expect? It's beta" while out of the other side of their mouth, they'll tell you that you should use it for your corporate mail.

- shotgunefx, on 10/10/2007, -0/+3
How about adding a lastlog to Gmail, a panel that shows the last X number of logins and from where? For people who care enough to check, you'd have at least some peace of mind.

- JohnnyXmas, on 10/10/2007, -0/+3
HTTPS has NOTHING to do with this.

- inactive, on 10/10/2007, -0/+2
It's funny. I was talking about how Google could end up doing a lot of work for the government last night.

- tigerpaper, on 10/10/2007, -0/+2
but their company motto is 'don't be evil'...
: /

- ThatsUnpossible, on 10/10/2007, -1/+3
"This is exactly why open source is always considered of higher quality than closed source - since a single company cannot possibly employ enough people to test every aspect of its product or service they rely on the wisdom and power of crowds."
So what you're saying is something like Digg is "always considered of higher quality" than something like the NY Times, since the NY Times is a single company, and Digg uses the wisdom and power of crowds. Every article getting dugg up is better?

- BillDoE, on 10/10/2007, -0/+2
"Security researcher Petko Petkov has revealed a cross-site request forgery vulnerability in Gmail that makes it possible for a malicious web site to surreptitiously add a filter to a user's Gmail account that forwards e-mail to a third-party address."
Awesome, I hope they like spam because that's what I use it for. Signing up for forums and other junk I know will spam me.

- SocialPoison, on 10/10/2007, -2/+4
http://www.google.com/search?q=outlook+exploits&ie ...
Go to Google, genius :P

- gioma1, on 10/10/2007, -0/+1
Analysis and defense: http://hackademix.net/2007/09/26/gmail_csrf/

- FKnight, on 10/10/2007, -0/+1
It's not very hostile at all. It is, however, pretty productive. And you can browse whatever the hell you want during lunch hour (unless it's illegal or pornographic).

- trylleklovn, on 10/10/2007, -2/+3
The difference? Gmail is free. (!)

- iseth, on 10/10/2007, -1/+2
So this is why they're still not dropping the "beta" from the name...

- daridave, on 10/10/2007, -1/+2
Hint: he was being sarcastic.

- niviche, on 10/10/2007, -2/+3
Has it? The article says "it is presently unclear whether or not the vulnerability discovered by Petkov has been fixed yet."

- pw378, on 10/10/2007, -3/+4
Gmail doesn't have spam... Or at least so little that I hardly noticed. Google spam filters FTW!

- inactive, on 10/10/2007, -0/+1
Firefox + NoScript FTW once again. I can no longer imagine surfing without NoScript (and Flashblock).

- tek1024, on 10/10/2007, -0/+1
I agree with your point—regarding what's newsworthy. The judgments of the hoi polloi about what makes serious, remarkable news are a qualitatively different scenario from multitudes of people pooling their resources and double-checking each other as they engineer a program with finite sets of viable configurations.

- SocialPoison, on 10/10/2007, -2/+3
Google is not perfect....
BLASPHEMER!!
BURN HIM!!!!

- bradleyland, on 10/10/2007, -0/+1
Exactly. CSRF attacks are pretty difficult to protect against. Well, not difficult, but the attack method is particularly nasty because the request actually comes from the user's PC, and if you're using persistent authentication (cookie-based authentication), there's virtually no way to determine if the request is script initiated or user initiated. That is to say, a JavaScript-initiated request looks just like a user-submitted request. It is an attack style that requires that your app use a less common authentication scheme.
What is needed is better control of inter-domain requests from within scripting languages. You can attempt to do this on the server side by checking the referrer, but you're still trusting information sent by the client PC.
Right now, you're pretty much forced to rely on transient authentication methods, which are less common and less understood by your average programmer.

- FKnight, on 10/10/2007, -1/+2
Web-based email (as well as tons of other types of sites that people shouldn't be going to at work) is blocked where I work because we use web filtering technologies, attached to proxy servers and access control lists using category-based blocking and content inspection, etc. They can't even get close to tunneling traffic out of our network either to third-party proxies or anything because we have a qualified networking and security staff. Every time I see a story on Digg on how to get around web filtering at work, I laugh because none of those techniques will ever work on our network.
As far as DRM and unauthorized email, we have automated processes in place at every step of the way from email client (Outlook) all the way to our outbound SMTP servers that inspect content, sanitize it, and handle it based on business rules, including such things as preventing the recipient from even printing it.
Oh, and it's all Microsoft, and it all works great.

- cawpin, on 10/10/2007, -1/+1
How exactly is web-based email blocked? They would have to block all port 80 traffic to truly block it. There is always a path if you can get to the web. And also, digital rights management? Are you talking about encryption?
- LinuxKitty, on 10/10/2007, -0/+0
They already do things for the government. Earlier today, I got this message when searching for something:
In response to a legal request submitted to Google, we have removed 1 result(s) from this page. If you wish, you may read more about the request at ChillingEffects.org.
Turned out that some site (I have no idea which one, I was searching for "images of god" while discussing a religious topic with someone) apparently had been objected to by some government agency of my country. I felt as if I was in China for a moment. I'm amazed that Google cooperates that willingly.

- LinuxKitty, on 10/10/2007, -0/+0
I'll take a Gmail exploit that is fixed within a few hours over malicious DRM any day.

- picsectionpleez, on 10/10/2007, -4/+4
Gmail = Google knows your friends, your interests and private conversations
Google Office = Google knows your work, school, thoughts, etc.
Google search = Google knows what you are pursuing
Google knows your life, and once they become the government no one is going to think they're so cool anymore.

- subliminalurge, on 10/10/2007, -1/+1
So, until a fix is announced, all I have to do is check my settings and make sure there are no mysterious filters set up, and I can continue to use Gmail with peace of mind.

- picsectionpleez, on 10/10/2007, -2/+1
Dude, they ARE the government. It's not publicized because it's all about Google taking over the government and not the other way around. Notice how Google dictated to the government how that spectrum of airwaves was to be auctioned? Guess who's been building their own private Internet with data storage centers all over the nation? Did anybody see how the DOD announced a few weeks ago that the gov't needs to build its own Internet again? So now Google is going to own the American net, control cell phones, store everyone's personal data, oh God, I can't go on - I feel like a conspiracy nut just for seeing the obvious....

- inactive, on 10/10/2007, -2/+1
Google has?

- brownster, on 10/10/2007, -1/+0
Check out bluebottle.com; you can use the webmail (not so hot) but also free POP and SMTP, but with a very good anti-spam tool that uses a confirmation request if the originator is not on your 'white list' of acceptable emails.

- gomxgom, on 10/10/2007, -1/+0
I'd hate to work at your company. Sounds like a very hostile place.
Somebody there needs to read the Cluetrain Manifesto.

- picsectionpleez, on 10/10/2007, -2/+1
I would avoid Gmail for reasons other than this.

- FKnight, on 10/10/2007, -2/+1
Yeah, RECENT, *****.

- FKnight, on 10/10/2007, -3/+1
Stupid comment system truncated my comment.
The difference between this and client-side email clients is that there is absolutely nothing an end user or local corporate IT can do to prevent this from happening, and even one redirected email can spell doom for a business if it's the wrong email. Many companies, such as the one I work for, like to be in control of and responsible for their own email security. Fortunately, where I work, web-based email is blocked, and THANKS TO DIGITAL RIGHTS MANAGEMENT, unauthorized information can never leave this building over an Internet pipe destined for an unauthorized recipient.
I'll take my corporate email any day.

- thailand1972, on 10/10/2007, -3/+0
I mentioned upthread that Gmail is getting like eBay - it has the attention of hackers just like eBay, who want information, not money. A lot of businesses are using Gmail accounts because they believe their data is safe. Except it isn't... Google aren't making money from Gmail - it's used to win people over to the Google brand, but for me it's no safer than Hotmail or Yahoo - all are web-based, all have similar vulnerabilities. Use client-side software, and let your firewall / mail server software deal with the hackers. Do it properly, or accept your emails are there to be read by all and sundry.

- FKnight, on 10/10/2007, -4/+1
Care to point out the "recent exploits in Outlook / Outlook Express"?

- Philluminati, on 10/10/2007, -7/+4
I'm seriously unhappy with Google for these recent flaws, which seem quite extreme. I use a forwarding address so I can drop my account in a heartbeat. I don't know how many more of these vulnerabilities I can pretend are acceptable. The only question is where could I go that was better (and not Yahoo)?

- thoughtbeans, on 10/10/2007, -12/+9
Most of the Google products are still marked beta. This helps them keep all the bugs in the products forever.

- caspy7, on 10/10/2007, -6/+3
I always just make sure to use https instead of just http so it's secured.
I'm assuming that would avoid this problem (someone tell me if I'm wrong).

- thailand1972, on 10/10/2007, -9/+4
GMail has too many vulnerabilities - these are not the only ones. Also it's becoming a bigger and bigger target for hackers. It's getting like eBay - whereas eBay is used by hackers to get money, hackers use GMail to get information.

