Nov
GMail Vulnerabilities
Today, while going through Indiatimes Infotech, I found a scary yet interesting piece of news on the site. It is about a security flaw in Gmail (Google Mail, powered by Google). Being a Gmail user myself, this is kind of horrifying and threatening.
A geek blogger named Brandon wrote a post at Geek Condition about the security flaw in Gmail. According to Brandon, because of this flaw many people have already lost their domains registered with GoDaddy (a domain registrar).
The security flaw in Gmail allows a hacker to have the victim's GoDaddy account reset information forwarded without his/her knowledge or consent. This is done by creating a filter that forwards GoDaddy's 'change of password' mail to the hacker and deletes it from the user's inbox. This sounds really wacky.
Brandon shows how he would do it if he were a blackhat. When a user creates a filter in a Gmail account, a request is sent to Google's servers to get it cleared. The request is in the form of a URL with many variables that the browser doesn't display. However, the Firefox web browser with a plugin called Live HTTP Headers displays exactly which variables are sent to Google's servers.
By process of elimination, the role of each variable can be ascertained. One particular variable is equivalent to the username, which is permanent. The other variable can be determined by tricking the user into visiting a web page that contains malicious code. This malicious code steals the cookie from the user and creates an iframe with a URL containing the variables that authorise Gmail to create a filter for the user's account.
There are also solutions to this flaw from the user's end.
Firefox users can download an extension called NoScript that helps prevent such hacks, suggests Brandon. And always remember that being cautious can help save you from many such attacks.
It is also suggested that you log out of Gmail when it is not in use.
Also avoid visiting websites which you don’t trust.
According to Brandon, to avoid such vulnerabilities Google needs to devise a mechanism that makes the variables or session authorisation key expire after each request rather than after each session.
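The per-request expiry Brandon proposes can be sketched on the server side as follows. This is an added example, not code from Brandon's post or from Google; the class, the `create_filter` handler, the parameter names and the session ids are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


class OneTimeTokens:
    """Anti-forgery tokens bound to one session and valid for one request."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side secret, never sent out
        self._pending = {}                   # session id -> unused nonces

    def _mac(self, session_id, nonce):
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id):
        # A fresh token is embedded in every form the server renders.
        nonce = secrets.token_hex(16)
        self._pending.setdefault(session_id, set()).add(nonce)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def consume(self, session_id, token):
        nonce, _, mac = token.partition(".")
        expected = self._mac(session_id, nonce)
        # Constant-time comparison; a token minted for another session fails here.
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False
        unused = self._pending.get(session_id, set())
        if nonce not in unused:
            return False          # already spent: a captured value is useless
        unused.remove(nonce)      # expire after this single request
        return True


def create_filter(tokens, session_id, params):
    """Hypothetical handler for a state-changing 'create filter' request."""
    if not tokens.consume(session_id, params.get("token", "")):
        return "rejected"
    return "filter created"


def demo():
    tokens = OneTimeTokens()
    sid = "session-alice"  # constructed sample session id
    tok = tokens.issue(sid)
    first = create_filter(tokens, sid, {"forward_to": "me@example.org", "token": tok})
    replay = create_filter(tokens, sid, {"forward_to": "x@example.net", "token": tok})
    other = create_filter(tokens, "session-bob", {"token": tokens.issue(sid)})
    return first, replay, other
```

With a session-long key, the second call in `demo()` would succeed; with single-use tokens only the request that carries the freshly issued value is accepted.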
Meanwhile, a spokesperson from Google said that they are trying to reach the blogger to get more information, as well as proof of Brandon's concept and his authenticity.











