[ISN] Google plugs hole exposing Gmail mailboxes

InfoSec News isn at c4i.org
Tue Nov 2 03:51:51 EST 2004


By Joris Evers
IDG News Service
November 01, 2004

Google Inc. has fixed a security flaw in its Gmail Web-based e-mail
service that allowed attackers to hijack users' e-mail accounts.

"Google was recently alerted to a potential security vulnerability
affecting the Gmail service. We have since fixed this vulnerability,
and all current and future Gmail users are protected," Google
spokesman Nathan Tyler said.

Tyler declined to discuss the nature of the problem, but a source
close to Google confirmed that the flaw allowed an attacker to gain
complete control over a user's account.

The problem was in the way Gmail authenticated users. An attacker
could steal a so-called cookie file identifying the user by making use
of a seemingly innocent link to Google's own Web site, according to a
report on the Web site of the Israeli publication Nana NetLife

The cookie allowed an attacker to sign on to Gmail as the victim from
any computer without having to enter a password. The attacker would
continue to be able to access the Gmail account even if the password
were changed, according to Nana NetLife, which cited an Israeli hacker
named Nir Goldshlagger.

An investigation by Google found that only a handful of Gmail users
were victimized, the source close to the Mountain View,
California-based company said.

Google announced Gmail in April, grabbing headlines because of the 1GB
storage space provided with a Gmail account. The service is still
officially in beta testing and Internet users can only get accounts
after receiving an invitation from a current user. Google does not
disclose how many Gmail accounts it hosts.

More information about the ISN mailing list