[ISN] Google patches Gmail security hole

InfoSec News isn at c4i.org
Fri Jan 14 03:14:48 EST 2005


By Matthew Broersma
JANUARY 13, 2005 

Google Inc. has fixed a bug in its Web-based e-mail service, Gmail,
that allowed users to read the contents of other people's messages.  
HBX Networks, a Unix community group, discovered the bug while testing
a Perl script intended to automate sending batches of newsletters.  
Messages sent to the group's own e-mail address contained HTML code in
the "Reply To" field, and this code turned out to be the message body
of other users' e-mail messages.

The problem appears to be caused by a missing > character in the
formatting of the "From" fields generated by the group's Perl script.  
"This, apparently, was enough to get GMail to provide us with some
portion of someone else's messages," HBX members wrote in their
analysis yesterday.

They speculated that the missing character caused Google's application
to read other data into this buffer -- a message that had been sent
recently, for example. In at least one case, the intercepted e-mail
contained username and password information, the group said.

"Regardless of the specific failure, the result is a compromise of the
privacy of communications over Gmail," the group wrote. "Message
content and address information are easily -- if somewhat randomly --
available to unintended recipients."

Google said the problem was fixed shortly after the HBX Networks
report appeared. "At 10:15 a.m. PST mails with the problematic
formatting as described in your previous story stopped being accepted
into Gmail. Previous e-mails that had this problem will also no longer
will be accessible. We appreciate your patience and we're sorry about
the bug," Chris DiBona, Google's open-source program manager, said in
an e-mail to the tech discussion site Slashdot. He urged users to
report security bugs to security at google.com.

HBX expressed concern that other such bugs might exist. "The
appearance of this issue, at the user level, probably indicates a
failure in GMail's code review and/or quality assurance standards,
which may result in other, similar errors," the group wrote.

While it is technically still in beta testing, Gmail has become one of
the most popular Web-based e-mail services since its launch in April
and has begun to come under the same scrutiny as other Google
services. Last month, for example, Google fixed a flaw with its
desktop search that could have allowed hackers to search the contents
of a PC.

Security problems are nothing new to Web e-mail. Last March, shortly
before Gmail's launch, IT security firm GreyMagic Software
demonstrated that scripts could be run in Hotmail and Yahoo Inc.'s Web
e-mail, bypassing scripting restrictions. Scripts embedded in e-mail
messages could have been used to steal passwords or spread worms,
researchers said. The problem has been fixed.

More information about the ISN mailing list