A vulnerability in Gmail that lets the bad guys access and manipulate filters in your Gmail account has once again reared its ugly head according to a recent post on GeekCondition.
The exploit, similar to the one David Airey was a victim of in December 2007 when his site was hijacked, caught our attention thanks to Philipp Lenssen's post this morning over on Blogoscoped. While the general consensus is that Google had fixed the vulnerability, turns out it's still there.
It begins when you visit a malicious site while logged into Gmail. Whether you reached that site through a link in your Gmail account or not, the malicious site can make your browser send requests to Gmail that carry your logged-in session, a cross-site request forgery.
The malicious site then, unbeknownst to you, can create an automatic filter that diverts your e-mail to a different e-mail account. Given all this happens on Google's mail servers, you are none the wiser until you look at your filters. A detailed write up about this process is available at GeekCondition: Gmail Security Flaw Proof of Concept.
Along with gaining access to private messages, this exploit, once in place, compromises all future e-mails in your Gmail account. MakeUseOf points out that if your Gmail details are registered as the contact details for any domain registrations, your domain can be hijacked and held to ransom: the attacker uses the account recovery and password resetting tools on your domain host account, and the confirmation e-mails are forwarded to them without your knowledge.
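The attack described above works because the browser attaches the Gmail session cookie to any request, including one triggered from another site, and a settings endpoint that authenticates by cookie alone cannot tell the difference. The following is an added illustration, not code from the page, from Google or from any of the sites mentioned: a cookie-only "create forwarding filter" handler next to a hardened version that also requires a POST, a same-origin Origin/Referer header and a session-bound anti-CSRF token that a third-party page cannot read. The secret, origin, session store and request dictionaries are all constructed for the example.

```python
import hmac
import hashlib
from typing import Mapping
from urllib.parse import urlsplit

# Constructed for this example: a server-side secret and the site's own origin.
SERVER_SECRET = b"constructed-example-secret"
SITE_ORIGIN = "https://mail.example.com"

# Constructed in-memory session store: session cookie value -> account.
SESSIONS = {"sess-123": "alice@example.com"}


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session anti-CSRF token as a keyed HMAC of the session id.

    The legitimate settings page embeds this token in its form. A malicious
    page cannot read it (same-origin policy), even though the browser will
    still attach the session cookie to a cross-site request."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url: str) -> bool:
    """Exact scheme+host comparison; a prefix check would be fooled by
    hosts such as mail.example.com.evil.net."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def vulnerable_create_filter(request: Mapping, filters: dict) -> bool:
    """Cookie-only check: any site the victim visits can trigger this."""
    account = SESSIONS.get(request["cookies"].get("sid"))
    if account is None:
        return False
    filters.setdefault(account, []).append(request["form"]["forward_to"])
    return True


def hardened_create_filter(request: Mapping, filters: dict) -> bool:
    """Same operation, accepted only when the request is a POST, names our own
    origin in Origin (or Referer) and carries the session-bound token."""
    if request["method"] != "POST":
        return False
    sid = request["cookies"].get("sid")
    account = SESSIONS.get(sid)
    if account is None:
        return False
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    if not same_origin(origin):
        return False
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(sid)):
        return False
    filters.setdefault(account, []).append(request["form"]["forward_to"])
    return True


def cross_site_request() -> dict:
    """Constructed request as the browser would send it when a third-party page
    submits a form to the settings endpoint: the victim's cookie is attached
    automatically, the Origin header names the other site, no token present."""
    return {
        "method": "POST",
        "headers": {"Origin": "https://third-party.example.net"},
        "cookies": {"sid": "sess-123"},
        "form": {"forward_to": "someone-else@example.net"},
    }


def legitimate_request() -> dict:
    """Constructed request from the real settings page, token included."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"sid": "sess-123"},
        "form": {"forward_to": "backup@example.com",
                 "csrf_token": csrf_token_for("sess-123")},
    }


def demo() -> dict:
    """Run both handlers against both requests and report what each accepted."""
    vuln, hard = {}, {}
    return {
        "vulnerable_accepts_cross_site": vulnerable_create_filter(cross_site_request(), vuln),
        "hardened_accepts_cross_site": hardened_create_filter(cross_site_request(), hard),
        "hardened_accepts_legit": hardened_create_filter(legitimate_request(), hard),
        "hardened_filters": hard,
    }


if __name__ == "__main__":
    print(demo())
```

The token check is what actually closes the hole; the Origin/Referer check is defence in depth, since some proxies strip those headers and a missing header should then be treated as cross-site rather than trusted. Note also the point raised in the ZDNet item below: fixing the endpoint does not remove filters that were created before the fix, so an audit of existing filters is still needed.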
September 25, 2007
GNUCitizen's Petko D. Petkov suggested that Gmail has a security flaw and partially described the cross-site request forgery exploit.
September 28, 2007
GNUCitizen updated the post to include the proof of concept based on information that Google had fixed the flaw.
October 1, 2007
ZDNet published a post by Kaspersky Labs security evangelist Ryan Naraine that stated the exploit had been patched, but still recommended, at Google's suggestion, that people check their filter lists, because the patch did not remove filters that had already been planted.
November 20, 2007
David Airey's site is hijacked, redirected and held to ransom. Airey claimed it was the result of the Gmail exploit exposed by GNUCitizen in September.
November 2, 2008
The bad guys hijacked MakeUseOf's domain and redirected it to a parked domain. Editor-in-chief Aibek confirmed the attack, saying that the hackers gained access to the domain information by setting up a forwarding filter in Gmail.
What to do about it
Aibek, in a more recent post, details the hijacking of MakeUseOf and offers four suggestions:
Geekamongus also recommends encrypting your browser connection, an option available on the main settings page in Gmail.
Remember, opening up a new tab, or even a new window of the same browser, is ineffective and still leaves you open to attack: every tab and window of one browser profile shares the same cookies, so a malicious page in any of them can make requests with your Gmail session. In a discussion over on YCombinator one suggestion for Firefox users is to use Gmail in a different browser profile. You could also consider using a separate browser when logged into Gmail.
Clearly this is an ongoing problem, but what isn't apparent is whether this is a new exploit or just the original one that was never fully resolved. Either way, you should make a point of reviewing the filters on all of your Gmail accounts to make sure the only filters in place are those that you created.
Here at RWW, we love Google's Gmail, and have written about it often. We've also discussed Google's lack of response to complaints, and the unfortunate things Google has done with Gmail in the past. However, we'd like to think e-mail security sits somewhere at the top of Google's list of priorities.
Of course, it wouldn't hurt if ISPs everywhere decided to offer private registrations as standard without an additional charge, but that's another story.
UPDATE:
Since publishing this post we have been in contact with a Google spokesperson who gave us this quote:
"We're trying to reach the blogger making this claim for more details, but we haven't seen evidence that this would be specific to Gmail -- we use standard industry methods for protecting cookies, similar to most web services using HTTP. In fact, we offer additional protection by offering the option of a secure connection (HTTPS) throughout the session for free."
Comments
I would also recommend people use Firefox with the csrf protector addon https://addons.mozilla.org/en-US/firefox/addon/8996, this is designed to protect against these cross site request forgery hacks.
Since the patch by Google, has anyone been able to show that a security flaw still exists?
Posted by: michael.chelen.myopenid.com | November 23, 2008 9:03 PM
I think a great and easy solution would be for browsers like FireFox to offer the ability to open a new window/tab that doesn't share information by default. Each is completely independent of the other. And if you want to open a shared session across multiple windows/tabs, then you need to hit the special key at the same time (say middle mouse button and shift)...
Ugh.
I use gmail for everything. Changing certain things to a different email account seems like a daunting task.
Private registrations should be the default. We shouldn't have to pay extra to keep our personal information private.
the1_ts - Great idea. Thanks for the suggestion.
Michael - It turns out so. Google has given us a statement (above in the update), but I believe they are working on it.
Steph - what a great idea. Wonder if they can?
Kim - Exactly! :)
Just fyi, it looks like this had nothing to do with XSS or CSRF. Instead, the evidence points to phishing. The Gmail team did a post here: http://googleonlinesecurity.blogspot.com/2008/11/gmail-security-and-recent-phishing.html
clicker beware. all those pretty templates and no security. I just hope gmail doesn't do a MySpace and facebook and make warnings instead of really dealing with the issue. Warnings don't keep me from double clicking. btw... can you people name an example url that accesses a person's gmail?