[ISN] Security hole found in Gmail
InfoSec News
isn at c4i.org
Mon Nov 1 03:50:39 EST 2004
http://net.nana.co.il/Article/?ArticleID=155025&sid=10
[This was covered on Full Disclosure here...
http://seclists.org/lists/fulldisclosure/2004/Oct/1155.html
http://seclists.org/lists/fulldisclosure/2004/Oct/1159.html - WK]
Nitzan Weidenfeld
Nana NetLife Magazine
27/10/2004
So you've got a Gmail account? Or maybe you've just received an
invitation? Well, we have some bad news for you: your mailbox is
exposed. A major security hole in Google's mail service allows full
access to user accounts without the need for a password.
"Everything could get publicly exposed - your received mail might be
readable, as well as all of your sent mail, and furthermore - anyone
could send and receive mail under your name", reveals Nir
Goldshlagger, an Israeli hacker, in an exclusive interview with Nana
NetLife Magazine. "Even more alarming", he explains, "is the fact that
the hack itself is quite simple. All that is needed of the malicious
hacker, besides knowledge of the specific technique, is quite basic
computer knowledge and the victim's username - and that's it, he's
inside".
When approached, Google admitted the security flaw. Google also
assured us that the matter is being resolved, and that "the company
will go to any length to protect its users".
The flaw, which was discovered by Goldshlagger and tested many times
by Nana's editorial board, showed an alarming success rate. In order
not to further jeopardize mailbox owners, we will only disclose that
the process is based upon a security breach in the service's identity
authentication. It allows the hacker to "snatch" the victim's cookie
file (a file stored on the victim's computer and used to identify him)
using a seemingly innocent link (which points to Gmail's own site).
Once stolen, this cookie file allows the hacker to identify himself as
the victim, without the need for a password. Even if the victim
changes his password afterwards, it will be to no avail. "The system
authenticates the hacker as the victim, using the stolen cookie file.
Thus no password is involved in the authentication process. The victim
can change his password as many times as he pleases, and it still
won't stop the hacker from using his box", explains Goldshlagger.
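The paragraph above describes the two properties that make a stolen session cookie so damaging: the cookie alone proves identity, and a password change does nothing to it. The following is an added illustration of the server-side fix, not Gmail's code and not anything from the article or from Goldshlagger: a hypothetical SessionStore stamps each session with the user's password generation counter, a password change bumps the counter, and every session minted under the old counter (the stolen one included) stops validating. It also shows how a session cookie is emitted with the HttpOnly and Secure attributes, which keep the cookie out of reach of page script and off plaintext HTTP. All class and function names are assumptions made for this example.

```python
"""Session invalidation on password change (added example, not Gmail's code).

Assumed names: User, Session, SessionStore, set_cookie_header, walk_through.
The only dependencies are the Python standard library.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


@dataclass
class User:
    username: str
    password_hash: bytes
    salt: bytes
    password_generation: int = 0  # bumped on every password change


@dataclass
class Session:
    username: str
    password_generation: int  # generation the session was issued under
    created: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SessionStore:
    """In-memory user and session tables for the example."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, _hash_password(password, salt), salt)

    def _check_password(self, user: User, password: str) -> bool:
        # constant-time comparison of the derived hash
        return hmac.compare_digest(_hash_password(password, user.salt), user.password_hash)

    def login(self, username: str, password: str) -> Optional[str]:
        """Verify the password and issue an opaque, unguessable session id."""
        user = self.users.get(username)
        if user is None or not self._check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(username, user.password_generation, time.time())
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        """Resolve a presented cookie value to a username, or None if invalid."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        user = self.users[session.username]
        if session.password_generation != user.password_generation:
            # Issued before the last password change: treat as revoked.
            del self.sessions[sid]
            return None
        return session.username

    def change_password(self, username: str, old: str, new: str) -> bool:
        user = self.users[username]
        if not self._check_password(user, old):
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = _hash_password(new, user.salt)
        user.password_generation += 1  # invalidates every existing session
        return True


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie header line for a session id with hardening attributes."""
    cookie = SimpleCookie()
    cookie["SID"] = sid
    cookie["SID"]["httponly"] = True   # not readable by script in the page
    cookie["SID"]["secure"] = True     # only sent over HTTPS
    cookie["SID"]["path"] = "/"
    cookie["SID"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")


def walk_through() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Replay the article's scenario against the store (constructed data)."""
    store = SessionStore()
    store.register("victim", "correct horse battery")
    sid = store.login("victim", "correct horse battery")
    stolen = sid  # the attacker has obtained a copy of the cookie value
    before = store.whoami(stolen)               # "victim": stolen cookie works
    store.change_password("victim", "correct horse battery", "new passphrase")
    after = store.whoami(stolen)                # None: revoked by the change
    fresh = store.login("victim", "new passphrase")
    return before, after, store.whoami(fresh)   # ("victim", None, "victim")


if __name__ == "__main__":
    print(walk_through())
    print(set_cookie_header("example-session-id"))
```

The generation counter is the simplest form of the check; a production system would more often store an explicit revocation timestamp per user and reject any session created before it, which gives the same result and also covers "log out everywhere" actions.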
Whether hackers have already used this method to compromise users'
accounts is unclear at the moment.
Matters are several times worse when it comes to a service such as
Gmail. Besides the obvious blow to Google's seemingly spotless image,
we are looking at a major threat to anyone who has turned to Gmail
as his main email box. "Because Gmail offers a gigabyte of storage,
several times bigger than most other web-based mail services, users
hardly delete any old correspondence", says Goldshlagger. "The result
is a huge amount of mail accumulating in the users' boxes, which
frequently includes bank notices, passwords, private documents and
other files the user wanted to back up. Whoever takes hold of this
data could literally take over the victim's life and identity".
Ofer Elzam, a security expert at Aladdin, who examined the security
hole at Nana NetLife's request, explains: "This is a major threat, for
the following reasons: first - the users have no way of protecting
themselves; second - it's quite easy to carry out; and third - it
allows identity theft, which is nothing less than a serious danger to
the victim".
"On the bright side", he adds, "it's a good thing that this hole was
found now, before the service was officially announced and offered to
millions of users world-wide. I reckon it's just a matter of time
before an automatic tool is made, which would allow even the less
computer-savvy people to exploit this hack. The damage, needless to
say, could be huge".
Is there a way, after all, to protect ourselves in the face of this
danger? Elzam does not bear good news on the matter. "The only
immediate solution that comes to mind is not using Gmail to store any
messages or files that might be maliciously used, at least until
Google attends to this problem".