Google Plugs GMail Security Hole
Google has fixed a security hole in Gmail, its free, invitation-only 1GB webmail service. The flaw allowed a hacker to log into a user’s Gmail account knowing only the username. Apparently a hacker could use a hex-encoded XSS link to steal the cookie file used by a Gmail member to save their username and password on their own computer. The Register reports that a hacker “might later use it to identify himself to Gmail as the original owner of an email account regardless of whether or not the password is subsequently changed.”
There are currently no cases of the security hole being exploited by a hacker, and Google did a swift job of plugging the hole in its experimental email service before getting any security-related bad press. Nana, the publication that broke the Gmail security hole story, adds: “The flaw which was discovered by Goldshlagger and was tested many times by Nana’s editorial board had shown an alarming success rate. In order not to further jeopardize mail boxes’ owners, we will only disclose that the process is based upon a security breach in the service’s identity authentication. It allows the hacker to ‘snatch’ the victim’s cookie file (a file planted in the victim’s computer used to identify him) using a seemingly innocent link (which directs to Gmail’s site itself). Once stolen, this cookie file allows the hacker to identify himself as the victim, without the need of a password. Even if the victim does change his password afterwards, it will be to no avail.”
“The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won’t stop the hacker from using his box”, explained Goldshlagger to Nana.
More from Nana:
Matters are several times worse when it comes to a service such as Gmail. Besides the obvious blow to Google’s seemingly spotless image, we’re looking here at a major threat to anyone who has turned to Gmail as his major email box. “Because Gmail offers a gigabyte of storage, several times bigger than most other web based mail services, users hardly delete any old correspondence”, says Goldshlagger. “The result is a huge amount of mail accumulating in the users’ boxes, which frequently includes bank notices, passwords, private documents and other files the user wanted to back up. Whoever takes hold of this data could literally take over the victim’s life and identity”.
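
The quotes above describe a cookie that keeps identifying its holder as the victim even after the password is changed. The following is an added example, not Gmail's code and not from Nana or The Register, showing that behaviour next to one common server-side mitigation: binding each session to a per-user counter that is bumped on every password change. The class, method names and sample account are assumptions made for the illustration.

```python
import hashlib
import secrets


class Accounts:
    """Toy account store; every name here is hypothetical."""

    def __init__(self):
        self.pw_hash = {}    # user -> password hash
        self.epoch = {}      # user -> counter bumped on each password change
        self.sessions = {}   # session cookie value -> (user, epoch at login)

    def _hash(self, user, password):
        # Demo parameters; the username stands in for a random per-user salt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), user.encode(), 10_000)

    def set_password(self, user, password):
        self.pw_hash[user] = self._hash(user, password)
        self.epoch[user] = self.epoch.get(user, 0) + 1

    def login(self, user, password):
        stored = self.pw_hash.get(user, b"")
        if not secrets.compare_digest(stored, self._hash(user, password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, self.epoch[user])
        return token

    def check_naive(self, token):
        # Behaviour the article describes: the cookie alone identifies the user.
        entry = self.sessions.get(token)
        return entry[0] if entry else None

    def check_bound(self, token):
        # Mitigation: honour the cookie only if issued under the current password.
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, issued_epoch = entry
        if issued_epoch != self.epoch[user]:
            del self.sessions[token]   # stale session, revoke it
            return None
        return user


def demo():
    accts = Accounts()
    accts.set_password("alice", "old-password")     # constructed sample account
    copied = accts.login("alice", "old-password")   # cookie value later copied by a third party
    accts.set_password("alice", "new-password")     # victim changes the password
    fresh = accts.login("alice", "new-password")
    return accts.check_naive(copied), accts.check_bound(copied), accts.check_bound(fresh)
```

With the naive check the copied cookie still resolves to the account after the password change; with the bound check it is rejected and revoked, while the session created with the new password keeps working.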