Google email security flaw
p2pnet.net News:- A major security hole in Google’s mail service allows full access to user accounts – without the need of a password, states Israel’s Nana NetLife Magazine.
“Everything could get publicly exposed – your received mails might be readable, as well as all of your sent mail, and furthermore – anyone could send and receive mail under your name,” it quotes hacker Nir Goldshlagger as saying.
“Even more alarming”, he told Nana, “is the fact that the hack itself is quite simple. All that is needed of the malicious hacker, beside knowledge of the specific technique, is quite basic computer knowledge, the victim’s username – and that’s it, he’s inside.”
Nana says Google admit there’s a flaw and, “also assured us that this matter is being resolved, and that ‘the company will go to any length to protect its users’.”
An earlier flaw has been fixed, promises Google.
Software developer Jim Ley, who maintains the comp.lang.javascript FAQ, announced the flaw on his weblog, “But nobody noticed. Ley’s email message to security@google.com bounced. He looked in vain for a security hotline number,” says The Register, continuing:
“On Tuesday he demonstrated an ingenious potential application of the bug: a phishing exploit that announced that Google was becoming a subscription service, and invited the victim to enter their credit card details. Still no response.
“Google finally sat up and took notice after the vulnerability was posted on the Security Focus BugTraq mailing list. Google couldn’t explain why it didn’t have a working email or phone contact for security alerts, but according to Jim, seemed anxious that he remove the phishing example.”
“The exploit has been public for over 2 years, and Google have been informed on multiple occasions,” says Ley.
===================
UPDATE: - An IDG News Service story says the Gmail hole has been plugged.
"We have since fixed this vulnerability, and all current and future Gmail users are protected," Google spokesman Nathan Tyler is quoted as saying.
"Tyler declined to discuss the nature of the problem, but a source close to Google confirmed that the flaw allowed an attacker to gain complete control over a user’s account," says the report.
===================
See:-
security hole - NetLife Exclusive: Security hole found in Gmail, Nana NetLife Magazine, October 27, 2008
earlier flaw – Google finally fixes Desktop security vuln(erability), The Register, October 21, 2004
over 2 years – Google Script Insertion Exploit, BugTraq, October 19, 2004






October 30th, 2004 at 11:19 pm
“The exploit has been public for over 2 years”
“Security hole found in Gmail, Nana NetLife Magazine, October 27, 2008”
So time travel exists, or will do?
October 31st, 2004 at 8:08 am
Yes, it seems so….