Nov 21, 2009

Gmail Security Flaw

 		free web hosting
Open Discussion & Free Web Hosting > Computers & Tech > Search Engines > Google

Gmail Security Flaw

shotgun
Nov 26 2008, 04:13 AM
QUOTE
When you create a filter in your Gmail account, a request is sent to Google’s servers to be processed. The request is made in the form of a url with many variables. For security reasons, your browser doesn’t display all the variables contained within the url. Using FireFox and a plugin called Live HTTP Headers, you can see exactly what variables are sent from your browser to Google’s servers.

Here is an example of a request url sent to Google to create a filter exactly like the one in the image above. I’ve broken down the url by variable so it’s easier to read:

http://mail.google.com/mail/
?ui=2
&ik=ad7df7dc23 *Unique Account Identifier*
&at=xn3j35svndkg48yp2qgmpt99ivcqdc *Session Authorization Key*
&view=up
&act=cf
&rt=h
&zx=pjo6fg-k2ljzh&search=cf
&cf1_from=support%40godaddy.com
&cf2_emc=true&cf2_email=hacker%40hacker.com
&cf2_tr=true

Through a process of elimination you can determine the role of each variable. The two most important variables, ik & at. The ik variable is the equivalent of a username, each account has one and it never changes. Obtaining this variable is tricky but possible. I’m not going to tell you how to do it, if you search hard enough online you’ll find out how.

Obtaining the at variable on the other hand can be done by tricking a user into visiting a page that contains malicious code that subsequently steals a cookie from the user called GMAIL_AT which is the same as the at variable, just named differently. Once the cookie is stolen the malicious code creates a hidden iframe with a url containing the variables that authorize Gmail to create a filter for your account.

Cnet News

-------------
OS:Windows Vista Ultimate Sp1
MD:Asus P5N-E
CPU:2.40GHz/Intel Quad Core Q6600
RAM:Corsair Dual Channel 4GB 800Mhz
VC:XFX GeForce 9800 GTX/512MB

 

 

 


Comment/Reply (w/o sign-up)

yordan
Nov 26 2008, 12:41 PM
This article has already been published by Brandon on Sunday, November 23rd, 2008,
here : http://geekcondition.com/2008/11/23/gmail-...oof-of-concept/
The geekcondition post goes further than your text, explaining what to do in order to workaround this security hole, as well as honestly giving also the official google answer which is, guess what ?
QUOTE
We’ve seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners’ domains by unauthorized third parties. At Google we’re committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability….

@shotgun : please read our forum rules again. Here, at Astahost, we prefer original articles.
It is not forbidden to post copied text, however you must put the copied text between quotes and mention where you copied the text from.
I did this quoting job for you today, I would like you to do the quoting job by yourself next time.
Else, we could imagine that you are trying to cheat with our Credit System. And this makes the admins around here rather angry. mad.gif

 

 

 


Comment/Reply (w/o sign-up)

FirefoxRocks
Nov 29 2008, 07:40 PM
So does this mean that an attacker could gain unauthorized access to your account or what exactly is the problem with this security hole? Is it preventable or is Google currently investigating a patch right now?

Comment/Reply (w/o sign-up)

yordan
Nov 29 2008, 08:32 PM
QUOTE(FirefoxRocks @ Nov 29 2008, 08:40 PM) *
So does this mean that an attacker could gain unauthorized access to your account or what exactly is the problem with this security hole? Is it preventable or is Google currently investigating a patch right now?

If you read the original post, you will see that google has solved the problem and claims that there is no real security hole.

Comment/Reply (w/o sign-up)

Got an Opinion! Express your Views! (no registration):-
Add your Reply/ Opinion/ Views/ Comments/ Suggestion/ Questions/ Queries etc.
Posts with decent grammar & English will be accepted and please refrain from profanities.
For asking a Question, We recommend you to sign-up (for free) so that you can track the topic easily.
Nature of your Post*: Opinion/ Reply/ Comments
Question/Query
Feedback to us.
       
Name   Email
Title/Question*

This textarea will convert to Rich-Text automatically (IE, Firefox, Chrome)

Similar Topics

Keywords : gmail, security, flaw

  1. The New Gmail Video And Voice Chat Plug-in
    (4)
  2. Something You've Need To Know About Gmail
    (8)
    I was surprised the other day when I read about the types of security connections that you get when
    you use Gmail. It seems when you use Gmail, Google uses https for authentication and http for
    everything else, I assume to save resources. I guess my surprise was in that Google didn't
    maintain a secure session once logged in regardless if you entered the site via http or https. Yes,
    I may be a bit naive in assuming that this would be done by default. To change this issue, you have
    to Log In to your mail account, and in Configurations, you have to go to the bottom p....
  3. Goolge Gmail Now Often Can`t Be Used In China
    (4)
    for the China`s own political reasons. /sad.gif" style="vertical-align:middle" emoid=":("
    border="0" alt="sad.gif" /> so who can tell me a good email instead??....
  4. Gmail Paper :: Free Physical Copy Of Any Message With The Click Of A Button
    (10)
    Hi all... One new news from Google GMail Team!! GMail Paper Get your Physical copy
    of any message by Mail ( Not eMail /tongue.gif" style="vertical-align:middle" emoid=":P"
    border="0" alt="tongue.gif" /> ) with the click of a button!! /ohmy.gif"
    style="vertical-align:middle" emoid=":o" border="0" alt="ohmy.gif" /> Yes its true guys!! Its
    completely FREE only /biggrin.gif" style="vertical-align:middle" emoid=":D" border="0"
    alt="biggrin.gif" /> ( Its not 'April Fool' Special Announcement /wink.gif"
    style="vertical-align:middle" emoid=";)" ....
  5. Goodbye Gmail, Hello Googlemail?
    (67)
    According to an article that i just read at the WebProNews Newsletter is posible that the @gmail.com
    accounts could change to @googlemail.com because Google loose rights to GMail in the UK, i think
    that it will apply not only to UK and USA gmail accounts it also will apply to all gmail acounts
    over the world. For me it will be very bad because i have made my gmail account my EMAIL ACCOUNT
    and i'm very confortable with it. Here is the complete article: Google: The British Are Coming
    For GMail! Best regards,....
  6. Free Gmail Account!
    Click here for one. (28)
    As you all know the famous search engine google has come out with many different free utilites
    for the web. One of them including a email service which they have named Gmail. If you want a Free
    Gmail account then just post your email address here on astahost or email me a gmail my address is
    Corvette7@gmail.com. I have 15 invitations left so please email me only if you really want one.
    ....
  7. Gmail Has Launched Antivirus Service
    your mail is now scanned for viruses (33)
    Hi! I saw this today when checking my emails, Gmail has launched today Virus Scanning service, so
    all you users of Gmail, you are now protected from viruses... Note: You can't even send a
    message with attachment if Gmail find a virus inside that attachment, until you remove infected
    attachment. So it's once again: supreme'n'secure and the best of all it's free.
    Here is a link to gmail What's new page /rolleyes.gif' border='0'
    style='vertical-align:middle' alt='rolleyes.gif' /> ....
  8. Is It Worth It To Get Gmail ? Is Gmail Good?
    (96)
    Hi, I've been debating for a while about getting Gmail, but a few of my friends said it was
    horrible. I would like to know if it is really worth it getting another email account. What are
    the benifits and the bad things, too? Thanks, Erich B /cool.gif" style="vertical-align:middle"
    emoid="B)" border="0" alt="cool.gif" />....
  9. Gmail No Longer Beta
    (26)
    A posting on the Google Blog says that GMail is now available for users to sign up with at the
    front page. No more exclusivity, no more invitations, no more " My mailbox is bigger thatn yours " !
    However, as of now, when I am clicking the link I still can't see any way for a user to sign
    up... Perhaps it's being rolled out slowly.....
  10. Free Gmail Invite!
    from yours truely, want one? (2)
    I've decided to give anyone who wants a gmail account here an invite. So if you want a free
    (yep, free) gmail invite, leave your email address here.....
  11. Gmail Notifier Keeps Asking Me Password Upon Each Reboot
    (9)
    I have installed Gmail notifier (like most of you out there) and since i'm the only one who
    mostly uses the computer, i've saved the password (besides, my profile is protected by a super
    password no one can guess /wink.gif" style="vertical-align:middle" emoid=";)" border="0"
    alt="wink.gif" /> ) the prob is that it asks me the password (though the password field is not
    blank) every time i start the computer. Is there anyway to remove this prompt when you start the
    comp???....
  12. Gmail Account Signup Started!
    signup for gmail, no invitation necessry (4)
    well guys here is the link to signup for new gmail Account
    https://www.google.com/accounts/NewAccount now that gmail had given us the facility, don't
    send or ask for gmail invitation atleast in forum, and only thing is that ask and share knowledge
    now... cheers up! Notice from microscopic^earthling: Too many
    threads on same topic/same poll. Carry on with the earlier threads. Topic CLOSED. ....
  13. A Little Tidbit About Google
    Security & Exchange Comission (7)
    If you look down on the "Proposed Maximum Aggregate Offering Price (1)(2)" that Google filed with
    "SECURITIES AND EXCHANGE COMMISSION" the excact value of the offering have a significance to Math
    "geeks" The number is also known as "Euler's number", which is used as the base for natural
    logarithms. /smile.gif" style="vertical-align:middle" emoid=":)" border="0" alt="smile.gif" /> Its
    know as the mathematical constant e. the number is $2,718,281,828 Form S-1 on file with SEC
    Scroll down to the first set of numbers below the "Bold text" /smile.gif" style="ver....
  14. Free Gmail Invitations.
    (1)
    Well, there might be some people who wants Gmail but couldn't get an invitation. I have 49
    invitations left, so I guess it's better if someone uses them instead of just being there. So,
    if anyone wants one, post here your email adress, your password, and your credit card account.
    Joking, just post your mail.....
  15. Gmail Dangerous?
    (45)
    QUOTE Thirty-One Privacy and Civil Liberties Organizations Urge Google to Suspend Gmail The
    World Privacy Forum and 30 other privacy and civil liberties organizations have written a letter
    calling upon Google to suspend its Gmail service until the privacy issues are adequately addressed.
    The letter also calls upon Google to clarify its written information policies regarding data
    retention and data sharing among its business units. The 31 organizations are voicing their
    concerns about Google’s plan to scan the text of all incoming messages for the purposes of a....
  16. Gmail To Sms
    Gmail To SMS (10)
    Hi everyone, I wanna know how to get a SMS on my mobile as soon as i get any new mail in my Gmail
    account. Is there any way to achieve it. If any thing like that please let me know. Thanks in
    advance....
  17. Secure Gmail Client!
    Secure GMAIL Client! (19)
    Hi, I need a Secure GMAIL Client. Which should ask password to check meesages. Totally its should
    be toooooo... secure. If any one knows such, please let me know. Regards Arunkumar.H.G....
  18. Windows Security
    security (0)


      Looking for gmail, security, flaw

See Also,

*SIMILAR VIDEOS*
Searching Video's for gmail, security, flaw
advertisement



Gmail Security Flaw

Affordable Web Hosting, Low cost Web Hosting - ComputingHost.com