

Google falters? Can't be!
October 29, 2004 4:37 PM   Subscribe

GMail not-so-safe Mail. So apparently GMail has a major exploit that's been discovered by an Israeli hacker. "Using a hex-encoded XSS link, the victim's cookie file can be stolen by a hacker, who can later use it to identify himself to Gmail as the original owner of an email account, regardless of whether or not the password is subsequently changed." And so the fun with GMail begins...
posted by mrplab (9 comments total)

Good. These are the kind of things one hopes to find in beta testing. Right?
posted by 327.ca at 4:39 PM on October 29, 2004


And by the way, more information here from the Israeli news source.
posted by mrplab at 4:40 PM on October 29, 2004


It sounds to me like in order to get hacked, you have to fall for a phishing-style thinger first. Pfff.
posted by neckro23 at 11:20 PM on October 29, 2004


Yeah, but it's still bad design -- something you wouldn't expect from Google.
posted by SpecialK at 11:32 PM on October 29, 2004


Yeah SpecialK me neither, but then again it was only a matter of pressure and time. Whatever man makes a person can take apart.
posted by Keyser Soze at 11:58 PM on October 29, 2004


True, but I'd expect them to have something obscure taken apart. I've got a more secure cookie-based authentication than that running for my webapps; they're not hard to code at all.
posted by SpecialK at 12:46 AM on October 30, 2004


(I mean, just a simple username/hash stored in a cookie that doesn't change over 2 weeks? Bad form. If you're going to keep an authentication token like that, it should change frequently, and be based on some facts that are on the server and stored on the user's machine just coincidentally. For instance, I store a serialized array with the user's login name in one field and a 60-character hash in the second. The hash is built off of the user's session record in the database that they're accessing; it's made up of the last time the hash was changed (about every 5 pageviews), the user's password, and some other bits of trivia. The server builds the hash, then retrieves the hash from the cookie and compares the two. If they don't match, the user gets kicked back to the login screen. It's not bulletproof and unbreakable of course, but I've had people try ... and without hacking the server, it hasn't been broken. Yet, of course.)
posted by SpecialK at 12:51 AM on October 30, 2004


hash browns taste good
posted by ac at 8:31 AM on October 30, 2004


This just goes to show that Microsoft Google is not serious about user privacy, security or good software.

Hey, welcome to the big-leagues, boys. You're a bona fide target now! :)
posted by hincandenza at 3:19 PM on October 30, 2004



