Comments on: Google falters? Can't be!

Google falters? Can't be!

mrplab — Fri, 29 Oct 2004 16:37:21 -0800

GMail not-so-safe Mail. So apparentley GMail has a major exploit that's been discovered by an Israeli hacker. "Using a hex-encoded XSS link, the victim's cookie file can be stolen by a hacker, who can later use it to identify himself to Gmail as the original owner of an email account, regardless of whether or not the password is subsequently changed." And so the fun with GMail begins..

By: 327.ca

327.ca — Fri, 29 Oct 2004 16:39:13 -0800

Good. These are the kind of things one hopes to find in beta testing. Right?

By: mrplab

mrplab — Fri, 29 Oct 2004 16:40:18 -0800

And by the way, more information here from the Israeli news source.

By: neckro23

neckro23 — Fri, 29 Oct 2004 23:20:04 -0800

It sounds to me like in order to get hacked, you have to fall for a phishing-style thinger first. Pfff.

By: SpecialK

SpecialK — Fri, 29 Oct 2004 23:32:49 -0800

Yeah, but it's still bad design -- something you wouldn't expect from Google.

By: Keyser Soze

Keyser Soze — Fri, 29 Oct 2004 23:58:32 -0800

Yeah SpecialK me neither, but then again it was only a matter of pressure and time. Whatever man makes a person can take apart.

By: SpecialK

SpecialK — Sat, 30 Oct 2004 00:46:11 -0800

True, but I'd expect them to have something obscure taken apart. I've got a more secure cookie-based authentication than that running for my webapps; they're not hard to code at all.

By: SpecialK

SpecialK — Sat, 30 Oct 2004 00:51:36 -0800

(I mean, just a simple username/hash stored in a cookie that doesn't change over 2 weeks? Bad form. If you're going to keep an authentication token like that, it should change frequently, and be based on some facts that are on the server and stored on the user's machine just coincidentally. For instance, I store a serialized array with the user's login name in one field and a 60-charachter hash in the second. The hash is built off of the user's session record in the database that they're accessing; it's made up of the last time the hash was changed (about every 5 pageviews), the user's password, and some other bits of trivia. The server builds the hash, then retreives the hash from the cookie and compares the two. If they don't match, the user gets kicked back to the login screen. It's not bulletproof and unbreakable of course, but I've had people try ... and without hacking the server, it hasn't been broken. Yet, of course.)

By: ac

ac — Sat, 30 Oct 2004 08:31:21 -0800

hash browns taste good

By: hincandenza

hincandenza — Sat, 30 Oct 2004 15:19:30 -0800

This just goes to show that ~~Microsoft~~ Google is not serious about user privacy, security or good software. Hey, welcome to the big-leagues, boys. You're a bona fide target now! :)