Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search Appliance

Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search Appliance

Summary: In the past few days, there have been multiple disclosures of security vulnerabilies in a wide range of Google products, including a persistent e-mail theft issue affecting the widely used GMail service.


Hackers expose holes in GMail, search appliance[ UPDATE, October 1, 2007:  Google has issued a fix for this issue.  It's important that you check your filters to ensure your mailbox isn't compromised ]

Google's security model is not holding up very well to scrutiny from hackers.

In the past few days, there have been multiple disclosures of security vulnerabilities in a wide range of Google products, including a persistent e-mail theft issue affecting the widely used GMail service.

The unpatched GMail bug, which was demonstrated for me by hacker Petko D. Petkov, is particularly nasty because of the way the exploit works without any user action and the fact that it's difficult for the average GMail user to know that e-mails are being stolen.

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim's filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forward them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

The attack technique is known as cross-site request forgery (CSRF) and has haunted Google in the past. Earlier this year, the company was forced to correct a similar flaw after details leaked out on an issue that put GMail contact lists at risk.

Google Search Appliance users at risk:

Hackers expose holes in GMail, search applianceSeparately, a Romanian security researcher has published details of a cross-site scripting bug affecting users of the enterprise-facing Google Search Appliance.

Mustlive, the hacker behind the Month of Search Engine Bugs project, published a proof-of-concept and a Google dork to demo the attack -- and expose businesses using the search appliance.

Google (Blogspot) Polls vulnerability

A third issue has been disclosed at Beford.org to show how a cross-site scripting bug in Google's Blogspot Polls could allow the hijacking of sensitive information.

The 'font' parameter was not being sanitized before being used inside an STYLE tag, so you could inject IE's expression() and Mozilla's -moz-binding.

Several proof-of-concepts -- this one hijacks your Google contacts, this one intercepts incoming GMail -- are publicly available. (IMPORTANT NOTE: clicking on those links while logged into Google Accounts might not be such a good idea).

An exploit against Picasa

Google's Picasa photo-sharing software and Web service is also vulnerable to an exploit scenario that uses a combination of cross-site scripting, cross-application request forgery and URI handler weakness to steal photographs from the victim's hard drive.

Technical details of the Picasa issue have been released by Billy Rios and Nate McFeters.

Finally, there's a cross-site scripting bug in Google's Urchin Analytics service that can be exploited to steal user credentials. An explanation of this vulnerability has been published by Adrian Pastor.

Topics: Browser, Collaboration, Google, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • The more widely something is used

    the more likely to become a target of hackers. Good thing not many run Linux.
    • Re: Good thing not many run Linux

      Google Does!!!
    • Yeah. It means my Linux

      boxes are so much safer than my Windows boxes. Thanks for pointing that out.
      • Careful what you wish for

        Many of you Linux zealots here often advocate Linux for its safe environment, prodding Windows users to dump Windows for Linux. If No_Axe_2_Grind knows what he is talking about, when he says [b]"Good thing not many ppl use Linux"[/b], then that goes to show that it isnt because Linux is better why it safer, it is simply because hackers are not interested in it - because there arent enough users of it to make it thrilling. That said, as soon as we Windows users go along with your prodding, the hackers too are going to prod-along.

        Did I say "'We' windows users"?
      • No, you are wrong, as the grinder...

        No, it means your Linux box is safer than your MS Windows box becouse it has safer default values when installed.
        It's not becouse there are fewer Linux boxes that are up for hackers (more public web sites run 24/7 on Linux then on MS Windows). I mean, known sites that are possible to look up through DNS and to search for (MSN, Google etc) must be better targets than clients machines that is up 4-8 hours 5-7 times a week, if security between the systems is at same level.
    • not necessarily true

      Here's a related Tech Republic blog fresh on 9/12/07.

      Open source will always be far less vulnerable than proprietary goods. Quick points:

      The vast majority of vulnerabilities will be discovered (and near simultaneously fixed) by the white hats.

      News and information about problems in the open source world flies fairly fast as it is now, this will only get better as the community grows.

      Fixes will come far more swiftly and reliably than from proprietary vendors, articles abound. (and lest we forget Micr0$oft "secret updates:" http://blogs.techrepublic.com.com/tech-news/?p=1189 )

      Linux has powerful monitoring, filtering, security etc, and related capabilities. As it is now, the tools are all over the place and are somewhat confusing for the average user. With a growth in Linux deployment, a potentially profitable software niche might finally bring out the emergence of true "all in one" Linux "security center" type apps, heavy on the GUI sauce of course. Swifter security updates and a one-stop place to view/modify any of the vast array of present capabilities, presented comprehensibly such that anybody can see and know everything their box is up to.

      That'll make for an even less vulnerable world. I see the idea as to make the white hat side of the community the 800 lb. gorilla sitting on the 'net. Strength in sheer numbers. I do believe it'll happen.

      That's my take on the issue, similar to author Chad Perrin, which both seem to dispel the argument that Linux isn't as viri and worm laden because of it's low exposure.

      I remind the greater number of servers are Linux, and the internet itself runs at it's core on Unix.
      • One - that is opinion about open source...

        not really proven yet. However, all of the above kind of makes you wonder about - hey I have Google Apps, and my sensitive info is on that...who can see it let alone steal it... I have no idea, but it kind of makes you wonder.
        • Hm. Where did google came into OSS?

          What does Google mail and search has to do with Open Source Software? Other than it's designed in a way that gives problems in any web browser that has google apps users logged in at the same time as other web sites.

          They are as secret about there applications as MS Windows (no really, they do releases some parts as OSS, but not the search engine or web mail applications)
  • Firefox/NoScript


    Install Firefox and NoScript add-on--it strips out the JavaScript exploits.

    Also, don't leave yourself logged into Gmail from your browser--a good email client on your localhost such as KMail will fetch with POP3 and SSL securely and thanks to the excellent Gmail spam filters leave the spam behind.

    Never mind what No_Ax says. ;)

    This isn't a 'Linux' issue.
    D T Schmitz
    • Good advice

      NoScript is one plugin I would gladly purchase. It stomps on cross-scripting, web bugs, redirects, all kinds of unpleasantness.

      One of these days I want to figure out a batch file that will launch my apps at a certain time, collect all my email, and pop a browser with four or five standard windows. I can do all the steps individually, now for the batch file that ties them all together so it's sitting there waiting for me when I get downstairs.

      One of the promises of computers was automation. Seems to me much of the automation has been task focused. I want to start focusing on automating user environments. I'd love to walk into the office and find my computer up and ready to go to work. The information I browse routinely already waiting.
  • Use gmail basic, skip the bells and whistles.

    To be really secure, I disable javascript and simply use gmail basic. Most people can live without the bells and whistles such as chat etc within gmail.
  • RE: Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search Appliance

    Google should give a closer look on this. They soon have to find ways to counter all these threats and protect users data.
  • yep web 2.0 trust the big boys with your data right like ax said

    yep web 2.0 trust the big boys with your data right lie ax said the when something get enough users the vale of security comes crashing down.

    and yes goggle uses Linux. all there stuff is built on open source.
    SO.CAL Guy
    • Actually, some of their Google applications are written

      ... in Visual Basic and/or Visual Studio.
      Confused by religion
      • nonsense!

        That's absolute rubbish! Googgle's entire infrastructure is built on non-Microsoft technology. There's no way they are using Visual Studio or VB to create their sites. That's just a shameless attempt on your part to transfer some blame to MS.
      • sorry milly you need to get your facts striat they do not use VB or VS you

        sorry milly you need to get your facts striate they do not use VB or VS you need to get off the FUD train
        SO.CAL Guy
      • Are they

        Some of the desktop applications might, I don't know. But I would be suppriced if their web site applications is.
  • Sounds like Google...

    needs some new programmers. While Google got lucky with their search page, we're now seeing the true Google. Not much quality here.
  • RE: Bullseye on Google: Hackers expose holes in GMail, Blogspot, Search App

    How much does tabbed browsing impact the first flaw? Does "The victim visits a page while being logged into GMail." mean that the hack would work if e.g. I would log into my GMail account, then browse to an infected site in another tab?
  • Have you tried the plugin "Morning Coffee"?

    It's for Firefox - you can set it by day of week to open all of your frequently browsed sites in different tabs - all in one click, so when you open your browser and click - there you are. It's cool.