Gmail cookie vulnerability exposes user's privacy

Gmail cookie vulnerability exposes user's privacy

Summary: Petko Petkov of ethical hacking group GNUCitizen, has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users.

SHARE:
TOPICS: Google, Security
1

Petko Petkov of ethical hacking group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users.

"This can be used to forward all your incoming e-mail," Pure Hacking security researcher Chris Gatford told ZDNet Australia. "It's just a proof of concept at the moment but what they're demonstrating is the potential to use this vulnerability for malicious purposes."

According to Gatford, attackers could compromise a Gmail account -- using a cross-site scripting [XSS] vulnerability -- if the victim is logged in and clicks on a malicious link. From that moment, the attacker can take over the session cookies for Gmail and subsequently forward all the account's messages to a POP account.

"If someone picks up on this before Google fixes it -- or if someone knew of the vulnerability before this guy published it -- this could be very damaging to Gmail users," he added.

The problem is potentially compounded by Google's policy of retaining cookies for two years.

"Once you've managed to snarf a cookie you can access [a user's] Gmail account without the password for the next two years," he said.

While the obvious risk is to the home user, many organisations could be exposed since they do not filter employee e-mails sent from work to personal accounts, he added.

IBRS security analyst James Turner told ZDNet Australia: "People do use private accounts to store work information. I've worked at one organisation where this was implicitly expected, because the mail server at the time was so unreliable. But that scenario is certainly less than optimal.

"In an ideal world, an organisation would be able to draw a line in the sand and say that corporate data does not pass this point. The current reality is that there are Gen-Y workers who are sharing information with each other on multiple alternative communication channels -- Gmail and Facebook included."

One workaround is to use Gmail through Firefox and disable Javascript. While this limits user access to many components of popular Web sites, it will protect against the potential threat.

The power of cross-site scripting
Developers at Australian government and large enterprises are not aware of the power of cross-site scripting, said Pure Hacking's Gatford.

"In the last year or so, [XSS vulnerabilities] have been used by attackers to grab cookie values and therefore gain access to normally password protected sites," he said.

"When you have organisations like Google spending countless man hours reducing security vulnerabilities ... you can imagine how bad the actual situation is for other organisations," said Gatford.

Gatford advised organisations to use resources such as OWASP, which offers free tools to help write secure code and allow testing for XSS vulnerabilities.

Google was unavailable to comment at the time of writing.

Topics: Google, Security

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

1 comment
Log in or register to join the discussion
  • This is Cross Site Request Forgery (CSRF) *not* XSS.
    cmlh