Add to del.icio.us     Digg this

September 28, 2007

In the past few weeks, there has been many reports of previously undisclosed security holes and new vulnerabilities in Gmail. These weaknesses can seriously jeopardize the privacy of Internet users who rely on Google's Gmail to send and receive email, organize photos or manage their data.

The Rios Security Blog recently wrote a post that demonstrates yet another way to siphon contacts. The Gmail code could be easily modified to misappropriate email and other data users may entrust to the Gmail portal.

Google has since repaired the security problem, but not before it was witnessed first hand... A "test" Google Gmail account was setup for purposes of validating the proof-of-concept code and within just 10 seconds it exposed our sole Gmail contact.

For the exploit to work, the user had to be logged in to Google.

According to the Rios Security Blog post, the proof-of-concept code draws on an important weakness in the way Google Docs handles cross-domain requests.

A potential attacker can create a standard Flash object on a malicious server that links to a Google Docs file titled Crossdomain.xml and gain full access to the victim's contents on his or her Gmail account.

The author wrote "the PoC just displays your contact list, but I have full access to the Google.com domain, so the sky is the limit (aka I can read all your emails too). It seems that Google has taken some measures to sanitize for XSS, but in my view, it still seems that their focus on XSS may have caused them to miss a different type of cross-domain exposure."

XSS is shorthand for cross site scripts, a means of injecting unauthorized code by making it appear as if it's hosted by a trusted website.

At least three of the four previous Google vulnerabilities were based on XSS weaknesses, but this one isn't... Instead it exploits a related but new method for making cross domain requests.

A Google spokeswoman said "Google takes the security of our users' information very seriously. We worked quickly to address the recently reported vulnerability, and we have rolled out a security patch."

The speed with which this security flaw was fixed is testament to the efficiency of Google's inspection team. It also speaks to one of the silver linings of Internet-based vulnerabilities, which frequently can be fixed by applying new code on a single server.

By comparison, software makers such as Microsoft and Apple must push out updates to millions of individual machines. This still tells me that SaaS (Software as a Service providers) does have strong selling points over conventional 'download and install' software.

Add to del.icio.us     Digg this

Source: Rios Security Blog

Save Internet Security.ca's URL to the list of your favorite web sites in your Web browser by clicking here.

Become an authorized reseller of Proxy Sentinel™ and Firewall Sentinel™. Do like the rest of our authorized resellers and have your clients benefit the important security features of our products and solutions, while increasing your sales at the same time. Click here for all the details.

You can link to the Internet Security web site as much as you like. Read our section on how your company can participate in our reciprocal link exchange program and increase your rankings in the major search engines such as
Google and all the others.