Gmail flaw -- April 27, 2004

#1 MrLinus (Just a Virtualized Geek) | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,324

    Geez... Didn't take long did it?!

    Source: Bradlands

    GMail security flaw: I just discovered a rather serious security flaw in Google's GMail service, currently in beta. If I wanted, right now, I could access the mailboxes of at least a dozen people, alter their user information, send e-mail using their address and otherwise generally f**k up their accounts.

    I won't, of course. But if someone as essentially tech-clueless as I can do it, I rather imagine more savvy and unscrupulous parties are ready and waiting to exploit this weakness.

    Further: It's not a technical flaw with the GMail system. It's a combination of poor user interaction design and a little social hacking that opens up the system to potential abuse.

    I was poking around the GMail site, just to see if by some miracle they'd opened sign-ups and not told anyone. (They haven't.) But I clicked on everything that I could, including the link under the login panel asking "Forgot your password?"

    That takes me to a page where I'm asked to "enter the email address you use to login." At random, I picked the address of a friend I knew had recently obtained a GMail test account and submitted it. I then had to pass one of those tests where a graphic of a word or nonsense phrase is displayed and you have to type it into a box to prove you're a human and not a computer.

    After doing that, I'm presented with a security question, presumably one chosen by the GMail user to further verify their identity and help them recover their password. This is where the system starts to break down. Several people have custom questions, unique to them and requiring somewhat intimate information about themselves. In the case of the random friend's account I'd plugged in earlier, it was something I knew about them off the top of my head. If I didn't, though, I'd easily be able to ascertain the answer by reading their website.

    I gather that "What is your Mother's maiden name?" is one of the default security questions. It's a bad one. In the case of at least three friends, I didn't know it but was able to easily obtain it by plugging their names into, yes, Google and having the information spit back to me from publicly accessible genealogy websites.

    Now having a security question isn't a bad thing, per se. It's just not very tight security, particularly when many of the people using the service are, themselves, web publishers and have chosen particularly poor questions with easily researched answers as the key to their account. But it still requires a little effort; it's not as though a simple computer program could batch through dozens of accounts and compromise them. It requires a thinking, Googling human to get past the security question.

    Ah, but when you do! In other systems, passing this hurdle would generate an e-mail to a second account, either revealing the password or containing instructions for resetting it. With GMail, though, I'm immediately presented with the option of resetting the password. Input a new password twice, click submit and voila: I'm in charge of another person's account.

    This makes GMail extremely insecure.

    There are two ways to address this. First, if you're using GMail right now, I'd suggest choosing a security question to which only you know the answer and which is not answerable by Googling for information about you. (Good advice always, but particularly in this case.) Mothers' maiden names are right out. Names of first pets? Suspect, when a lot of us have taken and published the results of "What is your drag queen name?" quizzes on our websites. Old phone number? Probably tucked away in a long-forgotten, never-updated online database.

    The second is for Google to tighten up the process by requiring password changes to involve an e-mail challenge or some other means of resetting an account password. Knowing a person's GMail address and a little personal info about them is too low a hurdle to put the reset mechanism front-and-center where it is now.

    At last count, I could easily compromise the accounts of six friends, six prominent webloggers, a Google employee and one random fellow I've never met or heard of.

    I haven't and I won't. And another Google employee has graciously invited me to take a test account, which offer I'll accept, even though I wish the service worked with Safari so I could really get under the hood.

    In the meantime, I won't be trusting GMail for anything critical and I'll be picking a completely unanswerable (except by me) password security question. I'd advise you to do the same.

#2 RoadClosed (Senior Member) | Join Date: Jun 2003 | Posts: 3,834
    Ah, but when you do! In other systems, passing this hurdle would generate an e-mail to a second account, either revealing the password or containing instructions for resetting it. With GMail, though, I'm immediately presented with the option of resetting the password. Input a new password twice, click submit and voila: I'm in charge of another person's account.

    This makes GMail extremely insecure.

    Well noted, but more important, it makes you much more anonymous if one desires, assuming you don't know the people with an account personally. I would welcome the feature of not forcing someone to have a valid email address in order to sign up. Very few web-based services do that anymore. I agree, though, if you want the option you should be able to have it if the designers want to take an extra step. It wouldn't preclude me from opening an account though, especially since Google is my cyber home anyway.

    Very good analysis of the system by the author.

#3 11001001 (BS, EnCE, ACE, Cellebrite) | Join Date: Mar 2002 | Location: Just West of Beantown, though nobody from Beantown actually calls it "Beantown." | Posts: 1,228
    But when you think about it, how many free email providers have a similar system in place? You supply an answer to an assigned or chosen "security question" that is supposed to have an answer that nobody else knows. I'm sure this feat would be easily replicated on other free email providers' websites by doing the exact same thing.

    It seems like everyone is out to get GMail and looking for every excuse to do it just because of the body scanning algorithm.

#4 RoadClosed (Senior Member) | Join Date: Jun 2003 | Posts: 3,834
    I just tried it with some random common user names. I would have to say if you use something like BillSmith@google.com or CaliforniaGirl@google.com and have some easy phrase like "City where you were born," it would be easy to try Oakland etc. or Google "Bill Smith," but you can do that already. Heck, Yahoo gives you a complete profile of the person. lol. I see the concern.