GMail security flaw: I just discovered a rather serious security flaw in Google's GMail service, currently in beta. If I wanted, right now, I could access the mailboxes of at least a dozen people, alter their user information, send e-mail using their address and otherwise generally f**k up their accounts.
I won't, of course. But if someone as essentially tech-clueless as I can do it, I rather imagine more savvy and unscrupulous parties are ready and waiting to exploit this weakness.
Further: It's not a technical flaw with the GMail system. It's a combination of poor user interaction design and a little social hacking that opens up the system to potential abuse.
I was poking around the GMail site, just to see if by some miracle they'd opened sign-ups and not told anyone. (They haven't.) But I clicked on everything that I could, including the link under the login panel asking "Forgot your password?"
That takes me to a page where I'm asked to "enter the email address you use to login." At random, I picked the address of a friend I knew had recently obtained a GMail test account and submitted it. I then had to pass one of those tests where a graphic of a word or nonsense phrase is displayed and you have to type it into a box to prove you're a human and not a computer.
After doing that, I'm presented with a security question, presumably one chosen by the GMail user to further verify their identity and help them recover their password. This is where the system starts to break down. Several people have custom questions, unique to them and requiring somewhat intimate information about themselves. In the case of the random friend's account I'd plugged in earlier, it was something I knew about them off the top of my head. If I didn't, though, I'd easily be able to ascertain the answer by reading their website.
I gather that "What is your Mother's maiden name?" is one of the default security questions. It's a bad one. In the case of at least three friends, I didn't know it but was able to easily obtain it by plugging their names into, yes, Google and having the information spit back to me from publicly accessible genealogy websites.
Now having a security question isn't a bad thing, per se. It's just not very tight security, particularly when many of the people using the service are, themselves, web publishers and have chosen particularly poor questions with easily researched answers as the key to their account. But it still requires a little effort; it's not as though a simple computer program could batch through dozens of accounts and compromise them. It requires a thinking, Googling human to get past the security question.
Ah, but when you do! In other systems, passing this hurdle would generate an e-mail to a second account, either revealing the password or containing instructions for resetting it. With GMail, though, I'm immediately presented with the option of resetting the password. Input a new password twice, click submit and voila: I'm in charge of another person's account.
This makes GMail extremely insecure.
There are two ways to address this. First, if you're using GMail right now, I'd suggest choosing a security question to which only you know the answer and which is not answerable by Googling for information about you. (Good advice always, but particularly in this case.) Mothers' maiden names are right out. Names of first pets? Suspect, when a lot of us have taken and published the results of "What is your drag queen name?" quizzes on our websites. Old phone number? Probably tucked away in a long-forgotten, never-updated online database.
The second is for Google to tighten up the process by requiring password changes to involve an e-mail challenge or some other means of resetting an account password. Knowing a person's GMail address and a little personal info about them is too low a hurdle to put the reset mechanism front-and-center where it is now.
At last count, I could easily compromise the accounts of six friends, six prominent webloggers, a Google employee and one random fellow I've never met or heard of.
I haven't and I won't. And another Google employee has graciously invited me to take a test account, which offer I'll accept, even though I wish the service worked with Safari so I could really get under the hood.
In the meantime, I won't be trusting GMail for anything critical and I'll be picking a completely unanswerable (except by me) password security question. I'd advise you to do the same.