GMail Flaw Lets Anyone Read Your E-Mail (and patch update)
For all Gmailers!
September 26, 2007 | 8:06:07 AM
Hackers have revealed that your GMail account is vulnerable to an attack that allows malicious folks to keep tabs on your e-mail traffic. The attack uses a clever (and particularly nasty) cross-site request forgery (CSRF) to create a persistent backdoor that can be used to read your e-mail. The exploit works by creating a new filter in your GMail account, which means it can do pretty much anything GMail filters are capable of — including forwarding your e-mail to another account. [Update: Google has reportedly fixed the issue. See the update below for more details.]
GNUCitizen hacker Petko Petkov is a busy man: we told you about his PDF exploit last week, and before that there was the QuickTime exploit. Petkov is also responsible for today’s GMail disclosure, and while he hasn’t released many details on the hack, he did demonstrate it for ZDNet, which confirmed that it works.
Google says it is looking into the exploit, but even once it is patched, anyone affected before the patch will remain exposed, since the injected filter persists and must be removed by hand.
So far there don’t seem to be any examples of this exploit in the wild, and Petkov is withholding details to give Google time to patch it, but it’s worth giving your filter list a quick glance to make sure every filter there is in fact yours.
Here’s what Petkov has to say about the exploit:
The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list. In the example above, the attacker writes a filter, which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
The comments on the GNUCitizen post suggest that the Firefox extension NoScript probably prevents this sort of attack, but you’ll need to keep NoScript on its most stringent settings.
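Petkov’s description boils down to a form-handling endpoint that trusts the session cookie alone. The two standard server-side checks that close that class of hole, as an added example (not Google’s actual fix, which the article does not describe): a same-origin check on the Origin/Referer header plus a per-session anti-CSRF token. The webmail origin, the in-memory session store and the filter rule are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE = "https://mail.example"   # constructed stand-in for the webmail origin
SESSIONS = {}                   # session id -> CSRF token (constructed in-memory store)

def new_session():
    """Log a user in: create a session and bind a fresh, unguessable token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid

def same_origin(request):
    """True only if Origin (or, failing that, Referer) names our own site exactly."""
    src = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    got, want = urlsplit(src), urlsplit(SITE)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)

def vulnerable_create_filter(request, filters):
    # Only the session cookie is checked, so any page the victim visits can submit the form.
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return 401
    filters.setdefault(sid, []).append(dict(request["form"]))
    return 200

def hardened_create_filter(request, filters):
    """Same endpoint with two independent CSRF checks in front of the filter write."""
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        return 401
    if not same_origin(request):
        return 403  # submitted from a foreign page
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), SESSIONS[sid].encode()):
        return 403  # a foreign page cannot read the per-session token, so cannot forge it
    filters.setdefault(sid, []).append({k: v for k, v in request["form"].items() if k != "csrf_token"})
    return 200

def demo():
    """Replay one forged and one genuine filter submission against both handlers."""
    sid = new_session()
    rule = {"has_attachment": "1", "forward_to": "elsewhere@example.invalid"}  # constructed
    cookie = {"session": sid}  # the browser attaches it to the forged request as well
    forged = {"cookies": cookie, "headers": {"Origin": "https://evil.example"}, "form": rule}
    genuine = {"cookies": cookie, "headers": {"Origin": SITE}, "form": {**rule, "csrf_token": SESSIONS[sid]}}
    weak, strong = {}, {}
    return (vulnerable_create_filter(forged, weak), hardened_create_filter(forged, strong),
            hardened_create_filter(genuine, strong), len(weak[sid]), len(strong[sid]))
```

Note that both checks leave the installed filter untouched once it is in place, which is why the article’s advice to inspect your filter list still applies after any patch.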
UPDATE: Google Patches Serious GMail Vulnerability
September 28, 2007 | 1:45:30 PM
Early this week we told you about a cross-site request forgery (CSRF) flaw in GMail that would allow attackers to create a filter in your account — possibly forwarding copies of your mail to themselves.
This morning I received an e-mail from a spokesperson at Google who said that the GMail team rolled out a patch last night which fixes the problem.
“Google takes the security of our users’ information very seriously,” the e-mail says, “We worked quickly to address the recently reported vulnerability, and we rolled out a fix. We have not received any reports of this vulnerability being exploited.”
Google says it hasn’t heard of anyone being victimized, but it wouldn’t hurt to log in and take a quick look at your filters just to be on the safe side.