Gmail Accounts 'Wide Open To Exploit'

edited November 2004 in Science & Tech
Google's high profile webmail service, Gmail, is vulnerable to a security exploit that might allow hackers full access to a user's email account simply by knowing the user name, according to reports.
The security flaw allows full access to users' accounts, with no need of a password, Israeli news site Nana says. Using a hex-encoded XSS link, the victim's cookie file can be stolen by a hacker, who can later use it to identify himself to Gmail as the original owner of an email account, regardless of whether or not the password is subsequently changed. Following up a tip from an Israeli hacker, journos from the site confirmed the attack and verified the exploit with local security firm Aladdin Knowledge Systems. It's unclear whether the hole has been maliciously exploited. Google has been notified of the issue and is reportedly working on a fix. No-one from the company was available to update The Register on the issue at time of going to press.
Source: The Register
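
The report says a stolen cookie keeps working even after the password is changed. As an added example (not code from The Register, Nana or Google; the class, cookie layout and names are assumptions), a server can bind each session cookie to a per-account credential epoch, so that a password change invalidates every cookie issued before it:

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process signing key

class Accounts:
    """Toy account store; layout and names are assumptions for this example."""

    def __init__(self):
        self._epoch = {}  # user -> credential epoch, bumped on password change

    def register(self, user):
        self._epoch[user] = 0

    def _sign(self, user, epoch):
        msg = f"{user}|{epoch}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue_cookie(self, user):
        """After a successful login: bind the cookie to the current epoch."""
        epoch = self._epoch[user]
        return f"{user}|{epoch}|{self._sign(user, epoch)}"

    def change_password(self, user):
        """Bumping the epoch invalidates every cookie issued before the change."""
        self._epoch[user] += 1

    def validate(self, cookie):
        """Return the user name for a live cookie, or None."""
        try:
            user, epoch_s, mac = cookie.split("|")
            epoch = int(epoch_s)
        except ValueError:
            return None  # malformed cookie
        if user not in self._epoch:
            return None
        expected = self._sign(user, epoch).encode()
        if not hmac.compare_digest(mac.encode(), expected):
            return None  # forged or tampered cookie
        if epoch != self._epoch[user]:
            return None  # issued before the last password change
        return user

def demo():
    accounts = Accounts()
    accounts.register("alice")                # constructed sample account
    copied = accounts.issue_cookie("alice")   # a copy held by a third party
    before = accounts.validate(copied)
    accounts.change_password("alice")
    after = accounts.validate(copied)
    fresh = accounts.validate(accounts.issue_cookie("alice"))
    return before, after, fresh
```
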

Comments

  • TBonZ Ottawa, ON Icrontian
    edited October 2004
    I have been getting mail from all sorts of people in the last 2 weeks notifying me that the attachment I had sent to them was blocked by their antivirus. I never sent anything to these people and the addresses look legit and not from some kind of fishing expedition by a spammer/hacker.

    If my acct hasn't been hijacked, can people send mail masked to look like it came from me? :scratch::mad:
  • Linc Owner Detroit Icrontian
    edited October 2004
    Yes, you can do that to any account by simply using e-mail header spoofers (PHP does it quite effortlessly). Happens all the time, unfortunately. :-/
  • PressX Working! New
    edited October 2004
    I have given three people my gmail account. I have spam already.
  • DanG I AM CANADIAN Icrontian
    edited November 2004