Saturday, October 30, 2004
Gmail Security Breach Discovered
A major security hole in Gmail has been found, reports the Israeli site Nana. A hacker, Nir Goldshlagger, told Nana NetLife Magazine, "Everything could get publicly exposed – your received mails might be readable, as well as all of your sent mail, and furthermore – anyone could send and receive mail under your name". He also warned that even a novice hacker could exploit the hole. Google has admitted to the existence of the breach, which lets a hacker steal your Gmail cookie and use it to log in to your account. A compromised Gmail account is noted to be more of a security threat than most email inboxes, since users tend to store more mail there than on most services, which increases the likelihood that hackers will find sensitive information such as credit card numbers. Aimless Words suggests not clicking on the "Don't ask for my password for 2 weeks" option, and notes that the hole is an XSS exploit. Slashdot and the Register also cover the story. Google Blogoscoped notes that all Gmail users who did click the auto-login button were forced to re-login this morning, so Google may have already dealt with it.