blind_html Fwd: BAH Google Mail Accounts Hacked Via Unpatched Hole

  • From: Nimer Jaber <nimerjaber1@xxxxxxxxx>
  • To: blind_html@xxxxxxxxxxxxx
  • Date: Sun, 26 Apr 2009 21:19:56 -0600

-------- Original Message --------
Subject:        BAH Google Mail Accounts Hacked Via Unpatched Hole
Date:   Sun, 26 Apr 2009 14:42:23 -0400
From:   Lisa <whitedove621@xxxxxxxxxxxxx>
Reply-To:       blindAccessHelp@xxxxxxxxxxxxxxx
To:     <blindAccessHelp@xxxxxxxxxxxxxxx>

We believe this is something you should be aware of so that you may protect
yourself if necessary.
    Gmail accounts hacked via unpatched hole By Scott Spanbauer
Exploits allowing hackers to break into Gmail accounts are likely to occur,
if they're
not already circulating, after security researchers released details of a
hole that
Google has reportedly declined to patch.
There are steps you can take to reduce the risk of using a webmail account,
but it
appears that the usual tricks won't solve the Gmail problem until Google
fixes the
The weakness that researchers say afflicts Gmail, a free e-mail service
hosted by
Google, belongs to a class of attacks known as cross-site request forgery
pronounced "sea surf"). Besides Gmail, CSRF holes affecting YouTube,
Netflix, and have also been found and repaired in the past. CSRF attacks use
flaws in cookies, password requests, and other interactive Web components to
communications between your browser and a Web site's server.
The first report of the Gmail problem within security circles was written by
Aguilera Díaz of Internet Security Auditors (ISA) on July 30, 2007. The next
ISA issued an alert and included a proof of concept illustrating how the
could be used to change a Gmail account password.
After more than a year during which, according to ISA, Google was repeatedly
privately about the problem researchers publicly released a detailed
of the exploit on March 3, 2009, according to a Secure Computing article.
The magazine
quoted an unnamed Google spokesman as saying, "We've been aware of this
report for
some time, and we do not consider this case to be a significant
vulnerability, since
a successful exploit would require correctly guessing a user's password
within the
period that the user is visiting a potential attacker's site."
Considering that an automated attack can test thousands of passwords in a
of seconds, you might not be very reassured by Google's position. Many PC
users select
weak passwords that consist of common names or dictionary words, leaving
them susceptible
to brute-force discovery. And the general release of the CSRF technique
makes it
easy for hackers to write opportunistic code, if actual exploits aren't
already in
the wild.
The March 3 public disclosure should not be confused with an earlier Gmail
CSRF flaw
that was first reported on Jan. 1, 2007. Google repaired that problem by the
day, according to a blog post by software consultant Hari Gottipati.
CSRF attacks — which are also referred to as session-riding — are different
the more-widely known cross-site scripting (XSS) exploits. XSS holes allow a
Web site that's open in one browser window to inject JavaScript into another
page that's open in a separate window or tab. Once the unwanted script is
on a PC, the code can try to collect private data and passwords and transmit
back to the attacker's server.
XSS vulnerabilities have recently been discovered and patched in many
browsers and
on many sites, including Yahoo Mail and Hotmail as well as Gmail. Provide
some protection
for webmail with https Google, Yahoo, and other Internet services cover
by stating that you use the services at your own risk. A major threat of
using any
webmail service is that a hacker could swipe or guess your password and take
your account.
If your Google account includes such personal information as stored credit
card numbers
(for Google Shopping, for instance), a contact list, photos, and business or
documents, having your account hacked could be more than just an
One way for an attacker to steal passwords — especially given the ubiquity
of open,
unencrypted Wi-Fi networks — is to use software that "sniffs" Internet
traffic. If
you enter your username and password on a Web page without encryption, your
are transmitted as plain text, not just over a Wi-Fi connection but also
every router that happens to be located between you and the service's
Fortunately, the Big Three webmail services — Gmail, Yahoo Mail, and
Hotmail — and
many other Web sites provide protection for their sign-in sessions using
Secure Sockets
Layer (SSL) encryption. SSL enables a Web browser to scramble any sign-in
data before
pumping it out naked across the Internet's plumbing.
To determine whether a site encrypts its sign-in procedure, look in your
address bar. The page's URL should begins with https (Hypertext Transfer
over SSL), as shown in Figure 1. Unencrypted pages use the http protocol.
1. Look for the https protocol in a browser's address bar, which indicates
an encrypted
Seeing the https protocol or the well-known "lock" icon in a browser's
status bar
is no guarantee that a particular site is legitimate, of course. The
Working Group offers information on how these indicators can be spoofed by
as well as some tips to help you avoid scams.
If a sign-in page uses the https protocol, however, it's unlikely that your
will be sent as plain text across the Internet.
Gmail's sea-surf hole can't be closed by SSL
Some reports on the Web, such as an article at, say using
https during
your Gmail sessions blocks CSRF attacks on the service. Unfortunately,
that's not
the case for this Gmail hole, according to ISA's Aguilera. In an e-mail
conducted in Aguilera's native Spanish, he said the flaw allows a hacker to
advantage of an encrypted session (the following is my translation from the
language): "In this vulnerability, the attacker causes the victim to
generate, invisible
to the victim, a request to the server (in which request the victim's
session cookie is also transmitted). "When the server receives the request,
it sees
that it comes from an authenticated session (the victim's), and thus is
unable detect
that, in reality, the request was instigated by the attacker. "In other
words, it's
as if the victim/user actually created the request to the server, and the
fact that
the communication is encrypted is unrelated and doesn't prevent the attack."
Using https does prevent traffic sniffing and so-called man-in-the-middle
so you should enable it regardless of whether Gmail's CSRF hole is ever
To benefit from encryption when accessing Gmail, you should configure the
to use SSL by default. To do so, click Settings in the top-right corner of
the main
Gmail window, select Always use https in the "Browser connection" section at
bottom of the General tab, and click Save Changes. Using encryption will
slow Gmail's
performance slightly, but this small price is worth it. The https protocol
will encrypt
not just your sign-in sessions but also the contents of your e-mails when
sent between your browser and Google's servers.
POP3 and IMAP protect Gmail, Hotmail, Yahoo Mail Sadly, Yahoo Mail and
Hotmail don't
provide a similar Always use https setting. But you can protect these two
data, and also defeat Gmail's CSRF hole, by using a PC-based e-mail reader
and retrieving
your messages via the long-established POP3 or IMAP protocols.
When you use a PC-based client like Mozilla Thunderbird to read and send
SSL encryption can prevent eavesdropping. Using IMAP or POP3 also gives you
the option
to delete sensitive messages that would otherwise remain on the remote
server. (I
rated Thunderbird and other free e-mail clients in a July 31, 2008,
comparative review.)
IMAP and POP3 are supported by the free versions of both Gmail and Hotmail.
supports POP3, but only in the paid version of Yahoo Mail (U.S. $20 per
For instructions on using a PC-based client to retrieve messages from a
webmail service,
using Hotmail as an example, there's a step-by-step article on the subject
Using https when signing in — and encryption when processing your webmail —
it less likely your password or other personal information will be sniffed.
makes your webmail safer, no matter how long it may take before Google fixes
CSRF hole that has security researchers in a huff.


This list is owned by Jimmy Podsim.  Moderator Frank.  If you have any 
questions or complaints, please send them to
blindAccessHelp-owner@xxxxxxxxxxxxxxx .  I hope you find this list helpful.

Yahoo! Groups Links

<*>  To visit your group on the web, go to:

<*>  Your email settings:
    Individual Email | Traditional

<*>  To change settings online go to:
    (Yahoo! ID required)

<*>  To change settings via email:

<*>  To unsubscribe from this group, send an email to:

<*>  Your use of Yahoo! Groups is subject to:

To unsubscribe, please send a blank email to
with unsubscribe in the subject line.
To access the archives, please visit:


Other related posts:

  • » blind_html Fwd: BAH Google Mail Accounts Hacked Via Unpatched Hole - Nimer Jaber