Comments on: Google, WTF?

By: adrin

adrin — Thu, 10 Jan 2008 11:36:55 +0000

Bytheway, yahoo doesn’t support secure connection as easy an free as google do.

By: Sergey Udaltsov

Sergey Udaltsov — Sat, 29 Dec 2007 18:57:11 +0000

Justin: shame on Google indeed. My spam had first lines:

We are a wholesaler which deal with electronic products, such as: Mobile,TV,PC,DV,DC,games,MP3 Even motorcycles and musical instruments. Delivering our items by EMS to our customers around the world, The link pointed to the site www dot ems dot com dot cn

By: Justin Mason

Justin Mason — Fri, 28 Dec 2007 16:16:35 +0000

Google had a cross-site referrer hole which was actively exploited in at least 1 case last month: http://davidairey.co.uk/google-gmail-security-hijack/

there seems to be a mini-epidemic of webmail account theft going on at the moment. I’m writing about another one at: http://taint.org/2007/12/21/171309a.html , and several people have pointed to other cases in the comments (yours being one).

As a matter of interest, what was the spam sent from your account?

By: Martin Hjort Eriksen

Martin Hjort Eriksen — Wed, 26 Dec 2007 22:01:20 +0000

If I remember correctly, after looking at the source, they have their own encryption implementation in Javascript. Therefore they are not using HTTPS.

By: Sergey Udaltsov

Sergey Udaltsov — Wed, 26 Dec 2007 16:34:17 +0000

Dan: the browser is mozilla-based. But extensions require special packaging.

By: Ruairi

Ruairi — Wed, 26 Dec 2007 09:37:14 +0000

Hi,

Boards.ie users have seen the exact same email sent from Yahoo as Gmail, again using the users’ credentials: passwords are certainly being stolen, but may not be a hot spot – as it’s unlikely both they and you have visited the same sites.

Yahoo gives the originating IP, and it’s China, so the spammer is logging in remotely to send the mail and it’s not a virus.

Is there any chance it’s XSS, or a problem with Flash?

By: Dan Arkway

Dan Arkway — Tue, 25 Dec 2007 20:20:56 +0000

Tried:
http://smir.de/cg/
? – Dan

By: Dan Arkway

Dan Arkway — Tue, 25 Dec 2007 18:55:25 +0000

Hi Sergey,
I thought there is a mini version FF out there for the N800. But some JS-Version of s/http/https should work on opera, too. Already checked: http://smir.de/cg/? Which browser do you use?
2. Checked mutt?
3. http://en.wikipedia.org/wiki/Privacy

Good luck, Dan

By: Sergey Udaltsov

Sergey Udaltsov — Mon, 24 Dec 2007 23:26:15 +0000

Dan: 1. Unfortunately that extension is not available @ Nokia N800 2. Yes I will probably 3. Except for security reasons – why not? The usability is very high IMHO

By: Dan Arkway

Dan Arkway — Mon, 24 Dec 2007 15:13:04 +0000

1) Get http://www.customizegoogle.com/, put all google stuff to https. 2) Use the secure IMAP stuff with SMTP/TLS with a good tool and do not use a web browser – they are not secure. 3) Try to get rid of gmail It’s not good.