Google, WTF?
December 23, 2007 10:30 pm
After some investigation I found the most probable reason for the break-in into my gmail account, which caused the spam message to be broadcast to my entire gmail address book.
GMail performs login using https. Then (bah!) it redirects to http! All further interactions are done in insecure mode – unless the original address you typed in your browser started with https (or you change it manually and explicitly in the address line). Awesome, isn’t it? For details, see for example here.
So, I guess when I read my gmail using some occasional free hotspot in the city (thanks to my n800), there was some “man in the middle” attack. It is not a big deal for a minimally educated script kiddie – once the http stream is not encoded and all the cookies are there…
I definitely blame myself for being so lame and not knowing that bad fact about GMail (and not being paranoid enough to check the security of the connection when I have to). But I am deeply disappointed that GMail is so insecure by default – and that information is not printed with big red letters on top of the page.
I guess there might be some people around who are still not aware of that shameful detail about GMail – so I am warning them.
December 23rd, 2007 at 11:37 pm
If you use the correct URL when connecting then it stays as https. Ask Google for more details 🙂
December 24th, 2007 at 12:06 am
troll: Thanks I know. NOW I know:) But usually I just did “gmail.com” – and that was it. Since n800 does not have real keyboard – every character is expensive:)
December 24th, 2007 at 12:07 am
… and yes it was http:// in the bookmark. Because I did not know and Google did not warn me.
December 24th, 2007 at 12:35 am
I’m not sure that’s a fair complaint. It makes more sense to use http:// by default, since it’s faster, and most of the time you trust your internet connection.
Note that yahoo also handles this the exact same way.
Still, it stinks that you were taken advantage of..
regards,
Nick
December 24th, 2007 at 1:38 am
…but your browser should usually warn you in such a case. At least if you had https first.
December 24th, 2007 at 2:49 am
Gmail + IMAP(TLS/SSL) is your friend.
December 24th, 2007 at 5:34 am
You should look at using a real email client with IMAP. It’s completely encrypted and, being IMAP, it remembers things like what folders you put messages in, so you can set up a filter in gmail to dump things in their respective folders and then see that from any email client.
You can even make sure drafts are stored in the gmail drafts folder rather than locally and trash archives things instead of permanently deleting it. Although it does take a few tweaks under Thunderbird.
December 24th, 2007 at 8:15 am
If you use https://mail.google.com/ to visit Gmail initially, it stays in HTTPS mode after the authentication is complete.
December 24th, 2007 at 9:29 am
nick: the “man in the middle” attack can be performed on any host used for routing between me and google. It does not make sense to trust your connection wholeheartedly even in the wired case (unless your route to google has length 1). I realize that google and yahoo are saving their resources – but they do it at my expense.
Steffl: Usually people disable these warnings immediately. They are too annoying. So did I 🙂
Matthew, EbilPhish: Yes but many IMAP clients have issues with huge “All Mail” folder. And BTW Google added IMAP just quite recently – while the issue I am talking about is ages old.
Mukund: Yes I know it. NOW:)
December 24th, 2007 at 10:15 am
I suspect that gmail isn’t the only Google service which suffers from this problem.
If you log in to another Google service (or else open the service in another tab while being already logged in) the cookie will be exposed in clear and can be used to access other Google services (including Gmail). Remember that some Google services such as Google search cannot be accessed with https.
The cookie also seems to never expire unless you logout. This effectively means that a stolen cookie can be used perpetually :S
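The two problems raised so far – the post’s point that the login happens over https but the redirect drops to http with the cookies still attached, and Daniel’s point that the cookie never expires – can both be checked from the headers of the login response alone. The following is an added example written for this page, not code from the original post or from Google: it parses a constructed set of response headers (the domain example.invalid and all cookie names and values are placeholders, not a capture of any real service), reports which cookies lack Secure or HttpOnly or are long-lived, and lists which of them a browser would send in the clear once redirected to the http inbox URL. Standard library only, so it runs offline.

```python
"""Audit a post-login HTTP response for the https->http downgrade and for
cookie attributes that make a stolen session reusable.

All headers, hosts and cookie values below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

LONG_LIVED = timedelta(days=30)  # assumption: a session cookie living longer than this is flagged


@dataclass
class CookieFinding:
    name: str
    domain: str            # matching domain, leading dot stripped
    host_only: bool        # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool
    httponly: bool
    lifetime: timedelta | None  # None means a browser-session cookie
    issues: list[str] = field(default_factory=list)


@dataclass
class AuditResult:
    downgraded: bool       # Location header moves from https to http
    cookies: list[CookieFinding]


def _lifetime(attrs: dict[str, str], now: datetime) -> timedelta | None:
    """Max-Age wins over Expires, as in RFC 6265; neither means session cookie."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def parse_set_cookie(header: str, default_host: str, now: datetime) -> CookieFinding:
    """Split one Set-Cookie header value into name and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    host_only = "domain" not in attrs
    return CookieFinding(
        name=name,
        domain=attrs.get("domain", default_host).lstrip(".").lower(),
        host_only=host_only,
        path=attrs.get("path", "/"),
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        lifetime=_lifetime(attrs, now),
    )


def audit_login_response(request_url: str, headers: list[tuple[str, str]], now: datetime) -> AuditResult:
    """Inspect the redirect target and every Set-Cookie of a login response."""
    req = urlsplit(request_url)
    downgraded = False
    cookies: list[CookieFinding] = []
    for name, value in headers:
        key = name.lower()
        if key == "location":
            downgraded = req.scheme == "https" and urlsplit(value).scheme == "http"
        elif key == "set-cookie":
            c = parse_set_cookie(value, req.hostname or "", now)
            if not c.secure:
                c.issues.append("no-secure")        # will travel over plain http
            if not c.httponly:
                c.issues.append("no-httponly")      # readable by page script
            if c.lifetime is not None and c.lifetime > LONG_LIVED:
                c.issues.append("long-lived")       # stolen copy stays valid for a long time
            cookies.append(c)
    return AuditResult(downgraded, cookies)


def sent_in_clear(cookies: list[CookieFinding], url: str) -> list[str]:
    """Names of cookies a browser would attach to a plain-http request to url."""
    u = urlsplit(url)
    if u.scheme != "http":
        return []
    host = (u.hostname or "").lower()
    path = u.path or "/"
    names = []
    for c in cookies:
        if c.secure:
            continue
        domain_ok = host == c.domain if c.host_only else (host == c.domain or host.endswith("." + c.domain))
        if domain_ok and path.startswith(c.path):
            names.append(c.name)
    return names


# Constructed sample: login over https, redirect to http, three cookies.
NOW = datetime(2007, 12, 24, tzinfo=timezone.utc)
LOGIN_URL = "https://www.example.invalid/accounts/login"
SAMPLE_HEADERS = [
    ("Location", "http://mail.example.invalid/inbox"),
    ("Set-Cookie", "SID=abc123; Domain=.example.invalid; Path=/; Expires=Wed, 13 Jan 2021 22:23:01 GMT"),
    ("Set-Cookie", "LSID=def456; Path=/accounts; Secure; HttpOnly"),
    ("Set-Cookie", "PREF=xyz; Domain=.example.invalid; Max-Age=63072000; Path=/"),
]


def run_sample() -> tuple[AuditResult, list[str]]:
    result = audit_login_response(LOGIN_URL, SAMPLE_HEADERS, NOW)
    return result, sent_in_clear(result.cookies, SAMPLE_HEADERS[0][1])


if __name__ == "__main__":
    result, leaked = run_sample()
    print("redirect downgrades to http:", result.downgraded)
    for c in result.cookies:
        print(f"{c.name}: {', '.join(c.issues) or 'ok'}")
    print("cookies sent in clear to the inbox URL:", leaked)
```

On the sample, SID and PREF lack Secure and are long-lived, so after the downgrade both travel in plain http with every request; LSID, set with Secure and scoped to the login path, does not. The same function applied to a real service’s response headers, captured from one’s own session, shows in a few lines whether the https login actually protects the session that follows.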
December 24th, 2007 at 11:26 am
The Firefox ‘Better Gmail’ extension has an option to always use ‘https’, which is useful 🙂
December 24th, 2007 at 2:38 pm
Daniel: most probably you’re right. And it does not make Google a nice guy. I wonder if the guys who stole my cookie are going to use it again 🙁
Dave: unfortunately that extension is not available for n800’s browser yet.
December 24th, 2007 at 3:13 pm
1) Get http://www.customizegoogle.com/, put all google stuff to https.
2) Use the secure IMAP stuff with SMTP/TLS with a good tool and do not use a web browser – they are not secure.
3) Try to get rid of gmail 🙂 It’s not good.
December 24th, 2007 at 11:26 pm
Dan:
1. Unfortunately that extension is not available @ Nokia N800
2. Yes I will probably
3. Except for security reasons – why not? The usability is very high IMHO
December 25th, 2007 at 6:55 pm
Hi Sergey,
I thought there is a mini version of FF out there for the N800. But some JS version of s/http/https should work on Opera, too. Already checked: http://smir.de/cg/? Which browser do you use?
2. Checked mutt?
3. http://en.wikipedia.org/wiki/Privacy
🙂
Good luck, Dan
December 25th, 2007 at 8:20 pm
Tried: http://smir.de/cg/ ? – Dan
December 26th, 2007 at 9:37 am
Hi,
Boards.ie users have seen the exact same email sent from Yahoo as Gmail, again using the users’ credentials: passwords are certainly being stolen, but may not be a hot spot – as it’s unlikely both they and you have visited the same sites.
Yahoo gives the originating IP, and it’s China, so the spammer is logging in remotely to send the mail and it’s not a virus.
Is there any chance it’s XSS, or a problem with Flash?
December 26th, 2007 at 4:34 pm
Dan: the browser is mozilla-based. But extensions require special packaging.
December 26th, 2007 at 10:01 pm
If I remember correctly, after looking at the source, they have their own encryption implementation in Javascript. Therefore they are not using HTTPS.
December 28th, 2007 at 4:16 pm
Google had a cross-site referrer hole which was actively exploited in at least 1 case last month: http://davidairey.co.uk/google-gmail-security-hijack/
There seems to be a mini-epidemic of webmail account theft going on at the moment. I’m writing about another one at: http://taint.org/2007/12/21/171309a.html , and several people have pointed to other cases in the comments (yours being one).
As a matter of interest, what was the spam sent from your account?
December 29th, 2007 at 6:57 pm
Justin: shame on Google indeed. My spam had first lines:
We are a wholesaler which deal with electronic products, such as: Mobile,TV,PC,DV,DC,games,MP3 Even motorcycles and musical instruments. Delivering our items by EMS to our customers around the world, The link pointed to the site www dot ems dot com dot cn
January 10th, 2008 at 11:36 am
By the way, yahoo doesn’t support secure connection as easy and free as google does.