The mis-reporting of this story is killing my brain cells right now. So a couple people got their domain name stolen, and held for ransom (that seems to be a popular sport, I probably shouldn’t tempt fate), because the thief had somehow installed a filter on their Gmail accounts that forwarded and deleted emails from their registrars — stealing a domain name is easy that way, you just need to intercept password reminders and confirmation requests and you’re done (that may depend on how thorough your registrar is, but there isn’t all that much they can do… it’s just that password reminders are evil, but users expect them).
The article most linked is a guy imagining how it might have happened, and I can’t get over the fact that so many reporters link it without thinking. Nevermind that the proposed “proof of concept” requiring knowing the target’s numerical Google account identifier (I’m willing to believe there is a way to find that out, but it definitely involves targeting a specific person, which is anything but efficient); the author also needs your session key to form a complete URL:
Obtaining the at variable on the other hand can be done by tricking a user into visiting a page that contains malicious code that subsequently steals a cookie from the user called GMAIL AT which is the same as the at variable, just named differently. Once the cookie is stolen the malicious code creates a hidden iframe with a url containing the variables that authorize Gmail to create a filter for your account.
As simple as that. Only it’s not. There’s just a tiny, silly bit of security in modern browsers that prevents web pages to access an external site’s cookies. I’m sure there are still a few Explorer 6 installs around the web that are vulnerable to some kind of cookie-stealing exploits, but they ought to be fairly rare — and those users deserve to have their domain names stolen anyway. (Plus, they’re using Hotmail, not Gmail.)
But you don’t just create “a page that steals a cookie from the user”; when that kind of thing happens, it’s called a brower vulnerability, not a bug in Gmail. If you want to steal someone’s cookies, what you do is intercept their wi-fi connection. (Which isn’t what the attackers did in that case, either; more about that in the rest of this article.)
For the record: I don’t care that an invididual blogger doesn’t understand cross-site scripting and writes like he’s an authority on browser security; I mind that all technology blogs and news sites link to his post indiscriminately.
That leaves us with the original post, from the guy who did get his domain name stolen. I’m willing to accept that the attacker didn’t just have his password, even though the most successful hacks often involve social engineering, but I’m interested in this part of his post, where he quotes an article about a 2007 Gmail vulnerability involving filters:
This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
Now, the interesting part is that update on the above GNU Citizen link states that vulnerability was fixed before 28 September 2007. But in David’s case, the incident took place in December, 2-3 months later. So, was the exploit really fixed back then? Or was it a new exploit in David’s case? And most importantly is there a similar security flaw in Gmail NOW?
You know what? I don’t want to insult your intelligence, and this story is already bugging me enough as it is, so I’m just going to let you find out how the logical flaw that resides between those two paragraphs, without adding my own emphasis.
And I’m not saying here that it’s impossible that a cross-site scripting vulnerability might be back on Gmail; it’s just that I haven’t seen much reason to think that there is, and I’d be willing to assume that whatever anti-XSS measure Google implemented shouldn’t have suddenly disappeared from the site — even though regression can happen to anyone. What I’m reacting to is not the accusation against Google, but the way it’s quoted verbatim all around the board. Not that I should be surprised, by now, but I can’t help myself.
The moral to this story, though, besides “those damn technology reporters could fact-check if their life depended on it,” is that you shouldn’t use web-accessible mail accounts for anything remotely important (domain names, PayPal or bank accounts, etc.) — well, you shouldn’t use clear-text email at all, but you can’t really avoid it. There will always be security flaws everywhere, and having a web interface is only making yourself more insecure.
And you should totally log out of Gmail when you’re done reading your mail. Like, do as I say, don’t do as I do.