Professional Webmasters Community

Possible Severe Gmail Security Vulnerability


Post by andry, Wed Sep 15, 2010 12:39 am

Gmail may have a serious security vulnerability that can result in the leaking of sensitive private information randomly to people you don’t know, haven’t contacted, and have nothing to do with.

It would seem that between the way Gmail saves and retrieves sessions, existing sessions are authenticated, and views are cached there are one or more loopholes that allow data from a different account (that has nothing to do with yours) to be served instead of the correct data.

I don’t know why, but here’s the how:

Firefox 3 opened to Gmail on Ubuntu.

Session accidentally reset with ctrl+alt+bkspc.

Upon reboot & restarting of Firefox, Firefox requested the URIs that were previously open before the crash, partially loading data from local cache and the rest dynamically from the web (because of the AJAX portions of the Gmail interface).

The result:

Gmail loaded up the email account of a user I’d never contacted before, never heard of, and never knew existed.

I could see the front page of this user’s inbox, including the people he’d recently contacted, the brief summary of all messages, the total number of messages in the inbox, the number of unread messages in other folders, the dates of all correspondences, and a number of contacts (again, none that I have had contact with) in the sidebar.

The number of remaining Gmail invites, the amount of space used, and other status values also reflected this mysterious individual’s account.

I couldn’t browse deeper than the main page of the inbox. Emails couldn’t be opened, nothing past the first 50 correspondences could be seen, and I couldn’t switch to another folder.

Attempts to do any of the above resulted in Gmail’s “Oops… the system encountered a problem (#102) – Retrying in XXs… <Retry Now>”

Parts of the Gmail interface contained values pertaining to my own account (for instance, the online status indicator) while others referred to this other individual’s account instead.

It’s very bizarre. I don’t know if it can be readily reproduced, but I'd imagine if you forced an exit of Firefox 3 and kept on firing it back up at some point or another you'd see similar behavior. Of course, a deeper analysis of what data Firefox 3 requests from Gmail's servers versus what's served from the local session cache may yield further information that could possibly be used to actively take advantage of this data leak.

It seems that Firefox requests a cached session complete with cookies and all from the Gmail URI, which in turn loads the Gmail JavaScript files that are responsible for retrieving the data associated with a particular email account via AJAX. At this point, either the session key is associated with another account and so Gmail retrieves the information assuming the session to be properly authenticated, or else the expired session somehow causes Gmail to get data from elsewhere...
andry (Moderator), Posts: 467, Join date: 2010-05-07
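As an added illustration of the cache/session mix-up the post hypothesises (a constructed toy, not Gmail's code and not the poster's): an inbox service whose rendered-view cache is keyed by URL alone and consulted before the session cookie is validated, beside a hardened version that validates the session first and keys the cache by the authenticated account. Account names, cookies and inbox contents are invented sample data.

```python
from typing import Dict, Optional, Tuple

# Constructed sample data: two accounts and the session cookies bound to them.
INBOXES: Dict[str, dict] = {
    "alice": {"unread": 3, "recent_contacts": ["bob", "carol"]},
    "dave": {"unread": 12, "recent_contacts": ["erin"]},
}
SESSIONS: Dict[str, str] = {"cookie-alice-1": "alice", "cookie-dave-7": "dave"}


class NaiveInboxService:
    """Flawed: the view cache is keyed by URL only and is checked before the
    session is validated, so whoever warmed the cache decides what everyone
    (including holders of expired cookies) sees for that URL."""

    def __init__(self) -> None:
        self.view_cache: Dict[str, dict] = {}

    def inbox_view(self, cookie: Optional[str], url: str = "/mail/inbox") -> dict:
        if url in self.view_cache:          # cache hit: account never consulted
            return self.view_cache[url]
        user = SESSIONS.get(cookie)
        if user is None:
            raise PermissionError("no valid session")
        self.view_cache[url] = dict(INBOXES[user])
        return self.view_cache[url]


class HardenedInboxService:
    """Fixed: every request is authenticated first, and the cache key includes
    the account, so one user's rendered view can never satisfy another's."""

    def __init__(self) -> None:
        self.view_cache: Dict[Tuple[str, str], dict] = {}

    def inbox_view(self, cookie: Optional[str], url: str = "/mail/inbox") -> dict:
        user = SESSIONS.get(cookie)
        if user is None:
            raise PermissionError("no valid session")
        key = (user, url)
        if key not in self.view_cache:
            self.view_cache[key] = dict(INBOXES[user])
        return self.view_cache[key]


def demo() -> tuple:
    """Dave warms each cache; then Alice's restored session and an expired cookie ask."""
    naive, hardened = NaiveInboxService(), HardenedInboxService()
    naive.inbox_view("cookie-dave-7")
    leaked = naive.inbox_view("cookie-alice-1")      # Alice is shown Dave's inbox
    stale = naive.inbox_view("cookie-expired")        # so is an unauthenticated caller
    hardened.inbox_view("cookie-dave-7")
    own = hardened.inbox_view("cookie-alice-1")      # Alice gets her own inbox
    try:
        hardened.inbox_view("cookie-expired")
        rejected = False
    except PermissionError:
        rejected = True
    return leaked, stale, own, rejected
```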
