
Teenage Blogger Finds Gmail Hole 268

Posted by Zonk
from the not-what-i-was-doing-at-14 dept.
cpm80 wrote to mention the news that a 14 year old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."
This discussion has been archived. No new comments can be posted.

  • by Osrin (599427) * on Thursday March 02, 2006 @02:54PM (#14836659) Homepage
    Something happened, he is not sure what, and now nobody can replicate it.

    Stuff that matters huh?
  • Fixed (Score:5, Informative)

    by hetairoi (63927) on Thursday March 02, 2006 @02:56PM (#14836680) Homepage
    SANS Internet Storm Center [sans.org] says it's fixed. Seems pretty silly.

  • This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.
    • by TCQuad (537187)
      This error should have been reported to Google and the appropriate mailing lists, not posted on a blog. Fortunately, Google responded quickly to resolve the issue before it caused damage.

      If this was a security expert or professional programmer or the like, I'd agree. But he's 14! Teenagers nowadays can barely open a door without first blogging about the experience. He saw something, he said he saw something. Now he gets a little recognition, Google fixes it and everyone goes home happy.
    • Publicly exposed errors get fixed faster.

      Once you tell a company of the issue, it then becomes possible for that company to take actions to shut you up.

  • Not surprising (Score:4, Interesting)

    by Bogtha (906264) on Thursday March 02, 2006 @03:06PM (#14836771)

    Google have shown repeatedly that they don't understand how to deal with Javascript securely. Example [jibbering.com].

    • None of the stuff on that page works anymore.
    • There are undoubtedly numerous experts at Google that know about XSS mitigation techniques. However, there's a big difference between knowing how to do something and having enough time in your schedule to properly design code that's not vulnerable to cross-site scripting attacks and having enough resources to test the design. I think the responsibility for this problem lies in the QE and scheduling rather than in Google's supposed incompetence.
  • by frovingslosh (582462) on Thursday March 02, 2006 @03:09PM (#14836796)
    Unfortunately, I find I have problems with Gmail security the other way. Gmail blocks outbound attachments with exe files, even when those files are included inside zip files. I write programs and occasionally have to e-mail a client a change. Yet, unless I want to try to get my low-tech users to use more tools to help me sneak something past the Gmail filtering, I have to use a second e-mail account when I want to send out EXE files.

    I'm all for Google not doing stupid things on their web interface, but I don't think they should be encouraged to be even more aggressive and invasive as to what we send and receive in our e-mail. Claiming you are doing this for the users' protection just assumes that all of your users are idiots, and if you build a system that repeatedly makes that assumption then eventually all of your users will be idiots, as you will drive the others away.

    • Just change the extension. I routinely change the extension of zip files to 7z and tell my friends to either rename the extension or use 7zip.
    • by WebCowboy (196209) on Thursday March 02, 2006 @03:57PM (#14837216)
      Gmail blocks outbound attachments with exe files, even when those files are included inside zip files.

      Google is RIGHT in doing such filtering, although perhaps they should make it clear to users up front on its filtering policies rather than waiting for them to discover it for themselves. Besides, even if outbound executable attachments are blocked how many corporate systems permit them inbound? My employer blocks inbound executables unless you're in certain departments, and the majority of our clients do as well. These systems are getting very smart too--they analyse the actual content of the file rather than the extension and even if you rename your .exe to .abc, ZIP it and rename the .zip extension .xyz our system will check the header content of the files' data and determine it is a ZIP, then extract the files inside to examine THEM if that is how you configure it.

      The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortunately it cannot always be avoided but it should be wherever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).

      There are some cases where email is the most convenient, such as for non-executable documents (I avoid sending .docs since I consider them "executable"--I send PDFs instead), smaller files and so on. For dealing with more novice users I send an email with the link to the file to click, and for getting files from them I set up a simple HTTPS "gateway" with a file submission form. Just as simple as attachments (for the client anyways) and more secure.

      I don't think GMail and other mail systems need to be "fixed"...I think that people have to get out of the mindset of using email to exchange files. Use secure FTP or even HTTPS...or even better for big files use Bittorrent. It annoys me when people complain about limits on email attachments just like it annoys me when people use Excel to create "databases". At least learn to use MS Access dammit...it isn't THAT hard!
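
An added example, not part of the original comment or any vendor's code: a minimal sketch of the content-based check described above, which classifies an attachment by its leading bytes rather than its extension and unpacks ZIP containers to inspect their members. The function names, the depth and size limits, and the sample data are assumptions made for the illustration.

```python
import io
import zipfile

MAX_DEPTH = 3                         # assumed limit on nested archives
MAX_MEMBER_BYTES = 10 * 1024 * 1024   # assumed per-member inspection cap

def sniff(data: bytes) -> str:
    """Classify content by its leading magic bytes, ignoring any file name."""
    if data[:2] == b"MZ":
        return "exe"                  # DOS/PE executable header
    if data[:4] == b"PK\x03\x04":
        return "zip"                  # ZIP local file header
    return "other"

def scan_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the paths of executables found, recursing into ZIP containers."""
    kind = sniff(data)
    if kind == "exe":
        return [name]
    if kind != "zip":
        return []
    if depth >= MAX_DEPTH:
        # Fail closed: an archive nested this deeply is flagged, not trusted.
        return [name + " (nesting too deep, not inspected)"]
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append(path + " (too large, not inspected)")
                continue
            hits += scan_attachment(path, archive.read(info), depth + 1)
    return hits

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory; used only to construct the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buf.getvalue()

# Constructed samples: the "executable" is only an MZ header plus padding.
FAKE_EXE = b"MZ" + b"\x00" * 62
RENAMED = make_zip({"update.abc": FAKE_EXE, "notes.txt": b"hello"})
NESTED = make_zip({"inner.xyz": RENAMED})

if __name__ == "__main__":
    print(scan_attachment("patch.xyz", RENAMED))   # renamed ZIP, renamed member
    print(scan_attachment("outer.dat", NESTED))    # ZIP inside a ZIP
```

The same structure extends to other container and executable formats by adding signatures to `sniff`; a two-byte `MZ` match is a coarse signal, so a production filter would validate more of the header before blocking.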
      • > email was not designed for file transfer and probably will never be the best tool for that purpose.

        But it's a pretty good tool for transferring small files. If you are worried about who the message comes from then only take attachments from cryptographically signed emails from senders you trust.
      • The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortunately it cannot always be avoided but it should be wherever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such file

        • Wait, did I miss something?? When did email not require the use of at least one server somewhere?
        • What do you think the point of attachments is?

          I mentioned what the point is in my original post--for small, non-executable files mostly of a documentation-use nature. If it is a spreadsheet (WITHOUT garbage like VBS macros) or an electronic copy of a user manual, or an image or other "rich media" that is not alphanumeric in nature (within reason--I'd dislike flash games being sent as an attachment for example).

          But sending me .exe files, or 50 megabytes of database snapshot or archived logs? Please don't tr
          • sending me .exe files, or 50 megabytes of database snapshot or archived logs? Please don't try to send these things via email then b*tch at me when they bounce or get filtered out...that is abuse of email and there are better ways of doing things.

            It doesn't make it "abuse of email" just because you don't want large attachments. It might be abuse of you, and yes, I would expect people who care about your opinion to avoid mailing you large attachments, but it doesn't say anything about the world at larg

            • It doesn't make it "abuse of email" just because you don't want large attachments.

              Except that is IS an abuse because it clogs email servers as large attachments sit in inboxes waiting to be opened. This means the resources of the email server are strained for every user...it isn't simply a matter of what *I* want

              An email is a file. It's got a standard format and it gets sent from host to host.

              No, an email is NOT a file--it wasn't originally anyways. Perhaps it is common today for email systems to treat a
    • Rename the extension of the ZIP file to .Z instead of .ZIP. GMail passes it right through, and WinZip (as well as many other Windows-based tools) will still see it as a ZIP file and give it the correct icon, minimizing confusion on the part of users.
    • Rename it. I get around Outlook all the time by sending myfile.exe.delete_this_extension
    • I have to use a second e-mail account when I want to send out EXE files.

      Aww. How horrible.

      Email attachments are perhaps the worst imaginable way of distributing executables. It's too bad that your clients don't know of or care about alternative delivery systems, but that's not enough for me to conclude that Gmail was overbearing or foolish in forbidding EXE attachments.
      • Email attachments are perhaps the worst imaginable way of distributing executables. It's too bad that your clients don't know of or care about alternative delivery systems, but that's not enough for me to conclude that Gmail was overbearing or foolish in forbidding EXE attachments.

        Aside from using myspace or something, how do you propose that people send files to people so that they can download them when the sender is no longer connected? And when neither one has a 24x7 internet connection?

    • This is like saying that patching ActiveX is silly, anti-spyware is unneeded, and anti-virus software unnecessary, just assume your users will know better.

      Wrong.

      Gmail's is the intended behavior. Use FTP for EXEs, or even CDs.
      • Gmail's is the intended behavior. Use FTP for EXEs, or even CDs.

        No.

        Why don't you stop telling people how to use their computers. I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.

        • I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.

          Or Outlook. Or several other capable email programs. Essentially, your suggestion is that general security should be sacrificed because lazy people sometimes want to send executable files? That's weak, friend.

          Since most people run Windows, and most people have file extensions hidden (a STUPID default), most people will think anna_kournikova.jpg.exe is an image, and open it.

          Email prog
          • Email programs SHOULD block exe files.

            Absolutely agreed.

            If you are smart enough to send an exe that makes sense, you're smart enough to rename it.

            But here is where you missed the point of this discussion. This is a smart user who has already tried renaming and zipping a legit .exe file and gmail is STILL blocking it. That's NOT what an email program should do.

            --A2K
          • Or Outlook. Or several other capable email programs. Essentially, your suggestion is that general security should be sacrificed because lazy people sometimes want to send executable files? That's weak, friend.

            Sometimes they want to send zip files with .exe files in them, too, but you can't do that either. If I want to just dash a zip file with an installer (or just a program that doesn't require installation, just unpacking) off to someone, I have to rename the zip file extension, and then they have t

        • No.

          Why don't you stop telling people how to use their computers. I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.


          You're right! It works in Outlook--hey, look, I just received an .EXE in my email. Sweet! I think it's a funny program from my girlfriend, Loveletter.exe! Man, double-click and I get the *&!@!*^#$~~$#!`1NO CARRIER

          • See, the only thing keeping that outcome from being a happy ending for everyone but the luser that ran the attachment without knowing what it was is the fact that most ISPs are less than proactive about killing off users whose machines are spamming or what have you...
    • Hi

      There's a very easy fix for this problem: Remove the '.' from the file name, and the checker won't guess that it's an executable. Recipient puts the '.' back in, and you're all set. Works like a charm.

    • I've had this problem too. I just send the files named "TheProgram.rename_to_exe" or something like that. I also explain that it needs to be renamed before it will run because of gmail's filtering. I'll admit that it did catch me by surprise the first time, though.
  • by smooth wombat (796938) on Thursday March 02, 2006 @03:26PM (#14836938) Homepage Journal
    were good at finding holes to exploit. Any hole.

    Er, wait. Scratch that. I'm thinking of something else.
  • Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed.

    Can these same blog visitors please examine and fix my slow computer network?
  • by geobeck (924637) on Thursday March 02, 2006 @03:36PM (#14837020) Homepage

    Teenage Computer Geek Finds Hole

    Girlfriend says "Finally!"

  • If the kid was looking to better humanity, he probably would have reported the flaw to Google before blogging on it. He should read the RFPolicy [wikipedia.org] before he ends up being a scapegoat under someone's corporate bus. [google.com]
  • It is amusing that the ad at the top of the page while I read this showed the text:

    script type="text/javascript" language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"

    ...instead of the appropriate ad.

    • Well said!

      This is exactly why we should not use HTML, MIME, JAVASCRIPT, PDF, MSWORD, WTF encoding for e-mail messages. Plain ASCII does the job. If you need more, then replace the ancient SMTP protocol and include ISO standard fonts. End of story. Sadly RFC-based protocols are just patchwork. With every additional layer of encoding there are new possibilities of interference, new bugs, new security issues. Those who do not understand this matter should ask themselves why people use Javascript to encapsulate
  • The kid's code might be deadly, but after reading his blog, I notice he can barely formulate a coherent English sentence.

    - P
  • by johnkoer (163434) <johnkoer.yahoo@com> on Thursday March 02, 2006 @05:00PM (#14837728) Homepage Journal
    There is a bug in a piece of beta software??? That is unheard of.
  • by museumpeace (735109) on Thursday March 02, 2006 @05:19PM (#14837869) Journal
    it certainly underscores a strength of web based applications: It was looking like a bug one morning but by afternoon, only fixed versions of the code were to be found. Centralized reloading of gmail's servers means everybody got the fix at the same time more or less. What would the time line of such a security hole be if it occurred in Outlook? Eudora?
    • It can be a double-edged sword, too. Aside from a few large applications (Windows, Office, IE), not many applications are running on tons and tons of systems. Having everyone running the same program from the same place means that if a flaw is found and not fixed quickly, *everyone* using that application is vulnerable.
  • What does running Javascript "from gmail.com" even mean? Javascript is run on a client machine. So you can put Javascript in your code, and it will parrot it back to you. How exactly is this a security vulnerability? You could run the same code from anywhere - it doesn't have to be Gmail.com supplied Javascript code. Please correct me if I don't understand, but if he just got gmail to give him back his own javascript code, there is no vulnerability. How is it going to run "from the gmail servers"? And even
    • What does running Javascript "from gmail.com" even mean? Javascript is run on a client machine. So you can put Javascript in your code, and it will parrot it back to you. How exactly is this a security vulnerability? You could run the same code from anywhere - it doesn't have to be Gmail.com supplied Javascript code.

      Because what JavaScript is allowed to do is restricted according to the site you're on. JavaScript on nastysite.com can't steal cookies from gmail.com, nor can it open and interact with page
    • i need to read faster
