Teenage Blogger Finds Gmail Hole 268
cpm80 wrote to mention the news that a 14-year-old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."
So the story is? (Score:5, Funny)
Stuff that matters huh?
Well... (Score:2)
As the old slashdotism proclaims: "Nothing to see here. Move along"
-- oh and that they read Digg... :-) (Score:2)
Re:-- oh and that they read Digg... :-) (Score:2, Insightful)
Re:-- oh and that they read Digg... :-) (Score:3, Insightful)
Some examples from the front page of Digg.com:
--"Women will get sterile just looking at you", Star Wars fans uncool??
A man was so bold as to blog that being a hard core Star Wars fan is social suicide. He backed up his statement with some hilarious convention pics
Re:So the story is? (Score:2)
Sick kid! (Score:2)
Fixed (Score:5, Informative)
Lack of Responsibility (Score:2)
Dude, he's 14! (Score:3, Funny)
If this was a security expert or professional programmer or the like, I'd agree. But he's 14! Teenagers nowadays can barely open a door without first blogging about the experience. He saw something, he said he saw something. Now he gets a little recognition, Google fixes it and everyone goes home happy.
Re:Yes, but remember this is post 9/11 (Score:2)
The world is run by small-minded militaristic plutocrats with no concern for human life or the future of the planet who rule by intimidation and fear.
On March 2, 2006:
The world is run by small-minded militaristic plutocrats with no concern for human life or the future of the planet who rule by intimidation and fear.
Brave New World, eh?
Re:Lack of Responsibility (Score:2)
Once you tell a company of the issue, it then becomes possible for that company to take actions to shut you up.
Not surprising (Score:4, Interesting)
Google have shown repeatedly that they don't understand how to deal with Javascript securely. Example [jibbering.com].
Outdated (Score:2)
Re:Outdated (Score:2)
So the fact that they ignored a security hole for two years and then botched the fix is unimportant, because it's fixed now?
Re:Outdated (Score:4, Funny)
Yeah! Yeah! Because... because Google are different OK?! They do NO EVIL! I mean "Don't be Evil", I mean, not like M$, I mean.....
Re:Outdated (Score:2)
Re:Not surprising (Score:2)
Re:Obligatory grammar nazi reply (Score:2)
Sorry, but you are wrong. The treatment of group nouns as plural is perfectly normal and acceptable outside of America. Consult your international grammar nazi style guide for details.
Re:Not surprising (Score:2)
That's precisely the problem. Instead of only allowing known-safe protocols, they've let everything through but particular ones they know are unsafe. Anybody with five minutes' experience knows that is a recipe for disaster - do you really think you can anticipate everything that is likely to be unsafe? Including things like java\script, java\nscript, view-source:, etc? Including proprietary, undocumented Internet Explorer-isms and Netscape-isms? This is precisely the attitude that left MySpace wide o
Re:Not surprising (Score:2)
Rule #5 of network security: enumerate goodness, not badness.
it goes right along with rule number 1: default=deny, not permit
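Added example (not part of the original thread or of any commenter's post): the block-list versus allow-list point made in the comments above, applied to link schemes in mail content. The function names and sample hrefs are constructed for illustration; the normalisation step assumes the browser behaviour of dropping tabs, newlines and leading whitespace before a URL's scheme is parsed.

```javascript
// Constructed illustration: hypothetical filter functions, not Gmail's code.
const BLOCKED = ["javascript:", "vbscript:"];          // "enumerate badness"
const ALLOWED = new Set(["http", "https", "mailto"]);  // "enumerate goodness"

// Block-list filter: rejects only hrefs that begin with a known-bad prefix.
function blocklistAccepts(href) {
  const h = href.toLowerCase();
  return !BLOCKED.some((prefix) => h.startsWith(prefix));
}

// Extract the scheme the way a browser will see it: trim leading/trailing
// control characters and spaces, then remove tabs and newlines anywhere.
function schemeOf(href) {
  const cleaned = href
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allow-list filter: default deny. Anything without a recognised,
// explicitly permitted scheme is rejected, including unparseable input.
function allowlistAccepts(href) {
  const scheme = schemeOf(href);
  return scheme !== null && ALLOWED.has(scheme);
}

// Constructed sample hrefs, using the variants named in the thread.
const samples = [
  "https://example.com/",
  "javascript:void(0)",
  "java\nscript:void(0)",            // newline inside the scheme
  "java\\script:void(0)",            // literal backslash inside the scheme
  "view-source:http://example.com/", // scheme the block list never heard of
  "  JaVaScRiPt:void(0)",            // leading spaces and mixed case
];

function compare(list) {
  return list.map((href) => ({
    href: JSON.stringify(href),
    blocklist: blocklistAccepts(href),
    allowlist: allowlistAccepts(href),
  }));
}

console.table(compare(samples));
```

The block list accepts every variant it did not anticipate, while the allow list rejects all of them without needing to know they exist.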
Gmail security can be over aggressive too (Score:3, Insightful)
I'm all for Google not doing stupid things on their web interface, but I don't think they should be encouraged to be even more aggressive and invasive as to what we send and receive in our e-mail. Claiming you are doing this for the users' protection just assumes that all of your users are idiots, and if you build a system that repeatedly makes that assumption then eventually all of your users will be idiots, as you will drive the others away.
Re:Gmail security can be over aggressive too (Score:2)
Email is probably the wrong tool for this task (Score:4, Interesting)
Google is RIGHT in doing such filtering, although perhaps they should make it clear to users up front on its filtering policies rather than waiting for them to discover it for themselves. Besides, even if outbound executable attachments are blocked how many corporate systems permit them inbound? My employer blocks inbound executables unless you're in certain departments, and the majority of our clients do as well. These systems are getting very smart too--they analyse the actual content of the file rather than the extension and even if you rename your
The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortunately it cannot always be avoided but it should be wherever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).
There are some cases where email is the most convenient, such as for non-executable documents (I avoid sending
I don't think GMail and other mail systems need to be "fixed"...I think that people have to get out of the mindset of using email to exchange files. Use secure FTP or even HTTPS...or even better for big files use Bittorrent. It annoys me when people complain about limits on email attachments just like it annoys me when people use Excel to create "databases". At least learn to use MS Access dammit...it isn't THAT hard!
Re:Email is probably the wrong tool for this task (Score:2)
But it's a pretty good tool for transferring small files. If you are worried about who the message comes from then only take attachments from cryptographically signed emails from senders you trust.
Re:Email is probably the wrong tool for this task (Score:2)
Until then, don't send EXE's through Gmail, not just because they won't let you, but because it's a bad idea.
Re:Email is probably the wrong tool for this task (Score:2)
Re:Email is probably the wrong tool for this task (Score:3, Insightful)
Re:Email is probably the wrong tool for this task (Score:2)
Re:Email is probably the wrong tool for this task (Score:2)
Re:Email is probably the wrong tool for this task (Score:2)
I mentioned what the point is in my original post--for small, non-executable files mostly of a documentation-use nature. If it is a spreadsheet (WITHOUT garbage like VBS macros) or an electronic copy of a user manual, or an image or other "rich media" that is not alphanumeric in nature (within reason--I'd dislike flash games being sent as an attachment for example).
But sending me
Re:Email is probably the wrong tool for this task (Score:2)
It doesn't make it "abuse of email" just because you don't want large attachments. It might be abuse of you, and yes, I would expect people who care about your opinion to avoid mailing you large attachments, but it doesn't say anything about the world at larg
Re:Email is probably the wrong tool for this task (Score:2)
Except that it IS an abuse because it clogs email servers as large attachments sit in inboxes waiting to be opened. This means the resources of the email server are strained for every user...it isn't simply a matter of what *I* want
An email is a file. It's got a standard format and it gets sent from host to host.
No, an email is NOT a file--it wasn't originally anyways. Perhaps it is common today for email systems to treat a
Re:Gmail security can be over aggressive too (Score:3, Informative)
Re:Gmail security can be over aggressive too (Score:2)
Re:Gmail security can be over aggressive too (Score:2)
Aww. How horrible.
Email attachments are perhaps the worst imaginable way of distributing executables. It's too bad that your clients don't know of or care about alternative delivery systems, but that's not enough for me to conclude that Gmail was overbearing or foolish in forbidding EXE attachments.
Re:Gmail security can be over aggressive too (Score:2)
Aside from using myspace or something, how do you propose that people send files to people so that they can download them when the sender is no longer connected? And when neither one has a 24x7 internet connection?
Re:Gmail security can be over aggressive too (Score:2)
So because some people can't control their sphincters, others must incur additional costs? Great. I see we're working on the U.S. Government model.
Re:Gmail security can be over aggressive too (Score:2)
Re:Gmail security can be over aggressive too (Score:2)
I suggest this program:
You may refer to it as "runme.bat" or similar, if you like.
Re:Gmail security can be over aggressive too (Score:2)
Wrong.
Gmail's is the intended behavior. Use FTP for EXEs, or even CDs.
Re:Gmail security can be over aggressive too (Score:3, Insightful)
No.
Why don't you stop telling people how to use their computers. I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using gmail.
Re:Gmail security can be over aggressive too (Score:2)
Or Outlook. Or several other capable email programs. Essentially, your suggestion is that general security should be sacrificed because lazy people sometimes want to send executable files? That's weak, friend.
Since most people run Windows, and most people have file extensions hidden (a STUPID default), most people will think anna_kournikova.jpg.exe is an image, and open it.
Email prog
Re:Gmail security can be over aggressive too (Score:2)
Absolutely agreed.
But here is where you missed the point of this discussion. This is a smart user who has already tried renaming and zipping a legit
--A2K
Re:Gmail security can be over aggressive too (Score:3, Insightful)
Sometimes they want to send zip files with .exe files in them, too, but you can't do that either. If I want to just dash a zip file with an installer (or just a program that doesn't require installation, just unpacking) off to someone, I have to rename the zip file extension, and then they have t
Re:Gmail security can be over aggressive too (Score:2)
You're right! It works in Outlook--hey, look, I just received an
Re:Gmail security can be over aggressive too (Score:2)
Re:Gmail security can be over aggressive too (Score:2)
There's a very easy fix for this problem: Remove the '.' from the file name, and the checker won't guess that it's an executable. Recipient puts the '.' back in, and you're all set. Works like a charm.
Re:Gmail security can be over aggressive too (Score:2)
Re:Gmail security can be over aggressive too (Score:2)
Re:Gmail security can be over aggressive too (Score:2)
Re:Gmail security can be over aggressive too (Score:2)
Re:Gmail security can be over aggressive too (Score:2)
Re:Gmail security can be over aggressive too (Score:2)
Re:Gmail security can be over aggressive too (Score:2)
I thought teenagers. . . (Score:5, Funny)
Er, wait. Scratch that. I'm thinking of something else.
Blog Visitors (Score:2)
Can these same blog visitors please examine and fix my slow computer network?
So the attention grabber headline is... (Score:5, Funny)
Teenage Computer Geek Finds Hole
Girlfriend says "Finally!"
Re:So the attention grabber headline is... (Score:2)
Some of us geeks haven't had this particular issue. Some of us actually have children.
I laughed until tears when I read this. Thanks for making my day.
Re:So the attention grabber headline is... (Score:2, Funny)
Teenage Computer Geek Finds Hole
Girlfriend says "Not that hole! Pull it out! Pull it out!!"
Re:So the attention grabber headline is... (Score:2)
"All jocks think about is sports. All nerds think about is sex."
- Revenge of the Nerds
When we do finally get girlfriends, all the academic knowledge from all the pr0n we watch comes in handy.
Re:So the attention grabber headline is... (Score:2)
Re:So the attention grabber headline is... (Score:2)
Re:So the attention grabber headline is... (Score:2, Insightful)
*sigh*... All of the thoughtful, serious replies I've given to /. topics, and my first +5 comes from a crack like this.
(No pun intended.)
Great, another spammer in training (Score:2)
Re:Great, another spammer in training (Score:2)
From the linked page:
Please pardon me if I don't give a fuck what was written by someone calling themselves "Rain Forest Puppy".
Re:Great, another spammer in training (Score:2)
Re:Great, another spammer in training (Score:2)
amusing (Score:2)
script type="text/javascript" language="JavaScript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"
...instead of the appropriate ad.
Re:amusing (Score:2)
This is exactly why we should not use HTML, MIME, JAVASCRIPT, PDF, MSWORD, WTF encoding for e-mail messages. Plain ASCII does the job. If you need more, then replace the ancient SMTP protocol and include ISO standard fonts. End of story. Sadly RFC-based protocols are just patchwork. With every additional layer of encoding there are new possibilities of interference, new bugs, new security issues. Those who do not understand this matter should ask themselves why people use Javascript to encapsulate
Elements of Un-Style (Score:2, Funny)
- P
Stop The Presses!!! (Score:3, Insightful)
Re:Stop The Presses!!! (Score:2)
if you take the story at face value, (Score:3, Insightful)
Re:if you take the story at face value, (Score:2)
Was it exploitable? (Score:2)
Re:Was it exploitable? (Score:2)
Because what JavaScript is allowed to do is restricted according to the site you're on. JavaScript on nastysite.com can't steal cookies from gmail.com, nor can it open and interact with page
Re:Was it exploitable? (Score:2)
Re:Security flaw? (Score:2, Interesting)
He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane...
in *a* preview pane... what preview pane... where? Yahoo's preview pane? How is that google's problem?
I'm totally confused...
Re:Security flaw? (Score:2)
Re:Security flaw? (Score:2, Insightful)
The preview pane is what you see before you read the message (when the list of messages is displayed - e.g. your Inbox).
Re:Security flaw? (Score:3, Informative)
Basically - you don't want someone to be able to send you javascript that will execute when you read a message. It can allow the attacker far too much leeway (within the confines of your browser)
Here's an (old) example [com.com] that affected Microsoft's hotmail service that gives you an idea of why you don't want javascript sent to you to execute.
Less seriously - it makes it trivial for a spammer to verify that someone i
Re:Security flaw? (Score:2)
It says that when you send an email from gmail, the code is removed. When you send it from Yahoo, the code executes right in the gmail inbox preview. The fact that javascript from the email executes in the gmail inbox is the security hole - anybody can email javascript to you and it will execute without your permission.
But anyway, the hole must be fixed, I can't reproduce the problem, either.
Re:Security flaw? (Score:2)
Re:Security flaw? (Score:2)
Re:Just one flaw (Score:3, Interesting)
If you can get somebody to execute Javascript of your choosing in the security context of the gmail.com domain, then you can fairly easily write a worm that reproduces by emailing itself to everybody in your contacts list. A worm like that does stand a chance of bringing down the system.
Re:In other news... (Score:2)
Re:In other news... (Score:2)
Re:In other news... (Score:2)
Re:In other news... (Score:2)
Re:This is embarrassing (Score:2)
Embarrassed about a typo on /.?
You really must be new here.
Re:How long until he's in Gimto (Score:2)
Re:How long until he's in Gimto (Score:2)
Re:How long until he's in Gimto (Score:2)
Re:How long until he's in Gimto (Score:2)
Re:How long until he's in Gimto (Score:2)
Re:"Reads like a grade-school short story", I said (Score:2)
It doesn't look as though things have made significant advances since then.
Re:What's the issue here? (Score:2)
Re:What's the issue here? (Score:2)
Re:Digg (Score:2)