Teenage Blogger Finds Gmail Hole
cpm80 wrote to mention the news that a 14-year-old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."
Re:Security flaw? (Score:2, Insightful)
The preview pane is what you see before you read the message (when the list of messages is displayed - e.g. your Inbox).
Gmail security can be over aggressive too (Score:3, Insightful)
I'm all for Google not doing stupid things on their web interface, but I don't think they should be encouraged to be even more aggressive and invasive as to what we send and receive in our e-mail. Claiming you are doing this for the users' protection just assumes that all of your users are idiots, and if you build a system that repeatedly makes that assumption then eventually all of your users will be idiots, as you will drive the others away.
Re:Email is probably the wrong tool for this task (Score:3, Insightful)
Stop The Presses!!! (Score:3, Insightful)
Re:Gmail security can be over aggressive too (Score:3, Insightful)
No.
Why don't you stop telling people how to use their computers? I want to email executables to people on occasion. It's easy. It works. Well, normally it works, unless you're using Gmail.
if you take the story at face value, (Score:3, Insightful)
Re:So the attention grabber headline is... (Score:2, Insightful)
*sigh*... All of the thoughtful, serious replies I've given to /. topics, and my first +5 comes from a crack like this.
(No pun intended.)
Re:Gmail security can be over aggressive too (Score:3, Insightful)
Sometimes they want to send zip files with .exe files in them, too, but you can't do that either. If I want to just dash a zip file with an installer (or just a program that doesn't require installation, just unpacking) off to someone, I have to rename the zip file extension, and then they have to rename it, or I have to go into the zip file and rename the .exe, which they have to rename. It's not that I'm not capable of it, because clearly I am - I can string words together into sentences, and have more than two neurons to rub together - but that I think it's lame. At the very least I should have a configuration option I can use to turn off that behavior.
Why should I have to fuck around just because people are stupid? The best reason to block .exe attachments outgoing is to stop worms from propagating. However, worms can pick a filename for an .exe like .exe.delete-this-extension just like anyone else can, so it won't help there, it only causes people to modify their tactics. Also, Google shouldn't be susceptible to spreading a worm attack (barring JavaScript FUBARs) because you can't run code on Gmail anyway.
A better behavior would be to harass people who download .exes and tell them that they may summon satan all over their hard drive, so that those of us who have legitimate reasons to send them aren't punished for the stupidity of others.
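The comment above observes that blocking attachments by file name is defeated by renaming, which is why mail filters inspect content instead. The following is an added example (not part of the original thread, and not Gmail's actual filter) that finds Windows executables inside zip attachments by their header bytes; the size cap, depth limit and sample file are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumed cap; skip members declaring more than this
MAX_DEPTH = 3                        # assumed limit on nested archives

def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_executables(name, data, depth=0):
    """Return paths of Windows executables in an attachment, judged by content."""
    if looks_like_pe(data):
        return [name]
    hits = []
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                if info.flag_bits & 0x1:  # encrypted member: cannot be inspected
                    hits.append(f"{name}!{info.filename} (encrypted, uninspected)")
                    continue
                hits += find_executables(f"{name}!{info.filename}", zf.read(info), depth + 1)
    return hits

def make_sample() -> bytes:
    """Constructed sample: a zip holding a stub PE header under a non-.exe name."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe.delete-this-extension", stub)
        zf.writestr("readme.txt", "MZ is also how this text file starts")
    return buf.getvalue()

if __name__ == "__main__":
    # The outer file name is renamed too, as in the comment; neither name matters.
    print(find_executables("installer.zip.renamed", make_sample()))
```

Encrypted members are reported rather than skipped, since a filter that cannot read a member cannot vouch for it.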
Re:-- oh and that they read Digg... :-) (Score:2, Insightful)
Re:-- oh and that they read Digg... :-) (Score:3, Insightful)
Some examples from the front page of Digg.com:
--"Women will get sterile just looking at you", Star Wars fans uncool??
A man was so bold as to blog that being a hard core Star Wars fan is social suicide. He backed up his statement with some hilarious convention pics and captions.
--Hidden task killer in Windows XP!
Most people probably know that Windows XP comes with a darn useful task killer. Lets you kill anything automatically!
--Zombie MMO???
A buddy of mine just forwarded me this link. Turns out the name mean lifeless in Latin. Does anyone know anything about this? I'm a HUGE Zombie and HUGE MMO fan!!!
--EA's Exclusive Contract With The NFL May Be Voided!
If the dispute between the NFLPA and the NFL continues then anti-trust rules will apply. If this happens then EA's contract is null and void!
--LEGO brick USB drive
The perfect USB drive. Why doesn't LEGO sell these?
So what is Digg? A news site, or a place for geeks to dump their filth? Sorry, I don't go out of my way online to read garbage, and that includes teasers written by retards. And I'm not even going to bother replicating some of the comments here.
Re:Gmail security can be over aggressive too (Score:2, Insightful)
Complete straw man, drinkypoo suggested nothing of the sort.
The _sacrifice_ in security is the use of insecure clients and/or insecure OSes. Bits are bits, bytes are bytes, no bits or bytes are more insecure than any other bits or bytes - it's the actions performed on those bits or bytes that can be insecure.
The lazy people are the people who don't go to enough effort to install secure software.
FP.