Teenage Blogger Finds Gmail Hole

cpm80 wrote to mention the news that a 14 year old blogger has identified a security hole in the Gmail webmail service. From the Network World article: "He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane, he wrote. But if the code is mailed from one Gmail account to another, it is filtered out, he said. Some visitors to the blog reported being able to replicate the findings, but others said later that they were not able to and that the supposed flaw had been fixed."

Re:Security flaw?

[triptolemus]

You're not dense, the article is...

He wrote that he was trying to e-mail JavaScript code from a Yahoo account to a G-mail account. The code will run in a preview pane...

in *a* preview pane... what preview pane... where? Yahoo's preview pane? How is that google's problem?

I'm totally confused...

Not surprising

[Bogtha]

Google have shown repeatedly that they don't understand how to deal with Javascript securely. Example [jibbering.com].

Re:Just one flaw

[Bogtha]

it's not like there's a risk of taking down the system with this single bug

If you can get somebody to execute Javascript of your choosing in the security context of the gmail.com domain, then you can fairly easily write a worm that reproduces by emailing itself to everybody in your contacts list. A worm like that does stand a chance of bringing down the system.

Email is probably the wrong tool for this task

[WebCowboy]

Gmail blocks outbound attachments with exe files, even when those files are included inside zip files.

Google is RIGHT in doing such filtering, although perhaps they should make it clear to users up front on its filtering policies rather than waiting for them to discover it for themselves. Besides, even if outbound executable attachments are blocked how many corporate systems permit them inbound? My employer blocks inbound executables unless you're in certain departments, and the majority of our clients do as well. These systems are getting very smart too--they analyse the actual content of the file rather than the extension and even if you rename your .exe to .abc, ZIP it and rename the .zip extension .xyz our system will check the header content of the files' data and determine it is a ZIP, then extract the files inside to examine THEM if that is how you configure it.

The point is that email was not designed for file transfer and probably will never be the best tool for that purpose. Unfortuantely it cannot always be avoided but it should be whereever possible. If email was seen as a good way to transfer files then FTP wouldn't have been invented--people would've extended email to do it from the start. Since FTP is still around today and is now extended to secure FTP with SSL encryption and authentication THAT is the tool that professionals should use to send such files (that is what I do anyways).

There are some cases where email is the most convenient, such as for non-executable documents (I avoid sending .docs since I consider then "executable"--I send PDFs instead), smaller files and so on. For dealing with more novice users I send an email with the link to the file to click, and for getting files from them I set up a simple HTTPS "gateway" with a file submission form. Just as simple as attachments (for the client anyways) and more secure.

I don't think GMail and other mail systems need to be "fixed"...I think that people have to get out of the mindset of using email to exchange files. Use secure FTP or even HTTPS...or even better for big files use Bittorrent. It annoys me when people complain about limits on email attachments just like it annoys me when people use Excel to create "databases". At least learn to use MS Access dammit...it isn't THAT hard!