Google's Gmail service suffers from security flaws that make it trivial for attackers to create authentic-looking spoof pages that steal users' login credentials, a security expert has demonstrated. Google Calendar and other sensitive Google services are susceptible to similar tampering. A proof-of-concept (PoC) attack, …
Maybe I'm being dumb but
the page (alleged exploit) you link to appears not to be https and has no padlock in the browser, despite being the kind of page where sensible people might understandably want to see a padlock and/or https.
Now, I don't use googlemail and I'm not a web expert but when I went to mail.google.com I got https: in the address bar and a padlock in the status bar.
Did the author of the article try this?
Did the author of the article consider this?
Is there any real significance of this exploit in the bigger picture? E.g. what kind of person would be fooled by this alleged "exploit", and if the victim can't tell the difference between secure and insecure why do they deserve an Interweb driving licence anyway?
Or have I misunderstood?
Have a nice weekend.
As per the first comment, "Don't feed the troll". He's not going to read your responses anyway.
What would Jesus have said?
Give a man a fish, you feed him today.
Teach a man to phish...
@Dumb Jodo Kast
I kinda like feeding trolls, and you know if it walks like a troll and it quacks like a troll, then you be needing feeding.
The upper frame is the problem here, if the person can get that to not display, then fine there is grounds for concern, though HTTPS is the thing you should be looking at.
And I suspect they cannot drop the top frame, so is it a problem? I would imagine anyone trying it on would get detected by Google who would probably prosecute.
Oh and just so you know, there is a loose and fast league of ACs around these parts, an attack on one is an attack on all, think of us as being like NATO.
@ Anonymous Coward : You over-estimate the general populace. How many people get infected with spyware/malware/viruses every day? How hard is it to think - "Do I really want to install this thing I didn't ask for that popped up in my face? yes/no" /click yes anyway.
If you try to use HTTPS the web page will error with an invalid security cert. because the page is not what gmail.com is serving.
@ Andrew Langhorn : He was doing a proof of concept - reproducing the web page with malicious code.
The wisdom of crowds (and journalists)
If there is a basic, fundamentally obvious, difference (padlock/https) between the real thing and the fake, one which could make the fake largely pointless, surely the article should have mentioned it? (Does it mention it?)
Whether or not Surfing Jo Public would notice this difference is a very fair question, which would also have been worth a mention in the original article.
Basically the same XSS vulnerability was submitted to XSSED.com over a year ago.
Old news indeed :)
@Maybe I'm being dumb but...
"if the victim can't tell the difference between secure and insecure why do they deserve an Interweb driving licence anyway"
I supplement my income by offering a "Home Computer MOT service" to staff at work. I can honestly swear that none of them would notice. In my book you shouldn't be able to have a computer, never mind Internet access without being able to demonstrate that you're not a clueless idiot. The flipside being that if this wasn't the case, then I'd have less beer money.
Them's the breaks.
I'm with Nauip on this one.
This has been there for ages
You've been able to fake a "comments" line in Blogger for ages. Because Blogger logins are Google logins, this allows Google credentials to be easily captured.
I think the problem is that the Google login covers a range of stuff from blog comments (where one doesn't really care that much about being cracked) through to email and payment facilities.
Plus user-generated content is what they're all about.
They should really sell/give away a really easy to use two-factor authentication dongle.
In all honesty...
...this bug is one of the less severe variety.
If you're idiotic enough to put your credentials into a page that has a "Below is the image in its original context on the page" banner at the top then you deserve to be scammed full stop. I really really wish El Reg would stop jumping onto the 'bug bandwagon' that's been going around lately and stop advertising these idiot "security researchers". They're bums!