'High impact' Gmail password security hole blew accounts wide open

Google has fixed a "high impact" security bug in Gmail's password reset system that could have left any account wide open to a crafty hijacker. The flaw, spotted by security researcher Oren Hafif, was exploited by sending a spoofed email that reminds the Gmail user that it's time to reset their password. Clicking on the link …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    That music!

    I think I'll keep replaying this video all night!!!

    1. Tim Parker

      Re: That music!

      "backed by some Euro happy house ... that will have you reaching for the glowsticks and green lasers"

      It had me reaching for something alright....

      1. TitterYeNot

        Re: That music!

        "It had me reaching for something alright...."

        Indeedy. I was just waiting for the 80's to call and ask for their groove back...

  2. codeusirae

    XSS cross-site request forgery ..

    "That hacker-controlled site also initiates a cross-site request forgery attack via XSS that tricks Google into handing over the victim's login cookie."

    I thought the hack tricks the browser into handing over the login cookie?

  3. Cliff

    Exactly how bug bounties should work

    Someone spots an exploit, tells the company, they fix it, they give the person some cash.

    Hope it was decent cash, it was a decent catch after all.

  4. d3rrial

    Uhm?

    Isn't that how phishing works? I mean, what could Google possibly do to prevent phishing mails like this? Also I doubt that this is a bug in their system, and much rather a bug in their users...

    1. ratfox

      Re: Uhm?

      There are not a lot of details, but there must be more to it than phishing. The link in the phish looks like a legit google.com address, protected by https and all. There must be some more serious trickery behind the scenes.

      1. FromTheRoot

        Re: Uhm?

        A typical "phishing" attempt just expects to get the username and password from a user by mirroring the look of the site - this particular hack was doing this but also subverting all of Google's other failsafes (2-step etc.) by also fooling Google's backend servers into giving it a login cookie when it really should not have been giving one, hence the bug - perhaps by also mirroring Google's request for this login cookie in a way that successfully fooled their systems... Security isn't my day job (although I.T. certainly is!), but it was more than your typical "phishing" attempt; as others have noted, though, it still would have required somebody to actually click the link in the initial e-mail...

        Losing control of your e-mail account (especially your Google account), for me, means almost losing my current identity. I am looking for ways to shift that control back to myself, perhaps by having my own Linux mail server and then using this address instead of Google's, meaning I can choose what information I might want to send to Google (for the convenience and use of their excellent software...), and all e-mails initially arrive at an address other than the one I publicise.

        Of course this then leaves my servers open to the WWW and I then have to secure this myself...

  5. Barry Rueger

    Been There. Didn't Do That.

    I believe that e-mail hit my in-box last week? Ignored it of course.

  6. Anonymous Coward

    Worthless phish. Unless...

    Unless the user was so stupid as to not have opted into 2-step verification after how many hundreds of warnings and reminders by Google?

    These are the same people who think that 2-step verification is too much trouble on their banking website.

    What did the comedian Ron White say? "You can't fix stupid".

    1. Anonymous Coward

      Re: Worthless phish. Unless...

      Well, maybe if my bank hadn't specifically promised, on every screen, that it would never require the card reader to log in, this could be easily improved in my case.

    2. Tom 13

      Re: 2-step verification is too much trouble on their banking website.

      Well, in the US it is pointless. Maybe you Brits have real 2-step verification, but at least as implemented in the US, a man-in-the-middle attack subverts it. First I log in with my 4-digit PIN, then it puts up a screen and asks for my password. Which as far as I'm concerned is just a disjointed long password. If you've clicked on the phishing link and I've popped up the fake screen, I just run a separate session to send the info to the bank. When the bank shows your private picture and word phrase, I pass them to you. I can see how "I log in and it sends a code to my phone or email account that I then have to type in to complete the transaction" would work, but not the crap they call 2-factor over here.

  7. John Smith 19

    Fix a major security hole in their complimentary email service.

    Remember people.

    It's Gmail.

    The security hole is you're using it.

    1. DryBones

      Re: Fix a major security hole in their complimentary email service.

      Wow. There's something that couldn't be applied to lots of other companies like Facebook- oh, wait.

      Companies use the information you give them; to think otherwise is naive. At least Google (unlike the NSA and others that do metadata/keyword work) is giving you something for sharing your data, which is to help you organize it and spit back some of the results of its data mining by presenting things of interest to you (maps, weather, sports, local events, search).

      They pay for it by providing companies with a funnel that they can dump their ads into, and have them show up for people that are likely to want to buy them. Companies are not paying to unmask you. They are paying to get their ads shown to those that are most likely to respond to them by buying, thus giving those companies money for their investment.


  8. Pascal Monett

    Fixed it within 10 days?

    Now THAT has to be an industry-wide record.

    Not bashing Google - on the contrary, someone flagged a serious problem, Google assigned it a high priority and IT GOT DONE. Then the useful researcher got his due.

    Which is the way it should be.

    Unfortunately, many other companies should take note of this (eh, Yahoo! ?).
