Thursday, April 23, 2009

Exploits allowing hackers to break into Gmail accounts

Gmail accounts hacked via unpatched hole

Exploits allowing hackers to break into Gmail accounts are likely to occur, if they're not already circulating, after security researchers released details of a hole that Google has reportedly declined to patch.

There are steps you can take to reduce the risk of using a webmail account, but it appears that the usual tricks won't solve the Gmail problem until Google fixes the software.

The weakness that researchers say afflicts Gmail, belongs to a class of attacks known as cross-site request forgery (CSRF).

Besides Gmail, CSRF holes affecting YouTube, Netflix, and NYTimes.com have also been found and repaired in the past. A CSRF attack does not intercept anything. It abuses the fact that your browser automatically attaches the cookies it holds for a site to every request it sends to that site, whatever page caused the request. A malicious page you happen to have open in another tab can therefore make your browser submit a form or request to the webmail site, and the server, seeing your valid session cookie, treats it as your own action, such as a request to change your password.

The first report of the Gmail problem within security circles was written by Vicente Aguilera Díaz of Internet Security Auditors (ISA) on July 30, 2007. The next day, ISA issued an alert and included a proof of concept illustrating how the exploit could be used to change a Gmail account password.
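To make the mechanism behind a password-changing CSRF concrete, here is an added example written for this page; it is not the researchers' proof of concept and not Google code, and the host name mail.example, the /change_password and /settings paths, the cookie name SID and the account "alice" are all assumptions. It models a browser that attaches cookies automatically, a webmail server whose password-change handler trusts the cookie alone, and the same server hardened with a per-session token that only the site's own settings page hands out. An attacker's page can trigger the request but cannot read the token, so the forged request fails.

```python
import secrets


class WebmailServer:
    """Constructed stand-in for a webmail site (not Gmail's code).

    A session cookie identifies the logged-in user. With require_token=False
    the password-change handler trusts the cookie alone, which is the CSRF
    weakness; with require_token=True it also demands a secret token that
    only the site's own settings page hands out.
    """

    def __init__(self, require_token):
        self.require_token = require_token
        self.passwords = {"alice": "correct horse"}   # constructed sample account
        self.sessions = {}                             # session id -> {"user", "csrf"}

    def login(self, user, password):
        if self.passwords.get(user) != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def handle(self, method, path, form, cookies):
        session = self.sessions.get(cookies.get("SID"))
        if session is None:
            return 401, "not logged in"
        if method == "GET" and path == "/settings":
            # A real settings page would embed this token in a hidden form field.
            return 200, {"csrf": session["csrf"]}
        if method == "POST" and path == "/change_password":
            if self.require_token:
                supplied = form.get("csrf", "")
                # Constant-time compare so the check leaks nothing about the token.
                if not secrets.compare_digest(supplied, session["csrf"]):
                    return 403, "missing or bad CSRF token"
            self.passwords[session["user"]] = form["new_password"]
            return 200, "password changed"
        return 404, "not found"


class Browser:
    """Minimal browser model: cookies set for a host ride along on every
    request to that host, no matter which page built the request."""

    def __init__(self):
        self.cookies = {}   # host -> {name: value}

    def set_cookie(self, host, name, value):
        self.cookies.setdefault(host, {})[name] = value

    def request(self, host, server, method, path, form=None):
        return server.handle(method, path, form or {}, self.cookies.get(host, {}))


def attacker_page(browser, host, server):
    """Models a hidden, auto-submitting form hosted on the attacker's site.
    The attacker's page never sees the victim's cookie; the browser adds it."""
    return browser.request(host, server, "POST", "/change_password",
                           {"new_password": "pwned"})


def forged_change(require_token):
    """Victim logs in, then visits the attacker's page. Returns the status the
    forged request got and the password the account ends up with."""
    server = WebmailServer(require_token)
    browser = Browser()
    sid = server.login("alice", "correct horse")
    browser.set_cookie("mail.example", "SID", sid)
    status, _ = attacker_page(browser, "mail.example", server)
    return status, server.passwords["alice"]


def legitimate_change(new_password):
    """The user's own flow on the hardened server: load the settings page,
    then submit the form together with the token that page contained."""
    server = WebmailServer(require_token=True)
    browser = Browser()
    browser.set_cookie("mail.example", "SID", server.login("alice", "correct horse"))
    status, page = browser.request("mail.example", server, "GET", "/settings")
    assert status == 200
    status, _ = browser.request("mail.example", server, "POST", "/change_password",
                                {"csrf": page["csrf"], "new_password": new_password})
    return status, server.passwords["alice"]


if __name__ == "__main__":
    print("unprotected:", forged_change(require_token=False))   # (200, 'pwned')
    print("token check:", forged_change(require_token=True))    # (403, 'correct horse')
    print("legit:      ", legitimate_change("new and longer"))  # (200, 'new and longer')
```

The token must be unpredictable, tied to the session, and carried in the request body or a header rather than in a cookie; anything the browser sends automatically is exactly what the attacker already gets for free. Encrypting the connection changes nothing here, because the forged request travels over the victim's own https session.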

After more than a year during which, according to ISA, Google was repeatedly contacted privately about the problem, the researchers publicly released a detailed description of the exploit on March 3, 2009, according to a Secure Computing article.

CSRF attacks, also referred to as session riding, are different from the more widely known cross-site scripting (XSS) exploits. An XSS hole lets an attacker inject JavaScript into a page served by the vulnerable site itself, so the script runs in that site's security context in your browser, where it can read the page, anything you type into it, and often the session cookie, and transmit that data back to the attacker's server. CSRF needs no script on the target site at all: the attacker's own page simply causes your browser to send a request that the target site cannot distinguish from one you made yourself.

XSS vulnerabilities have recently been discovered and patched in many browsers and on many sites, including Yahoo Mail and Hotmail as well as Gmail.

Google, Yahoo, and other Internet services cover themselves by stating that you use the services at your own risk. A major threat of using any webmail service is that a hacker could swipe or guess your password and take over your account. Fortunately, the Big Three webmail services, Gmail, Yahoo Mail, and Hotmail, and many other Web sites protect their sign-in sessions using Secure Sockets Layer (SSL) encryption. SSL encrypts the traffic between your browser and the server, so a password sent over an https connection cannot be read by anyone sniffing the network.

Using https protects against traffic sniffing and man-in-the-middle attacks on the connection, but it does nothing against CSRF: a forged request rides over the same encrypted session with the same cookies, so the server accepts it just as readily. Enable it anyway, regardless of whether Gmail's CSRF hole is ever patched. To benefit from encryption whenever you access Gmail, configure the service to use SSL by default: click Settings in the top-right corner of the main Gmail window, select "Always use https" in the "Browser connection" section at the bottom of the General tab, and click Save Changes. My advice to all my readers is to start taking advantage of this service to keep yourself protected from such incidents.

