The exploit, similar to the one David Airey was a victim of in December 2007 when his site was hijacked, caught our attention thanks to Philipp Lenssen's post this morning over on Blogoscoped. While the general consensus is that Google had fixed the vulnerability, it turns out it's still there.
How the Gmail Exploit Works
It begins when you visit a malicious site while logged into Gmail. Whether or not you reached that site through a link in your Gmail account, it can issue requests to Gmail that your browser authenticates with your logged-in session.
The malicious site can then, unbeknownst to you, create a filter that automatically diverts your e-mail to a different e-mail account. Because all of this happens on Google's mail servers, you are none the wiser until you look at your filters. A detailed write-up of the process is available at GeekCondition: Gmail Security Flaw Proof of Concept.
Along with gaining access to private messages, this exploit, once in place, compromises all future e-mails in your Gmail account. MakeUseOf points out that if your Gmail address is registered as the contact address for any of your domain registrations, your domain can be hijacked and held to ransom: the attacker uses the account recovery and password reset tools on your domain host account, and you never see the recovery e-mails because they are being forwarded away.
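To make the mechanism concrete, here is a small added example (not Google's code and not from any of the posts cited above): a toy mail server with a "create filter" endpoint. The first handler authenticates on the session cookie alone, which is exactly the condition a cross-site request forgery needs, since the browser attaches that cookie to any request aimed at the mail domain regardless of which site started it. The second handler adds an Origin header check and a per-session CSRF token. The cookie name `SID`, the origins, and the forwarding address are all made-up values for the illustration.

```python
"""Toy mail server showing how cookie-only authentication lets a cross-site
form submission create a mail filter, and how an Origin check plus a
per-session CSRF token blocks the same request.  Everything here is an
assumption for illustration: the cookie name, origins and addresses are
made up and nothing is Google's code."""
from dataclasses import dataclass, field
import hmac
import secrets

TRUSTED_ORIGIN = "https://mail.example"   # assumed origin of the mail UI


@dataclass
class Session:
    user: str
    csrf_token: str                       # secret a third-party page cannot read
    filters: list = field(default_factory=list)


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict


SESSIONS: dict = {}                       # cookie value -> Session (in-memory store)


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = Session(user=user, csrf_token=secrets.token_hex(16))
    return cookie


def create_filter_vulnerable(req: Request):
    """Authenticates on the session cookie alone.  The browser attaches that
    cookie to any request aimed at the mail domain, whichever site started it,
    so a hidden form on a malicious page is enough to add a filter."""
    sess = SESSIONS.get(req.cookies.get("SID"))
    if sess is None:
        return 401, "not logged in"
    sess.filters.append({"match": req.form["match"],
                         "forward_to": req.form["forward_to"]})
    return 200, "filter created"


def create_filter_hardened(req: Request):
    """Same endpoint with two independent CSRF defences."""
    sess = SESSIONS.get(req.cookies.get("SID"))
    if sess is None:
        return 401, "not logged in"
    # Browsers add an Origin header to cross-site POSTs; anything that did not
    # come from our own UI is refused before the form is even looked at.
    if req.headers.get("Origin") != TRUSTED_ORIGIN:
        return 403, "cross-site request rejected"
    # Synchronizer token: the UI embeds sess.csrf_token in its own form; a
    # third-party page cannot read it (same-origin policy), so it cannot
    # reproduce it.  Constant-time compare avoids leaking it byte by byte.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), sess.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    sess.filters.append({"match": req.form["match"],
                         "forward_to": req.form["forward_to"]})
    return 200, "filter created"


def demo() -> dict:
    """Run a forged and a legitimate request against both handlers."""
    cookie = login("victim")
    form = {"match": "*", "forward_to": "someone-else@example.test"}  # constructed
    forged = Request(cookies={"SID": cookie}, form=dict(form),
                     headers={"Origin": "https://third-party.example"})
    legit = Request(cookies={"SID": cookie},
                    form={**form, "csrf_token": SESSIONS[cookie].csrf_token},
                    headers={"Origin": TRUSTED_ORIGIN})
    return {
        "vulnerable_forged": create_filter_vulnerable(forged)[0],  # 200: filter silently added
        "hardened_forged": create_filter_hardened(forged)[0],      # 403: rejected
        "hardened_legit": create_filter_hardened(legit)[0],        # 200: the UI's own request works
        "filters_now": len(SESSIONS[cookie].filters),              # 2: one forged, one legitimate
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two checks is that they fail independently: the Origin check catches ordinary cross-site form posts, and the token catches anything that manages to arrive without a usable Origin header. Neither defence helps with filters that were created before the fix, which is why the advice below to review your existing filters still stands.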
The Timeline: What is Google Doing About This?
September 25, 2007
GNUCitizen's Petko D. Petkov suggested that Gmail has a security flaw and partially described the cross-site request forgery (CSRF) exploit.
September 28, 2007
GNUCitizen updated the post to include the proof of concept, on the understanding that Google had fixed the flaw.
October 1, 2007
ZDNet published a post by Kaspersky Labs security evangelist Ryan Naraine stating that the exploit had been patched, but still recommending, at Google's suggestion, that people check their filter lists, because the patch did not remove filters that had already been planted.
November 20, 2007
David Airey's site is hijacked, redirected and held to ransom. Airey claimed it was the result of the Gmail exploit exposed by GNUCitizen in September.
November 2, 2008
The bad guys hijacked MakeUseOf's domain and redirected it to a parked domain. Editor-in-chief Aibek confirmed the attack, saying that the hackers gained access to the domain information by setting up a forwarding filter in Gmail.
What to do about it
Aibek, in a more recent post, details the hijacking of MakeUseOf and offers four suggestions:
- Check your filters and disable IMAP
- Stop using Gmail as the contact e-mail for sensitive information (and change e-mail details on any current sensitive accounts)
- When registering domains, ensure you upgrade to private registration
- Don't open links in e-mails from people you don't know, or log out of Gmail first.
Geekamongus also recommends encrypting your browser connection, an option available on the main settings page in Gmail.
Remember, opening a new tab, or even a new instance of the same browser, is ineffective and still leaves you open to attack, because the new window shares your Gmail session cookie. In a discussion over on YCombinator, one suggestion for Firefox users is to use Gmail in a separate browser profile. You could also consider using a different browser altogether when logged into Gmail.
Clearly this is an ongoing problem, but what isn't apparent is whether this is a new exploit or just the original one that was never resolved. Either way, you should make a point of reviewing the filters on all of your Gmail accounts to make sure the only filters in place are the ones you created.
Here at RWW, we love Google's Gmail, and have written about it often. We've also discussed Google's lack of response to complaints, and the unfortunate things Google has done with Gmail in the past. However, we'd like to think e-mail security sits somewhere at the top of Google's list of priorities.
Of course, it wouldn't hurt if ISPs everywhere decided to offer private registrations as standard without an additional charge, but that's another story.
Since publishing this post we have been in contact with a Google spokesperson who gave us this quote:
"We're trying to reach the blogger making this claim for more details, but we haven't seen evidence that this would be specific to Gmail -- we use standard industry methods for protecting cookies, similar to most web services using HTTP. In fact, we offer additional protection by offering the option of a secure connection (HTTPS) throughout the session for free."