04-23-2009, 09:53 AM | #1 | ||
Hall Of Famer
Join Date: Dec 2002
Location: Mass.
|
Security issues regarding Web based email (including Gmail vulnerability)
I tried to find a decent way to title this post so as to not cause too much panic.
A new Gmail vulnerability was found last month that can allow a potential breaking in of your account if you happen to have another browser tab open to a "hacker infected" webpage. This new hole is by far more difficult for a hacker to take advantage of or exploit than the previously discovered cross-site scripting exploits that were discovered when you had multiple tabs open. If interested in this topic, there is a pretty decent article here that I feel tries to take the discussion down a level to be understood by more users as well as give some various possible better "usage" practices for users with web based emails: Gmail accounts hacked via unpatched hole |
||
04-23-2009, 10:01 AM | #2 |
Pro Starter
Join Date: Nov 2002
Location: Winnipeg, MB
|
I'm curious if Chrome and IE8's usage of a separate process per tab would render this exploit ineffective?
__________________
"Breakfast? Breakfast schmekfast, look at the score for God's sake. It's only the second period and I'm winning 12-2. Breakfasts come and go, Rene, but Hartford, the Whale, they only beat Vancouver maybe once or twice in a lifetime." |
04-23-2009, 10:08 AM | #3 | |
Hall Of Famer
Join Date: Dec 2002
Location: Mass.
|
Quote:
Do they share cookies across their tabs? I.e., if you log in to a site on one tab and then go to a different tab for that site, do you still stay logged in on the same session? If so, then the same thing applies. This particular exploit is taking advantage of Gmail's change password feature because it only uses a session cookie as the authenticative verifier. As long as the session remains valid across tabs, it can be used to exploit this. Like I said before though, this is far less of a risk than the cross-site scripting vulnerability previously found, which was present in ALL major browsers, since this exploit also requires a brute force attack of some form as well to accomplish it. |
|
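Added example, not part of the thread and not Gmail's code: a server-side sketch of the weakness post #3 describes (a password change accepted on the session cookie alone) next to a handler that also requires a per-session form token and caps wrong guesses. The handler names, the in-memory stores, the lockout threshold and the assumption that the form asks for the current password are all made up for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret
SESSIONS = {}    # session id -> {"user": ..., "failures": ...}
PASSWORDS = {}   # user -> password (plain text only to keep the example short)
MAX_FAILURES = 5  # hypothetical lockout threshold

def login(user, password):
    """Create a session; the returned id is what the browser keeps as a cookie."""
    PASSWORDS[user] = password
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "failures": 0}
    return sid

def csrf_token(sid):
    """Per-session token the site puts in its own form; other sites cannot read it."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()

def change_password_cookie_only(cookie_sid, old, new):
    """Weak: the cookie alone decides whose password changes; guesses are unlimited."""
    session = SESSIONS.get(cookie_sid)
    if session is None or PASSWORDS[session["user"]] != old:
        return "rejected"
    PASSWORDS[session["user"]] = new
    return "changed"

def change_password_hardened(cookie_sid, form_token, old, new):
    """Also require the form token, and cap wrong guesses of the current password."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "no-session"
    expected = csrf_token(cookie_sid).encode()
    if not hmac.compare_digest((form_token or "").encode(), expected):
        return "bad-csrf-token"
    if session["failures"] >= MAX_FAILURES:
        return "locked"
    stored = PASSWORDS[session["user"]].encode()
    if not hmac.compare_digest(stored, old.encode()):
        session["failures"] += 1
        return "wrong-password"
    PASSWORDS[session["user"]] = new
    session["failures"] = 0
    return "changed"
```

A request sent from another tab carries the cookie automatically but not the form token, so the hardened handler rejects it before the current password is even compared.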
04-23-2009, 10:17 AM | #4 |
Head Coach
Join Date: Jul 2001
|
Showing a lack of knowledge on exactly how session IDs and cookies work... is another copy of the browser treated differently than a new tab? If I run Gmail in one copy of Firefox that never opens up new tabs/new sites, and then do all my other browsing and open up all my tabs in a separate instance of Firefox, does that resolve the issue?
|
04-23-2009, 10:20 AM | #5 |
Coordinator
Join Date: Oct 2000
Location: Big Ten Country
|
|
04-23-2009, 10:25 AM | #6 | |
Hall Of Famer
Join Date: Dec 2002
Location: Mass.
|
Quote:
Same answer that I gave above probably. If you can open a new window of Gmail in the other copy of Firefox and it still uses the previous session cookies, then you are still at risk. I don't personally know how the different browsers handle different windows, so don't want to mislead anyone. I know with the Firefox 3.1 beta they have a mode called "Private browsing" that they set up to protect against cross-site scripting vulnerabilities that you can use to ensure no cookies get carried over to other sessions at all. I don't believe that is in the current release Firefox browser (it might be, I'm not sure). I should have totally titled this thread that, but then everyone would think it is a script for a new movie. |
|
04-23-2009, 11:50 AM | #7 |
Coordinator
Join Date: Nov 2003
Location: The Great Northwest
|
I think they all use the same sessions, since if you are logged in on one you can open another tab and you are still logged in.
|
04-23-2009, 12:12 PM | #8 |
Grizzled Veteran
Join Date: Oct 2000
Location: Wisconsin
|
Thank god I just have a hotmail account.
__________________
You, you will regret what you have done this day. I will make you regret ever being born. You're going to wish you never left your mother's womb, where it was warm and safe... and wet. I am going to show you pain you never knew existed, you are going to see a whole new spectrum of pain, like a Rainboooow. But! This rainbow is not just like any other rainbow, it's... |
04-23-2009, 01:24 PM | #9 |
Coordinator
Join Date: Sep 2004
Location: Chicagoland
|
I miss the Internet of 1991 (when I was first introduced to it).
|
04-23-2009, 01:57 PM | #10 | |
Hall Of Famer
Join Date: Dec 2002
Location: Mass.
|
Quote:
You enjoyed that tn3270 session to look through Minnesota's gopher server for good sites to download the original DOOM from? Be warned though, that 1MB file download takes several hours to download via xmodem. |
|
04-23-2009, 01:59 PM | #11 |
Coordinator
Join Date: Sep 2004
Location: Chicagoland
|
Dude, gopher was awesome.
|
04-23-2009, 02:08 PM | #12 | |
Pro Starter
Join Date: Jan 2004
|
Quote:
I can confirm they do use the same session cookie. This was an exploit I have used in a past organization where I was an ethical hacker. |
|
04-23-2009, 02:14 PM | #13 | |
Coordinator
Join Date: Nov 2003
Location: The Great Northwest
|
Quote:
Give me back Lynx. |
|
04-23-2009, 02:20 PM | #14 |
This guy has posted so much, his fingers are about to fall off.
Join Date: Nov 2000
Location: In Absentia
|
Although I've had a GMail account as my primary email address for at least 4-5 years, I rarely, if ever, check it online. I mostly read it on my BB, and then either delete it then or download it straight to my home computer and mess with it there. I really have no reason to go to gmail.com.
__________________
M's pitcher Miguel Batista: "Now, I feel like I've had everything. I've talked pitching with Sandy Koufax, had Kenny G play for me. Maybe if I could have an interview with God, then I'd be served. I'd be complete." |
04-23-2009, 02:22 PM | #15 |
Hall Of Famer
Join Date: Dec 2002
Location: Mass.
|
I still use lynx all the time, that really isn't outdated at all. I often have network devices that are on Linux-based platforms that I have to configure remotely but use a web GUI. So I have to console in and configure via a text-only web GUI to provide them the correct network information to be alive on the network before I can finish configuring them via a normal web browser over the network. |