Gmail and the 'traps'
I am a fan of gamil. I love it. Now, I read all these reports of security holes in gmail, that it's vulnerable to "hacker" attacks and that gets me thinking whether all the people who read such reports actually understand them.
This report actually explains the exploit. The task is very simple. Let me run doen the points for all:
Gmail stores a cookie in the users' computer to identify them. Now whoever has this cookie on his computer can imitate to be the rightful user to Gmail. So "hackers" exploit the security hole in the service's user identification to grab this cookie.
What's interesting is that if a user changes his password later, he is still not safe 'coz the "hacker" still has the same cookie as you. Quoting from the report "The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won't stop the hacker from using his box".
The only thing the "hacker" needs is your userid. Like I explained in my previous post, WWW is saturated with good ids, so it is not a huge task to guess ids.
Google has now said that this threat has ben taken care of and that the "hole" has been shut. Phew. I won't suggest folks to stop using gmail on this account, 'coz look at the bright side, the hole got fixed quickly. But such threats become even more threatening because they provide for easy identity theft.
This report actually explains the exploit. The task is very simple. Let me run doen the points for all:
Gmail stores a cookie in the users' computer to identify them. Now whoever has this cookie on his computer can imitate to be the rightful user to Gmail. So "hackers" exploit the security hole in the service's user identification to grab this cookie.
What's interesting is that if a user changes his password later, he is still not safe 'coz the "hacker" still has the same cookie as you. Quoting from the report "The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won't stop the hacker from using his box".
The only thing the "hacker" needs is your userid. Like I explained in my previous post, WWW is saturated with good ids, so it is not a huge task to guess ids.
Google has now said that this threat has ben taken care of and that the "hole" has been shut. Phew. I won't suggest folks to stop using gmail on this account, 'coz look at the bright side, the hole got fixed quickly. But such threats become even more threatening because they provide for easy identity theft.
posted by LinuxLala at
3:55 PM
