Hackers hit Google users

World Wide Web golden child Google has been caught out by hackers and forced to fix ID theft and privacy problems. Since releasing its extremely successful search engine, the company has branched out by offering more services. That should be good news considering its spotless image; however, it seems to be suffering from a lack of pre-release security testing.

On 30th October, Google fixed a security hole in its webmail service, Gmail, which allows users to store 1 gigabyte of email. The exploit allowed full access to a user's email account.

Using a cross-site scripting link, the victim's cookie file could be stolen, allowing the thief to identify himself or herself to Gmail as the owner of the email account without needing a password. Even if the victim changed the password afterwards, it made no difference. Cross-site scripting exploits are a favourite of criminals who use phishing scams to lure victims. Practical application of cross-site scripting, or 'XSS', is covered in 7Safe's "Hacking Insight: Hands-on 2" training course, should readers wish to understand it more thoroughly.

Israeli hacker Nir Goldshlagger, who discovered the problem, explained to Nana NetLife Magazine: "The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won't stop the hacker from using his box."
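The failure Goldshlagger describes is a property of how the session cookie is handled server-side, not of the password. The following is an added example, not code from the article, from Google or from 7Safe: a hypothetical, self-contained session store in Python that models the weak behaviour (a stolen session cookie still authenticates after the password changes) beside the two fixes a defender wants, namely revoking every session for the user when the password changes, and marking the cookie HttpOnly and Secure so page scripts cannot read it and it only travels over HTTPS. The usernames, passwords and class names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical session store for illustration (not Gmail's design).
class SessionStore:
    def __init__(self):
        self.users = {}     # username -> (salt, password_hash); constructed data
        self.sessions = {}  # session_id -> username

    @staticmethod
    def _hash(salt, password):
        # Salted, iterated hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(salt, password))

    def login(self, username, password):
        """Check the password and return a Set-Cookie header value, or None."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(salt, password)):
            return None
        sid = secrets.token_urlsafe(32)          # unguessable session id
        self.sessions[sid] = username
        cookie = SimpleCookie()
        cookie["SID"] = sid
        cookie["SID"]["httponly"] = True         # not readable via document.cookie
        cookie["SID"]["secure"] = True           # only sent over HTTPS
        cookie["SID"]["path"] = "/"
        return cookie.output(header="").strip()

    def authenticate(self, cookie_header):
        """Resolve the SID in a request's Cookie header to a username, or None.
        Whoever presents a valid SID is treated as that user: no password is
        involved, which is exactly why a stolen cookie is so valuable."""
        cookie = SimpleCookie()
        cookie.load(cookie_header)
        morsel = cookie.get("SID")
        if morsel is None:
            return None
        return self.sessions.get(morsel.value)

    def change_password(self, username, new_password, revoke_sessions=True):
        """Set a new password. With revoke_sessions=True every live session
        for the user is dropped, so a previously stolen cookie dies with it."""
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, self._hash(salt, new_password))
        if revoke_sessions:
            self.sessions = {s: u for s, u in self.sessions.items() if u != username}


def demo(revoke_on_change):
    """Return (who the cookie authenticates as before the password change,
    who it authenticates as after). Constructed scenario."""
    store = SessionStore()
    store.register("alice", "correct horse")
    set_cookie = store.login("alice", "correct horse")
    # The request-side Cookie header is the name=value part of Set-Cookie;
    # a copy of it in anyone else's hands authenticates as alice.
    cookie_header = set_cookie.split(";", 1)[0]
    before = store.authenticate(cookie_header)
    store.change_password("alice", "new passphrase", revoke_sessions=revoke_on_change)
    after = store.authenticate(cookie_header)
    return before, after


if __name__ == "__main__":
    print("no revocation:", demo(False))   # cookie keeps working: ('alice', 'alice')
    print("with revocation:", demo(True))  # cookie is dead: ('alice', None)
```

Run with `python3 session_demo.py`. The first line reproduces the situation the article describes, where changing the password changes nothing about the stolen cookie's validity; the second shows the behaviour a service should have. HttpOnly does not stop every form of cookie theft, but it removes the direct `document.cookie` read that a script-injection link relies on, and server-side revocation limits how long any stolen session remains usable.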

It goes without saying that online services such as Gmail really should undergo security testing (application penetration testing) for bugs like this before release. Google quickly fixed this particular security exploit after it was discovered.

To rub salt into its wounds, the first security hole in Google Desktop Search was also made public. It allowed third-party websites to view the results of searches made on your local hard drive.

Software developer Jim Ley, who maintains jibbering.com, announced the flaw on his weblog, but not many people took notice. Then, when he decided to email security@google.com to advise them directly, the email bounced right back. With no obvious telephone number to use, Jim decided to demonstrate a potential application of the bug: a phishing exploit that announced that Google was becoming a subscription service and invited the victim to enter their credit card details. Despite this, there was still no response from Google.

However, when he posted the vulnerability on the BugTraq mailing list (used by security experts and malicious hackers alike as an information source) in late October, the big G finally responded. Google was at a loss to explain why it didn't have a working email or phone contact for security alerts but, according to Jim, seemed anxious that he remove his phishing example.

Alan Phillips, 7Safe Information Security
November 2004