marretas

Gmail Exploit: Discovered By 14-Year-Old Boy


Anthony shows in a blog the Gmail exploit he discovered. He said that he tried to send JavaScript messages to his own Gmail mailbox and he discovered that that small code was really executed. This kind of failure allows any person to steal data, mail addresses, information etc. Gmail has already corrected this exploit, though.

Anthony's Blog

Cheers


Who's really and truly surprised that a teenager found this? I'm not. Teens are always into something. Fortunately, a lot of them - the ones we don't hear about in the news or talk about - are into something that's actually productive ... or at least not destructive. Like this kid's interesting discovery.

As for Google: I don't suppose we should expect perfection from them, but it would be nice to know that the e-mail accounts are at least reasonably secure.


Who's really and truly surprised that a teenager found this?
I'm not. Teens are always into something. Fortunately, a lot of them - the ones we don't hear about in the news or talk about - are into something that's actually productive ... or at least not destructive. Like this kid's interesting discovery.
As for Google: I don't suppose we should expect perfection from them, but it would be nice to know that the e-mail accounts are at least reasonably secure.

Just the other day, my friend must have found this because he also sent me some test emails like that. But the surprising thing was, he tried it again a few minutes later and it didn't work!

Shows you how fast Google is at fixing things! :o

[N]F


Just the other day, my friend must have found this because he also sent me some test emails like that. But the surprising thing was, he tried it again a few minutes later and it didn't work!
Shows you how fast Google is at fixing things! :o

[N]F


Well, I don't understand why people are so obsessed with Google and try to be protective of it...
Google had a flaw in something as basic as a web-based email, that is bad. Instead of accepting it, people give excuses or try to defend Google. If Microsoft had done that same thing, I am sure tens of others would have written dozens of posts condemning the company.

If there is a company or organisation that I can forgive for making mistakes, it is Open Source, since they are already social workers in the first place! Whereas neither Microsoft nor Google work for free. Both suck money.


If there is a company or organisation that I can forgive for making mistakes, it is Open Source, since they are already social workers in the first place! Whereas neither Microsoft nor Google work for free. Both suck money.


I think that most of us cut Google a lot of slack because we, the users, don't pay them for the things that we use (e-mail, Web space, et cetera). Typically, at least for me, I can just say, "Well, it's free, so I can't complain" when something goes wrong.

Besides: Google fixed the coding problem very quickly, which leads me to believe that they're not trying to screw us over even if we *aren't* paying customers.


Just the other day, my friend must have found this because he also sent me some test emails like that. But the surprising thing was, he tried it again a few minutes later and it didn't work!
Shows you how fast Google is at fixing things!

[N]F

True nightfox, but these things shouldn't be happening at all. Google is a very experienced and dependable Search Engine for people all over the world. If things like this start to happen with their e-mailing system then people will not trust Google anymore ... even with their popular Search Engine. But I agree, it is good to see that Google at least knows what's happening and you know how it is nowadays ... people are always protective of their information.

Who's really and truly surprised that a teenager found this?
I'm not. Teens are always into something. Fortunately, a lot of them - the ones we don't hear about in the news or talk about - are into something that's actually productive ... or at least not destructive. Like this kid's interesting discovery.

True. These are the "Kids of the future", they are always on the look out for suspicious things and will do anything to alert the authorities. In this case, the teenager was smart to post this news publicly. At least someone from Google managed to pick this news up! :o

Actually, Gmail does have a lot of flaws, mainly security issues. I'm not sure if this information is completely accurate because I got it from a third-party source or whatever it's called, but here it is.

 

Google offers more storage for your email than other Internet service providers that we know about. The powerful searching encourages account holders to never delete anything. It's easier to just leave it in the inbox and let the powerful searching keep track of it. Google admits that deleted messages will remain on their system, and may be accessible internally at Google, for an indefinite period of time.

 

A new California law, the Online Privacy Protection Act, went into effect on July 1, 2004. Google changed their main privacy policy that same day because the previous version sidestepped important issues and might have been illegal. For the first time in Google's history, the language in their new policy made it clear that they will be pooling all the information they collect on you from all of their various services. Moreover, they may keep this information indefinitely, and give this information to whomever they wish. All that's required is for Google to "have a good faith belief that access, preservation or disclosure of such information is reasonably necessary to protect the rights, property or safety of Google, its users or the public." Google, you may recall, already believes that as a corporation they are utterly incapable of bad faith. Their corporate motto is "Don't be evil," and they even made sure that the Securities and Exchange Commission got this message in Google's IPO filing.

 

Google's policies are essentially no different than the policies of Microsoft, Yahoo, Alexa and Amazon. However, these others have been spelling out their nasty policies in detail for years now. By way of contrast, we've had email from indignant Google fans who defended Google by using the old privacy language - but while doing so they arrived at exactly the wrong interpretation of Google's actual position! Now those emails will stop, because Google's position is clear at last. It's amazing how a vague privacy policy, a minimalist browser interface, and an unconventional corporate culture have convinced so many that Google is different on issues that matter.

 

After 180 days in the U.S., email messages lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. This means that a subpoena instead of a warrant is all that's needed to force Google to produce a copy. Other countries may even lack this basic protection, and Google's databases are distributed all over the world. Since the Patriot Act was passed, it's unclear whether this ECPA protection is worth much anymore in the U.S., or whether it even applies to email that originates from non-citizens in other countries.

 

Google's relationships with government officials in all of the dozens of countries where they operate are a mystery, because Google never makes any statements about this. But here's a clue: Google uses the term "governmental request" three times on their terms-of-use page and once on their privacy page. Google's language means that all Gmail account holders have consented to allow Google to show any and all email in their Gmail accounts to any official from any government whatsoever, even when the request is informal or extralegal, at Google's sole discretion. Why should we send email to Gmail accounts under such draconian conditions?

 

 

Problem 2: Google's policies do not apply

 

The phrasing and qualifiers in the Gmail privacy policy are creepy enough, but nothing in any of Google's policies or public statements applies to those of us who don't have Gmail accounts. Google has not even formally stated in their privacy policy that they will not keep a list of keywords scanned from incoming email, and associate these with the incoming email address in their database. They've said that their advertisers won't get personally identifiable information from email, but that doesn't mean that Google won't keep this information for possible future use. Google has never been known to delete any of the data they've collected, since day one. For example, their cookie with the unique ID in it, which expires in 2038, has been tracking all of the search terms you've ever used while searching their main index.

 

Matt Cutts, a software engineer at Google since January 2000, used to work for the National Security Agency.

 

Keyhole, the satellite imaging company that Google acquired in October 2004, was funded by the CIA.

 

"We are moving to a Google that knows more about you." - Google CEO Eric Schmidt, February 9, 2005

 

 

Problem 3: A massive potential for abuse

 

If Google builds a database of keywords associated with email addresses, the potential for abuse is staggering. Google could grow a database that spits out the email addresses of those who used those keywords. How about words such as "box cutters" in the same email as "airline schedules"? Can you think of anyone who might be interested in obtaining a list of email addresses for that particular combination? Or how about "mp3" with "download"? Since the RIAA has sent subpoenas to Internet service providers and universities in an effort to identify copyright abusers, why should we expect Gmail to be off-limits?

 

Intelligence agencies would love to play with this information. Diagrams that show social networks of people who are inclined toward certain thoughts could be generated. This is one form of "data mining," which is very lucrative now for high-tech firms, such as Google, that contract with federal agencies. Email addresses tied to keywords would be perfect for this. The fact that Google offers so much storage turns Gmail into something that is uniquely dangerous and creepy.

 

 

Problem 4: Inappropriate ad matching

 

We don't use Gmail, but it is safe to assume that the ad matching is no better in Gmail, than it is in news articles that use contextual ad feeds from Google. Here's a screen shot that shows an inappropriate placement of Google ads in a news article. We also read about a lawyer who is experimenting with Gmail. He sent himself a message, and discovered that the law practice footer he uses at the bottom of all of his email triggered an ad for a competing law firm.

 

Another example is seen in the Google ads at the bottom of this story about Brandon Mayfield. There are two ads. One mentions sexual assault charges (sex has nothing to do with the story), and the other is about anti-terrorism. The entire point of this article, as well as a New York Times piece on May 8, 2004, is that a lawyer has had his career ruined due to overreaction by the FBI, based on disputed evidence. He was arrested as a material witness and his home and office were searched. The NYT (page A12) says that "Mr. Mayfield was arrested before investigators had fully examined his phone records, before they knew if he had ever met with any of the bombing suspects, before they knew if he had ever traveled to Spain or elsewhere overseas. His relatives said he had not been out of the United States for 10 years." The only evidence is a single fingerprint on a plastic bag, and some FBI officials have raised questions about whether this print is a match. While Mr. Mayfield will get his day in court, it appears that Google's ads have already convicted him, and for good measure added some bogus sexual assault charges as well. Would Mr. Mayfield be well-advised to send email to Gmail account holders to plead his case?

 

The Wichita Eagle is pleased to present Google's recommendation for an alarm company that can "protect your home and family." One tiny problem is that the trigger for this ad is an article about an alarm installer who worked for this company for 14 years, while moonlighting as a serial killer.

 

Our last example shows three ads fed by Google at the bottom of a Washington Post column titled "Gmail leads way in making ads relevant." The columnist argues that Google's relevant ads improve the web, and therefore she finds nothing objectionable about Gmail. These Google-approved ads offer PageRank for sale, something which only a year ago, Google would have considered high treason. Yes, these ads are "relevant" - the column is about Google, and the ads are about PageRank. But here's the point: A relevant ad that shows poor judgment is much worse than an irrelevant ad that shows poor judgment. The ads at the bottom of her column disprove her pro-Google arguments. She has no control over this, and is probably not even aware that it happened.

 

Most writers, even if they are only writing an email message instead of a column in a major newspaper, have more respect for their words than Google does. Don't expect these writers to answer their Gmail.

 

Esther Dyson, queen of the digerati, gets it wrong

 

"We're not going to have any choice but to send mail to people at Gmail just to function in the e-mail world," says Daniel Brandt, founder of the Google-Watch.org Web site. "And what guarantees do we have that all this won't end up on some bureaucrat's desk at some intelligence agency someday?" But those who support Gmail say such privacy concerns are not Google issues so much as constitutional ones, best addressed to Congress and law-enforcement agencies. "They've got a beef with the wrong person. The problem there is the FBI, not Google," says Dyson. "And in the scheme of things, I'd rather have Google than my employer have access to my personal mail." - Baltimore Sun, 20 May 2004

 

The point is this: Some two-thirds of all Google searches come in from outside the U.S., and Gmail will also have a global reach. We're not dealing with only the FBI (and yes, the same privacy advocates who oppose Gmail are dealing with the FBI), but potentially with hundreds of agencies in dozens of countries. Google has no data retention policies, and never comments on their relationships with governments. The problem must be addressed at the source, which is Google. Elitist digerati do a disservice to the entire world when they assume such narrow points of view.

 

Privacy: Not enough, and too much!

 

While there's no privacy for non-Gmail users who receive mail from a Gmail account and might want to reply, there is too much privacy for those who use Gmail to send spammy, abusive, or threatening messages. Unlike Hotmail, Yahoo mail, and most other web mail services, browser-based Gmail does not show the originating IP address in the header. This means that system administrators who are trying to stop abuse cannot identify a Gmail abuser without asking Google for assistance. And normal users, assuming they can read headers, cannot check the identity of someone sending from Gmail. (With an IP address, you can at least do a quick check on the country or city of origin by looking it up at dnsstuff.com or some similar service.) Since Google always seems to be too busy making billions to bother with complaints, many decide it's easier to just say "no" to all Gmail.

source: http://www.gmail-is-too-creepy.com/

 

 

Also see http://forums.xisto.com/no_longer_exists/ for the huge issues about privacy.

 

So yeah, it doesn't surprise me at all that a 14 year old kid could find that flaw. Gmail is very good but they still have issues to work out. They need to change the privacy policy big time and up security. So if you have Gmail, I suggest not storing any important documents on it.

 

Notice from moonwitch:
Please use quote tags, it cost you 38 credits - automated credit deduction script.

Well, I don't understand why people are so obsessed with Google and try to be protective of it...

 

Because Google isn't interested in money like Micro$oft is. Google is a great company and they excel above others in the same industry... Yahoo for example.

Google had a flaw in something as basic as a web-based email, that is bad.

 

Gmail isn't basic. If it was basic, then someone else would have already created it. Google has rocket scientists and neurosurgeons working for them so I think great care was put into designing the Gmail service. This was just one little security flaw that got overlooked somehow. One security flaw is better than 100.

If Microsoft had done that same thing, I am sure tens of others would have written dozens of posts condemning the company.

 

M$ is already hated because of the terrible job of security on Window$. M$ is more interested in a GUI than system security so lots of people have posts against the company. I switched over to Linux for this reason, but since not all of my favorite software works in Linux, I'm stuck using both for a long time...

Both suck money.

 

M$ wants all the money it can get. Google could actually care less about money. Mr. Page and Mr. Brin started the company as a search engine. The ads were only to keep it running because there are bills to pay. That's how Google operates to this day.

 

[N]F


"M$ wants all the money it can get. Google could actually care less about money."

Well, I believe that's somewhat true, but Google needs money. They don't charge for everything like Microsoft but, for instance, they charge big time for decent advertising among other things.

"True. These are the "Kids of the future", they are always on the look out for suspicious things and will do anything to alert the authorities. In this case, the teenager was smart to post this news publicly. At least someone from Google managed to pick this news up!"

lol I don't believe he was looking for an exploit... it just happened... and it seemed like it was pretty obvious... if he had any visual indication that the code output, he would see it right in front of him (i.e. he wouldn't have had to have been looking for anything). That's the only reason that this case isn't very special. It can happen to anyone, could happen to a 10 year old if they tried it. It would be a lot harder for a 14 year old looking for exploits to find them. And to be completely honest this is such a simple problem to spot, I can't believe it wasn't found out before =p (but then again I don't know that many people that try and send direct JavaScript code through email lol)

"M$ is already hated because of the terrible job of security on Window$. M$ is more interested in a GUI than system security so lots of people have posts against the company.

I switched over to Linux for this reason, but since not all of my favorite software works in Linux, I'm stuck using both for a long time..."

My friend told me he found an OS called "linspire" that's like Windows and Linux... I don't know anything about it, but it might be worth it to check out =]
BTW no offense is intended if anyone takes any, I just got off a political debate forum and I'm a little stirred up =]
~Adio


Ok, so Google is keeping information on its users, I'll admit a bit creepy, but honestly how do you expect them to be able to give good search results without collecting information and then using it to do massive cross referencing to be able to get more accurate results? As for the information that they get from the emails that are on their server... um, reality check... do you honestly believe that they are the only ones that are doing that? Any email server has the right to do with the information on their server pretty much as they wish. From what I've read on the web at different points, the assumption of privacy on public email servers is not really backed up by law. If you want a private email server then pay for it or run it yourself. Personally I don't put anything into an email that I honestly don't want the general public knowing about. As for privacy in email... I hope you don't send anything you don't want your employer to know about from work or visit sites you don't want your employer knowing you are visiting on work time, because any information sent across their network is theirs to view/record/archive as they see fit. The same premise protects Google, it's their network and all information on it is theirs to do with as they see fit.


Google had a flaw in something as basic as a web-based email, that is bad. Instead of accepting it, people give excuses or try to defend Google. If Microsoft had done that same thing, I am sure tens of others would have written dozens of posts condemning the company.


I have to side-track here and agree with Captain Ron.

When Microsoft do something bad, they make it like they've just destroyed the world, but when Apple, Sony, whoever they may compete with, do it, then they all defend them and laugh in good taste...


Sorry to go off topic...
