Gmail Bug Exposes E-mails to Hackers

By Ed Oswald | Published January 12, 2005, 3:23 PM

UPDATE: Google has squashed a bug in Gmail, discovered by UNIX developers HBX Networks, that allowed access to other users' personal e-mails. By altering the "From" address field of an e-mail sent to the service, hackers could potentially find out a user's personal information, including passwords.

Quick to respond, Google acknowledged the problem late Wednesday and has since corrected it for all users, a company source said.

At first glance, to the average user the e-mail would appear normal. But by clicking "show options" within the Gmail interface, the "Reply-To" field will show HTML code that is actually a formatted version of another user's e-mail, HBX wrote on its Web site.

HBX said that they think a missing character is tripping up Gmail and causing it to print whatever is in its cache, or memory, into the Reply-To field. The group did say much of what they saw was spam. However, what troubled them was in at least one case they were able to see a user's password.

"Regardless of the specific failure, the result is a compromise of the privacy of communications over Gmail," the organization said. "Usually, this only permits an attacker to examine recently-arrived spam in random users' inboxes - but message content does occasionally become more interesting."

The group urged Gmail users to contact Google and demand the problem be fixed, and warned about using the service for personal communications.

Comments

We fixed this some time ago. See our reply to the slashdot article here: http://it.slashdot.org/a...amp;tid=217&tid=218

Chris DiBona
Open Source Program Manager, Google Inc.

Score: 1

|

Chris way to go!
B.Preece
Suncoast Linux Users Group

Score: -1

|

Good to know--this could've (and may still) hurt Google's rep a lot even though betas are just that--beta. Now if Gmail was a full version, I must admit this would have been a pretty big deal. I don't use Gmail yet, not until it gets out of beta. Perhaps this was a good reason why, though I'm sure it was fixed by Google Inc. asap.

Score: 0

|

I thought Gmail is still in beta. This is what beta is for. I still say do not use it as personal mail. I use Gmail for spam, to subscribe to newsletters, and to sign up for stuff.

Score: 0

|

why the f*** don't they email google as opposed to releasing this information?

ffs ... you'd think the security group was headed up by yahoo and msn execs trying to knock google down a peg instead of helping the users.

Score: 0

|

You're right, it's funny that they release it like it is some major thing, but in reality those of us who use Gmail realize that it is still in beta testing, so it isn't like Gmail is letting people use a buggy service, we have just chosen to test the service for bugs before the normal e-mail users get their hands on it.

If this security hole was found months from now when the service is made widely available to the public, then it would be a different story...

Score: 0

|

It's not all that surprising to find a 'security group' going against the SMTP standards when sending emails and then to advise the public that what they can do is bad and someone should stop them before informing a company with the power to put a stop to it.

So, Gmail's validation of the SMTP syntax had an error. So what? It's still in Beta.

HBX Networks must be trying to render Gmail's feedback system useless as they're telling thousands, if not millions, of users to send this same message. Should a Gmail user even report a bug that they can't even replicate? Or should HBX Networks inform us as to exactly how they compromised our privacy so that we may have a valid reason to inform Gmail over and over and over....
This may seem "Ok" as it's telling Google to fix this particular problem but what about other bugs that may be discovered? Filtering through all this HBX endorsed spam may slow down the rate of development.

Gmail-Beta is all about developing an efficient emailing system so why would a "security group" want to tell millions of people to slow down its development?

Score: 1

|

Secunia are also experts at releasing vulnerabilities to the public first...

Score: 0

|

...that's quite a glitch--

Score: 0

|

Passwords should never be sent by e-mail in the first place (and it annoys me that they so often are).

Here's the fact. Mail arrives and leaves gmail using a protocol called Simple Mail Transport Protocol, which was developed a very long time ago when the internet was a kinder, gentler place.

When you send an e-mail, first it goes to your ISP's mail server. The ISP's mail server spools it into a file, most commonly, and delivers it at some future point in time through a process called relaying.

The file is stored on disk in unencrypted form, most commonly under a common account. Anyone at the ISP can read the mail in the queue.

Once that is completed, the next thing that happens is that the file is sent, unencrypted, from a port on the mail server (whose address, under SPF, is conveniently recorded in the DNS record as being a mail server) to a known port on Google's e-mail server.

This exchange occurs using the same SMTP, an unencrypted protocol, travelling over, on average, at least 10 routers on the internet, along a path you have no control over. There is no end-to-end encryption, and so any of these routers that may have been compromised can see your message in plain text.

Google then stores this information in a database.

This attack was on the cache, and displayed the message, but only after a great many other people had been given the opportunity to review the data first.

You should never, ever send a password, credit card number or any other data you care about via e-mail. If you need something to be private, use PGP or GPG.

The thing about this bug is it displayed random data -- you couldn't control what random data. It might be passwords, or (most likely) it might be advertisements for Viagra and fake e-Mails from WAMU.

Any compromised router in the vicinity of Google's system would be able to launch a directed attack against users' passwords and any other information sent in e-mail.

But users don't know any better.

Score: 0

|
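The hop-by-hop relaying described in the last comment can be checked on any received message, shown here as an added example that is not part of the original article or its comments. It reads the `Received` headers each relay prepends and flags hops that did not record a TLS-protected transport; the `with` keywords come from RFC 3848, which goes beyond what the comment covers, and the sample message, host names and function names are constructed for illustration.

```python
import email
import re

# "with" protocol keywords that record a TLS-protected hop (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def _field(keyword, header):
    """Return the token following `keyword` in a Received header, or None."""
    m = re.search(r"(?:^|\s)" + keyword + r"\s+(\S+)", header, re.IGNORECASE)
    return m.group(1).rstrip(";") if m else None

def audit_hops(raw_message):
    """List relay hops in travel order with the transport each one recorded."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its header, so reverse to get sender -> recipient.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold continuation lines
        proto = (_field("with", flat) or "UNKNOWN").upper()
        hops.append({
            "from": _field("from", flat),
            "by": _field("by", flat),
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS,
        })
    return hops

def plaintext_hops(raw_message):
    """Hops whose relay did not record TLS; content was readable in transit."""
    return [h for h in audit_hops(raw_message) if not h["tls"]]

# Constructed sample message (hypothetical hosts, documentation addresses).
SAMPLE = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mx.mailhost.example with ESMTP id abc123;
\tWed, 12 Jan 2005 15:00:05 -0800
Received: from desktop.home.example (desktop.home.example [198.51.100.7])
\tby mx.isp.example with ESMTPSA id def456;
\tWed, 12 Jan 2005 15:00:01 -0800
From: alice@home.example
To: bob@mailhost.example
Subject: test

body
"""

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop["from"], "->", hop["by"], hop["protocol"],
              "TLS" if hop["tls"] else "PLAINTEXT")
```

A TLS keyword covers only that hop's wire: the message is still stored in the clear on each relay, which is why the comment's advice to use PGP or GPG for sensitive content still applies. `Received` lines are self-reported, so only those added by relays you trust are reliable.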
