Gmail Bug Exposes E-mails to Hackers

By Ed Oswald, BetaNews

January 12, 2005, 3:23 PM

UPDATE: Google has squashed a bug within Gmail, discovered by UNIX developers HBX Networks, that allowed access to other users' personal e-mails. By altering the "From" address field of an e-mail sent to the service, hackers could potentially find out a user's personal information, including passwords.

Quick to respond, Google acknowledged the problem late Wednesday and has since corrected it for all users, a company source said.

At first glance, the e-mail would appear normal to the average user. But by clicking "show options" within the Gmail interface, the "Reply-To" field would show HTML code that is actually a formatted version of another user's e-mail, HBX wrote on its Web site.

HBX said that they think a missing character is tripping up Gmail and causing it to print whatever is in its cache, or memory, into the Reply-To field. The group did say that much of what they saw was spam. However, what troubled them was that in at least one case they were able to see a user's password.

"Regardless of the specific failure, the result is a compromise of the privacy of communications over Gmail," the organization said. "Usually, this only permits an attacker to examine recently-arrived spam in random user's inboxes - but message content does occasionally become more interesting."

The group urged Gmail users to contact Google and demand the problem be fixed, and warned about using the service for personal communications.

11 Comments


By coode_al

edited Aug 6, 2005 - 4:19 PM

Who can send me the Windows Media Player 10 in my inbox

Score: 0

By cdibona

edited Jan 12, 2005 - 11:59 PM

We fixed this some time ago. See our reply to the slashdot article here: http://it.slashdot.org/a...amp;tid=217&tid=218

Chris DiBona
Open Source Program Manager, Google Inc.

Score: 0

By bourgeoisdude

posted Jan 13, 2005 - 12:12 PM

Good to know--this could've (and may still) hurt Google's rep a lot even though betas are just that--beta. Now if Gmail was a full version, I must admit this would have been a pretty big deal. I don't use Gmail yet, not until it gets out of beta. Perhaps this was a good reason why, though I'm sure it was fixed by Google Inc. ASAP.

Score: 0

By Slug_Coordinator

posted Jan 13, 2005 - 10:47 AM

Chris way to go!
B.Preece
Suncoast Linux Users Group

Score: 0

By jazzback

posted Jan 12, 2005 - 10:55 PM

I thought Gmail is still in beta. This is what beta is for. I still say do not use it as personal mail. I use Gmail for spam, to subscribe to newsletters, and to sign up for stuff.

Score: 0

By RaveN-FH-

edited Jan 12, 2005 - 5:29 PM

why the f*** don't they email google as opposed to releasing this information?

ffs ... you'd think the security group was headed up by yahoo and msn execs trying to knock google down a peg instead of helping the users.

Score: 0

By bourgeoisdude

posted Jan 13, 2005 - 12:09 PM

Secunia are also experts at releasing vulnerabilities to the public first...

Score: 0

By mynameisdougb

posted Jan 12, 2005 - 7:06 PM

You're right, it's funny that they release it like it is some major thing, but in reality those of us who use Gmail realize that it is still in beta testing, so it isn't like Gmail is letting people use a buggy service; we have just chosen to test the service for bugs before the normal e-mail users get their hands on it.

If this security hole was found months from now when the service is made widely available to the public, then it would be a different story...

Score: 0

By Portal3

posted Jan 12, 2005 - 11:37 PM

It's not all that surprising to find a 'security group' going against the SMTP standards when sending emails and then to advise the public that what they can do is bad and someone should stop them before informing a company with the power to put a stop to it.

So, Gmail's validation of the SMTP syntax had an error. So what? It's still in beta.

HBX Networks must be trying to render Gmail's feedback system useless as they're telling thousands, if not millions, of users to send this same message. Should a Gmail user even report a bug that they can't even replicate? Or should HBX Networks inform us as to exactly how they compromised our privacy so that we may have a valid reason to inform Gmail over and over and over....
This may seem "Ok" as it's telling Google to fix this particular problem but what about other bugs that may be discovered? Filtering through all this HBX endorsed spam may slow down the rate of development.

Gmail-Beta is all about developing an efficient emailing system, so why would a "security group" want to tell millions of people to slow down its development?

Score: 0

By bourgeoisdude

posted Jan 12, 2005 - 4:08 PM

...that's quite a glitch--

Score: 0

By dbacher

posted Jan 19, 2005 - 6:12 PM

Passwords should never be sent by e-mail in the first place (and it annoys me that they so often are).

Here's the fact. Mail arrives and leaves gmail using a protocol called Simple Mail Transport Protocol, which was developed a very long time ago when the internet was a kinder, gentler place.

When you send an e-mail, first it goes to your ISP's mail server. The ISP's mail server spools it into a file, most commonly, and delivers it at some future point in time through a process called relaying.

The file is stored on disk in unencrypted form, most commonly under a common account. Anyone at the ISP can read the mail in the queue.

Once that is completed, the next thing that happens is that the file is sent, unencrypted, from a port on the mail server (whose address, under SPF, is conveniently recorded in the DNS record as being a mail server) to a known port on Google's e-mail server.

This exchange occurs using the same SMTP, an unencrypted protocol, travelling over on average at least 10 routers on the internet, and whose path you have no control over. There is no end-to-end encryption, and so any of these routers that may have been compromised can see your message in plain text.

Google then stores this information in a database.

This attack was on the cache, and displayed the message, but only after a great many other people had been given the opportunity to review the data first.

You should never, ever send a password, credit card number or any other data you care about via e-mail. If you need something to be private, use PGP or GPG.

The thing about this bug is it displayed random data -- you couldn't control what random data. It might be passwords, or (most likely) it might be advertisements for Viagra and fake e-Mails from WAMU.

Any compromised router in the vicinity of Google's system would be able to launch a directed attack against users' passwords and any other information sent in e-mail.

But users don't know any better.

Score: 0