
Major Froogle/Google/Groups/Gmail Security Bug found

4:34 pm on Jan 14, 2005 (gmt 0)

brett_tabke, Administrator

If you can read Hebrew, you can read the details here:

[ynet.co.il...]

If you can't, you can read the interp report here:

[aviransplace.com...]

By embedding JavaScript in a URL pointing to Froogle, a hacker can gain access to the user's Gmail account. The JavaScript redirects the browser to a malicious web site, where the hacker can read the user's cookie, which contains personal information, such as purchase history, user name and password for Google services.

This, the same day that they fixed another Gmail bug:
[computerworld.com...]
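As an added illustration (not part of this thread or of Google's code) of the bug class brett_tabke's post describes: a search parameter reflected into the results page without encoding, shown beside the output-encoded version and a session cookie marked HttpOnly, which together close both the injection step and the "read the user's cookie" step. The URL, cookie name and page template are constructed for the demo.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: a product-search URL whose "q" parameter carries
# markup. The 2005 Froogle report describes exactly this shape: text taken from
# the URL and reflected into the results page without encoding.
SAMPLE_URL = "https://shop.example/search?q=%3Cscript%3Ex()%3C/script%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects the raw query into HTML: the defect the thread discusses."""
    return f"<h1>Results for {query}</h1>"


def render_fixed(query: str) -> str:
    """Same page with HTML output encoding applied to the reflected value."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def session_cookie_header(value: str) -> str:
    """Set-Cookie line that keeps the session token away from page scripts.

    HttpOnly is the second layer: even if script injection succeeds, the
    cookie is not readable through document.cookie. The cookie name 'SID'
    is assumed for the demo, not Google's actual cookie layout.
    """
    return f"Set-Cookie: SID={value}; Path=/; Secure; HttpOnly"


def contains_script_tag(markup: str) -> bool:
    """Crude demo check: does a live <script> tag survive into the markup?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    q = query_param(SAMPLE_URL, "q")
    print(render_vulnerable(q))  # script tag survives into the page
    print(render_fixed(q))       # rendered as literal text: &lt;script&gt;...
    print(session_cookie_header("constructed-token"))
```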

6:18 pm on Jan 14, 2005 (gmt 0)

powdork, Senior Member

Is there any way folks could get hold of adsense or adwords passwords this way?

7:22 pm on Jan 14, 2005 (gmt 0)

Full Member

Hey Brett,
As an FYI - that page in Hebrew is just a login page, not the actual article. That newspaper changed their site to subscription based a few years ago.

Alon

7:31 am on Jan 15, 2005 (gmt 0)

New User

The ynet article also states that this kind of flaw, although not trivial to perform, is present in many major sites, and that users should be aware of any comparison sites using URL referrals with your proprietary user ID or account ID strung onto it.

Ron

7:45 am on Jan 15, 2005 (gmt 0)

Preferred Member

[slashdot.org...]

Has been fixed.

7:59 am on Jan 15, 2005 (gmt 0)

powdork, Senior Member

"Has been fixed."

Did you read all of Brett's initial post?

10:15 am on Jan 15, 2005 (gmt 0)

Junior Member

Well actually Ynet is still free for Israeli users; however, worldwide IPs have to subscribe. Just confirmed that with a proxy server.

Eyal

2:25 am on Jan 20, 2005 (gmt 0)

Junior Member

Why on earth is this reported in Hebrew - only Jews can read Hebrew

2:32 am on Jan 20, 2005 (gmt 0)

Senior Member

"Why on earth is this reported in Hebrew - only Jews can read Hebrew"

That's the language they write on their site. Anyone really interested (like Google) will find a Jew to translate it.

2:53 am on Jan 20, 2005 (gmt 0)

Senior Member

...only Jews can read Hebrew

Jews aren't the only people that can read Hebrew.

2:59 am on Jan 20, 2005 (gmt 0)

Senior Member

And some Jews (okay, LOTS of us) can't read Hebrew. But anyway, lots of high tech people are Israeli, so it stands to reason that some breaking stories will come out of Israel, and they won't be packaged all nice and tidy for Americans.

3:29 am on Jan 20, 2005 (gmt 0)

Full Member

For those complaining that they can't read Hebrew, remember... there are Jews/Israelis that cannot read English. So for them the only way to post/read this information is in Hebrew.

5:22 pm on Jan 20, 2005 (gmt 0)

rocknbil, Senior Member

Edit: wrong thread, apologies all, been working too hard and late. :-)

[edited by: rocknbil at 5:49 pm (utc) on Jan. 20, 2005]

5:34 pm on Jan 20, 2005 (gmt 0)

Senior Member

I posted this on Foo yesterday. [webmasterworld.com...]

"It wasn't yesterday, in fact this worm may have been around for months and it's just not being recognized by virus software. It apparently can even operate users' connected webcams - the perpetrator was arrested while spying on several remote comps this way. If true, this is big."

7:06 pm on Jan 20, 2005 (gmt 0)

Senior Member

And here's the kicker, apparently although the bug has been fixed, all compromised accounts, even if the user changes their password, are still open to the crackers.

Now imagine that scenario when the next desktop search hole is found and you'll start understanding why desktop search is possibly one of the very worst ideas ever to come up, about as bad as linking IE to the guts of Windows through ActiveX etc. Some ideas are just intrinsically bad.