Archive for the ‘Google News’ Category
New cracks in Google mail
Penetrated via a persistent backdoor
By Dan Goodin in San Francisco
Published Wednesday 26th September 2007 01:23 GMT
Yesterday, we reported on an unholy trinity of Google vulnerabilities that put emails, private photos and website security at risk. Today came word of a new weakness that makes it easy for bad guys to silently put a backdoor in Gmail accounts.
The technique comes courtesy of Petko D. Petkov, a researcher at GNU Citizen, who writes in a blog post that the backdoor is installed simply by luring a victim to a specially crafted website while logged in to Gmail. The naughty site uses a sleight of hand known as a multipart/form-data POST, which writes a filter to Gmail that causes all email with attachments to be forwarded to collect@evil.com.
Petkov didn’t provide a proof of concept or detailed documentation, but Ryan Naraine of the Zero Day blog writes here that the exploit was demonstrated for him. The bug “is particularly nasty because of the way the exploit works without any user action and the fact that it’s difficult for the average Gmail user to know that emails are being stolen,” he writes.
Users aren’t likely to notice a filter has been added unless they think to check the “Filters” section of their Gmail Settings.
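The weakness described above is a cross-site request forgery: the victim's browser attaches the Gmail session cookie to a form POST that the attacker's page submits, so the server cannot tell a forged "create filter" request from a genuine one. The following is an added example, not code from the article, Google, or Petkov, showing the two standard server-side checks that break this pattern: the request must carry a per-session anti-forgery token that a foreign page cannot read, and the browser-supplied Origin/Referer header must match the site's own origin. The endpoint, session store, origin names and addresses are all hypothetical and constructed for the example.

```python
"""Hypothetical 'create mail filter' endpoint with CSRF defences.

Constructed example: a minimal request model standing in for a real
webmail settings handler. Nothing here is Gmail's actual code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlparse

# Server-side key used to bind anti-forgery tokens to sessions (constructed).
SERVER_SECRET = secrets.token_bytes(32)

# The only origin from which settings changes may be submitted (hypothetical).
ALLOWED_ORIGINS = {"https://mail.example.com"}

# In-memory stand-in for a session store: session id -> user state (constructed).
SESSIONS: Dict[str, dict] = {"sess-abc": {"user": "victim", "filters": []}}


@dataclass
class Request:
    method: str
    headers: Dict[str, str]   # headers the browser sets; a page cannot forge Origin
    cookies: Dict[str, str]   # sent automatically, even on cross-site POSTs
    form: Dict[str, str]      # parsed multipart/form-data fields


def csrf_token_for(session_id: str) -> str:
    """Derive a per-session anti-forgery token.

    The token is embedded in the site's own settings form. A page on another
    origin cannot read that form (same-origin policy), so it cannot include
    a valid token in a forged submission.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def create_filter(req: Request) -> Tuple[int, str]:
    """Handle POST /settings/filters. Returns an (HTTP status, message) pair."""
    if req.method != "POST":
        return 405, "method not allowed"

    session_id = req.cookies.get("SID", "")
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"

    # Defence 1: the request must originate from our own site.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return 403, "missing origin"
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" not in ALLOWED_ORIGINS:
        return 403, "cross-site request rejected"

    # Defence 2: the form must carry the session-bound token (constant-time compare).
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token_for(session_id)):
        return 403, "bad csrf token"

    # Only now is the state change applied.
    rule = {"match": req.form.get("match", ""),
            "forward_to": req.form.get("forward_to", "")}
    session["filters"].append(rule)
    return 200, "filter created"


def demo() -> dict:
    """Run one legitimate and one forged request against a fresh session."""
    SESSIONS["sess-abc"]["filters"].clear()
    legit = Request(
        "POST",
        {"Origin": "https://mail.example.com"},
        {"SID": "sess-abc"},
        {"csrf_token": csrf_token_for("sess-abc"),
         "match": "has:attachment", "forward_to": "me@example.com"},
    )
    # A forged submission from a third-party page: the browser still sends the
    # cookie, but sets Origin to the attacker's page and the form has no token.
    forged = Request(
        "POST",
        {"Origin": "https://third-party.invalid"},
        {"SID": "sess-abc"},
        {"match": "has:attachment", "forward_to": "collector@example.invalid"},
    )
    return {
        "legit": create_filter(legit),
        "forged": create_filter(forged),
        "filters": list(SESSIONS["sess-abc"]["filters"]),
    }


if __name__ == "__main__":
    print(demo())
```

Either check alone stops the forged request; using both means a missing header (some proxies strip Referer) does not silently weaken the token check, and a token leak does not bypass the origin check. On the detection side, the article's advice still stands: an unexpected forwarding rule in the Filters settings is the only visible trace of a successful forgery, so auditing those rules after any suspicious browsing session is the practical user-side check.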
A Google spokesman said company bug hunters were looking into the report.
Petkov’s discovery is just the latest way people can be burned when entrusting their personal data to Google. Yesterday, various researchers showed how a vulnerability in the Google search appliance, which the company sells to webmasters, can be used to inject code and overwrite content on the pages of third-party sites. Another flaw made it possible to steal photos designated as private on the Picasa application.
Google also suffered from a vulnerability that resided in the so-called polls application, a part of Google Groups, that made it possible to steal contacts and messages from Gmail accounts. A Google spokesman on Monday afternoon said the flaw had been fixed.
Source:
http://www.theregister.co.uk/2007/09/26/gmail_backdoor_vulnerability/
Google Video, Notebook, Catalog Search, Jaiku, and Dodgeball to Shut Down
A number of Google services just announced that they are about to shut down. The Google Video team announced that it will shut down uploads in a few months, while the Google Notebook team announced that it is stopping development (the service will continue to function, however). According to Danny Sullivan, Google is also closing Jaiku, a Twitter-like micro-blogging service that was bought by Google before it even launched, but which has lingered in invite-only mode ever since. Google Catalog search, which made shopping catalogs searchable, will also be closed soon.
Google open sources RatProxy security tool, Web sniffer made available to all
Google has released the source code for its internal RatProxy security tool.
The software analyses web pages for potential security risks and reports back to the site administrator.
RatProxy can pick up cross-site scripting flaws and incomplete cross-site defence mechanisms, as well as potential data leak sources and risky code that retrieves data from outside domains.
Google hopes that developers will put the tool to use when coding new web-based services that rely on multiple sites and outside sources for data.
Michal Zalewski, a security engineer at Google, warned, however, that the tool should not be considered a substitute for a thorough analysis by a security professional.
“We feel it will be a valuable contribution to the information security community, helping to advance the understanding of security challenges associated with contemporary web technologies,” he said.
“We believe that responsible security research brings a net overall benefit to the safety of the web as a whole, and have released this tool explicitly to support that kind of research.”
Users can download RatProxy from the Google Code site. The tool works on Windows, Linux, FreeBSD and Mac OS X operating systems.
More info:
http://sumptuousworld.blogspot.com/search/label/I.T%20News