When fixing is not enough
Howdy ho from Brazil, folks.
Remember that vulnerability in Gmail filter feature reported by Petko D. Petkov in September? Google fixed this vulnerability a few days after it was disclosed, but something was missing: end users should be noticed about that.
Early this week I was made aware of someone who was hit hard by this vuln months after it was fixed. David Airey’s domain was hijacked and this vulnerability helped on that.
But Google fixed that, what’s the problem? They should have noticed all users about that. New filters could not be injected anymore after the fix, but filters injected before the fix were still there. A simple “please check you filters” Web two-dot-oh notice would be enough, only if new filters were added in the days between the vuln was disclosed and the fix. End users don’t read the same blogs, lists and security resources that we read. Users are not supposed to know the nuts and bolts of the vulnerability, but they should know what manual actions should be taken.
I don’t know about you, but I thought about some solutions for that:
- Anything under settings should require password, in every change. I guess Yahoo! Mail works like that;
- Filters that forward messages should be handled in a different way, maybe under “Forwarding and POP/IMAP” tab.
Another simple mitigation action that people should use for any online service is something like a privilege separation (I don’t have a better name for that). Use different accounts for different purposes, have a master account and child accounts that forward every message to the master account.
If you are a moderator in a Yahoo! Group don’t use your main personal profile for group management, for example. Reducing the lifetime of the session to 15 minutes and log in only on trustworthy networks are other paranoid measures that could be considered. If there’s a targeted attack against your account probably your less critical account will be affected.
Do you have any insight about this Gmail vuln? Comment.