When fixing is not enough

Howdy ho from Brazil, folks.

Remember that vulnerability in the Gmail filter feature reported by Petko D. Petkov in September? Google fixed it a few days after it was disclosed, but something was missing: end users should have been notified.
Early this week I was made aware of someone who was hit hard by this vuln months after it was fixed. David Airey’s domain was hijacked, and this vulnerability played a part in that.

But Google fixed that, so what’s the problem? They should have notified all users. New filters could not be injected anymore after the fix, but filters injected before the fix were still there. A simple “please check your filters” Web two-dot-oh notice would have been enough, if only because new filters could have been added in the days between the disclosure and the fix. End users don’t read the same blogs, lists and security resources that we read. Users are not supposed to know the nuts and bolts of the vulnerability, but they should know what manual actions to take.
I don’t know about you, but I have thought of a few solutions for that:
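
One way a defender can act on this is to audit the filters that already exist rather than trust the fix alone. The script below is an added illustration, not Google’s code or API: the filter records, the `created` field and the disclosure/fix window are constructed, and it flags any filter that forwards outside the user’s own domains, hides the original copy, or was created inside the window.

```python
"""Audit existing mail filters for forwarding rules that may have been
injected before a fix landed. Added example; the MailFilter model, the
sample records and the DISCLOSED/FIXED dates are constructed, not real
Gmail data or the Gmail API."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

@dataclass
class MailFilter:
    filter_id: str
    created: date                 # assumed field; not every provider exposes it
    forward_to: Optional[str]     # None when the filter does not forward
    delete_original: bool         # True when the filter also trashes the message

# Constructed placeholder window: disclosure date and the date of the fix.
DISCLOSED = date(2007, 9, 24)
FIXED = date(2007, 9, 27)

def is_external(address: str, owner_domains: Set[str]) -> bool:
    """True when the address is not on one of the user's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in owner_domains

def audit_filters(filters: List[MailFilter], owner_domains: Set[str],
                  disclosed: date = DISCLOSED, fixed: date = FIXED
                  ) -> List[Tuple[str, List[str]]]:
    """Return (filter_id, reasons) for every filter the user should review."""
    findings = []
    for f in filters:
        reasons = []
        if f.forward_to and is_external(f.forward_to, owner_domains):
            reasons.append("forwards to external address " + f.forward_to)
        if f.forward_to and f.delete_original:
            reasons.append("forwards and deletes the original (hides the copy)")
        if f.forward_to and disclosed <= f.created <= fixed:
            reasons.append("created inside the disclosure-to-fix window")
        if reasons:
            findings.append((f.filter_id, reasons))
    return findings

# Constructed sample: one benign label filter, one suspicious forwarder,
# one forwarder to the owner's own domain created well after the fix.
SAMPLE = [
    MailFilter("f1", date(2007, 6, 1), None, False),
    MailFilter("f2", date(2007, 9, 25), "attacker@example.net", True),
    MailFilter("f3", date(2007, 11, 2), "me@example.org", False),
]

if __name__ == "__main__":
    for fid, why in audit_filters(SAMPLE, {"example.org"}):
        print(fid, "; ".join(why))
```
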

  1. Anything under settings should require the password for every change. I guess Yahoo! Mail works like that;
  2. Filters that forward messages should be handled differently, maybe under the “Forwarding and POP/IMAP” tab.

Another simple mitigation that people should use for any online service is something like privilege separation (I don’t have a better name for it). Use different accounts for different purposes: have a master account and child accounts that forward every message to the master account.

If you are a moderator of a Yahoo! Group, for example, don’t use your main personal profile for group management. Reducing the session lifetime to 15 minutes and logging in only from trustworthy networks are other paranoid measures that could be considered. If there’s a targeted attack against your account, it will probably be your less critical account that is affected.
Do you have any insight about this Gmail vuln? Comment.
More info:

  • http://www.sunbeltblog.com alex eckelberry

    I don’t get it —

    The hack was fixed back in September. And, the hack would have required David Airey to have visited an evil site while logged in to his gmail account. Finally, AFAIK that POC code wasn’t published until AFTER the hack was patched. So… it might actually have never even gotten out into the wild as exploit code…

    Do we all think that David Airey’s site was compromised because of this exploit? I’m not sure.

    What if it’s a different sploit that we don’t know about?

  • http://brainsniffer.blogspot.com/ ronaldo

    Maybe a different sploit, good point Alex.

    Taking another look at the timeline we can see yet another reference, another vulnerability with the same potential and 2 PoCs by Fernando Munoz (http://blog.beford.org/?p=3), 09/24.

    Okay, the time span between public PoCs and fix was about 3 days. I don’t know how valuable David Airey’s domain was because I never heard about him (3096 RSS feed subscribers mean something), but someone interested enough in stealing the domain (or just for plain fun) would have 3 days to make David follow a URL.

    Anyway, if that was the scenario, the attacker took about 3 months to actually exploit the vulnerability (and Mr. Airey didn’t notice the new filter for 3 months either). It doesn’t make sense to me either.

    20 cents for your suggestion, another sploit. Or maybe just Google Account session hijacking, who knows.