http://www.computerworld.com/securitytopics/security/story/0,10801,98920,00.html By Matthew Broersma JANUARY 13, 2005 IDG NEWS SERVICE Google Inc. has fixed a bug in its Web-based e-mail service, Gmail, that allowed users to read the contents of other people's messages. HBX Networks, a Unix community group, discovered the bug while testing a Perl script intended to automate sending batches of newsletters. Messages sent to the group's own e-mail address contained HTML code in the "Reply To" field, and this code turned out to be the message body of other users' e-mail messages. The problem appears to be caused by a missing > character in the formatting of the "From" fields generated by the group's Perl script. "This, apparently, was enough to get GMail to provide us with some portion of someone else's messages," HBX members wrote in their analysis yesterday. They speculated that the missing character caused Google's application to read other data into this buffer -- a message that had been sent recently, for example. In at least one case, the intercepted e-mail contained username and password information, the group said. "Regardless of the specific failure, the result is a compromise of the privacy of communications over Gmail," the group wrote. "Message content and address information are easily -- if somewhat randomly -- available to unintended recipients." Google said the problem was fixed shortly after the HBX Networks report appeared. "At 10:15 a.m. PST mails with the problematic formatting as described in your previous story stopped being accepted into Gmail. Previous e-mails that had this problem will also no longer will be accessible. We appreciate your patience and we're sorry about the bug," Chris DiBona, Google's open-source program manager, said in an e-mail to the tech discussion site Slashdot. He urged users to report security bugs to security@private HBX expressed concern that other such bugs might exist. "The appearance of this issue, at the user level, probably indicates a failure in GMail's code review and/or quality assurance standards, which may result in other, similar errors," the group wrote. While it is technically still in beta testing, Gmail has become one of the most popular Web-based e-mail services since its launch in April and has begun to come under the same scrutiny as other Google services. Last month, for example, Google fixed a flaw with its desktop search that could have allowed hackers to search the contents of a PC. Security problems are nothing new to Web e-mail. Last March, shortly before Gmail's launch, IT security firm GreyMagic Software demonstrated that scripts could be run in Hotmail and Yahoo Inc.'s Web e-mail, bypassing scripting restrictions. Scripts embedded in e-mail messages could have been used to steal passwords or spread worms, researchers said. The problem has been fixed. _________________________________________ Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Fri Jan 14 2005 - 00:48:20 PST