
That music!
I think I'll keep replaying this video all night!!!
Google has fixed a "high impact" security bug in Gmail's password reset system that could have left any account wide open to a crafty hijacker. The flaw, spotted by security researcher Oren Hafif, was exploited by sending a spoofed email that reminds the Gmail user that it's time to reset their password. Clicking on the link …
A typical "phishing" attempt just expects to get the username and password from a user by mirroring the look of the site. This particular hack was doing this, but also subverting all of Google's other failsafes (2-step etc.) by also fooling Google's backend servers into giving it a login cookie, when it really should not have been giving one, hence the bug - perhaps by also mirroring Google's request for this login cookie in a way that successfully fooled their systems... Security isn't my day job (although I.T. certainly is!), but it was more than your typical "phishing" attempt; as others have noted, though, it still would have required somebody to actually click the link in the initial e-mail...
Losing control of your e-mail account (especially your Google account), for me, means almost losing my current identity. I am looking for ways to shift that control back to myself, perhaps by having my own Linux mail server and then using this address instead of Google's, meaning I can choose what information I might want to send to Google (for the convenience and use of their excellent software...), and all e-mails initially arrive at an address other than the one I publicise.
Of course this then leaves my servers open to the WWW and I then have to secure this myself...
Unless the user was so stupid as to not have opted into 2-step verification after how many hundreds of warnings and reminders by Google?
These are the same people who think that 2-step verification is too much trouble on their banking website.
What did the comedian Ron White say? "You can't fix stupid".
Well, in the US it is pointless. Maybe you Brits have real 2-step verification, but at least as implemented in the US, a man-in-the-middle attack subverts it. First I log in with my 4-digit PIN, then it puts up a screen and asks for my password. Which as far as I'm concerned is just a disjointed long password. If you've clicked on the phishing link and I've popped up the fake screen, I just run a separate session to send the info to the bank. When the bank shows your private picture and word phrase, I pass them to you. I can see where logging in and having it send a code to my phone or email account that I then have to type in to complete the transaction would work, but not the crap they call 2 factor over here.
Wow. There's something that couldn't be applied to lots of other companies like Facebook- oh, wait.
Companies use the information you give them; to think otherwise is naive. At least Google (unlike the NSA and others that do metadata/keyword work) is giving you something for sharing your data, which is to help you organize it and spit back some of the results of its data mining by presenting things of interest to you (maps, weather, sports, local events, search).
They pay for it by providing companies with a funnel that they can dump their ads into, and have them show up for people that are likely to want to buy them. Companies are not paying to unmask you. They are paying to get their ads shown to those that are most likely to respond to them by buying, thus giving those companies money for their investment.
Now THAT has to be an industry-wide record.
Not bashing Google - on the contrary, someone flagged a serious problem, Google assigned it a high priority and IT GOT DONE. Then the useful researcher got his due.
Which is the way it should be.
Unfortunately, many other companies should take note of this (eh, Yahoo! ?).