Gmail’s Security Hole Allows Account Access Without A Password
An Israeli hacker reported to the Israeli news site Nana his finding of an exploit in Google’s Gmail. The exploit allows prying eyes to see your account’s contents without authentication. And perhaps the worst part of this exploit is that a password isn’t needed, so if you change your password it will be for naught.
So you’ve got a Gmail mail account? Or maybe you’ve just received an invitation? Well, we have some bad news for you: Your mail box is exposed. A major security hole in Google’s mail service allows full access to user accounts, without the need of a password.
“Everything could get publicly exposed – your received mails might be readable, as well as all of your sent mail, and furthermore – anyone could send and receive mail under your name”, reveals Nir Goldshlagger, an Israeli hacker, in an exclusive interview with Nana NetLife Magazine. “Even more alarming”, he explains, “is the fact that the hack itself is quite simple. All that is needed of the malicious hacker, besides knowledge of the specific technique, is quite basic computer knowledge, the victim’s username – and that’s it, he’s inside”.
When approached, Google admitted to the security flaw. Google also assured us that this matter is being resolved, and that “the company will go to any length to protect its users”.
The flaw, which was discovered by Goldshlagger and tested many times by Nana’s editorial board, showed an alarming success rate. In order not to further jeopardize mailbox owners, we will only disclose that the process is based upon a security breach in the service’s identity authentication. It allows the hacker to “snatch” the victim’s cookie file (a file planted in the victim’s computer used to identify him) using a seemingly innocent link (which directs to Gmail’s site itself). Once stolen, this cookie file allows the hacker to identify himself as the victim, without the need of a password. Even if the victim does change his password afterwards, it will be to no avail. “The system authenticates the hacker as the victim, using the stolen cookie file. Thus no password is involved in the authentication process. The victim can change his password as many times as he pleases, and it still won’t stop the hacker from using his box”, explains Goldshlagger.
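The property Goldshlagger describes, a session cookie that stays valid after a password change, can be shown from the server's side next to the usual fix. This is an added example, not code from the article or from Google; the in-memory store, the `user|epoch|mac` cookie layout and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed demo signing key
ACCOUNTS = {}                         # user -> {"salt", "pw", "epoch"}

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def set_password(user, password):
    """Create the account or change its password; a change bumps the epoch."""
    salt = secrets.token_bytes(16)
    epoch = ACCOUNTS[user]["epoch"] + 1 if user in ACCOUNTS else 0
    ACCOUNTS[user] = {"salt": salt, "pw": _pw_hash(password, salt), "epoch": epoch}

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def login(user, password):
    """Return a session cookie value, or None on bad credentials."""
    acct = ACCOUNTS.get(user)
    if acct is None or not hmac.compare_digest(acct["pw"], _pw_hash(password, acct["salt"])):
        return None
    payload = f"{user}|{acct['epoch']}"
    return f"{payload}|{_sign(payload)}"

def _parse(cookie):
    """Return (user, epoch) if the cookie is well formed and its MAC verifies."""
    try:
        user, epoch, mac = cookie.split("|")
        epoch = int(epoch)
    except ValueError:
        return None
    expected = _sign(f"{user}|{epoch}")
    if user not in ACCOUNTS or not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return user, epoch

def validate_weak(cookie):
    """Models the article's behaviour: the cookie outlives a password change."""
    parsed = _parse(cookie)
    return parsed[0] if parsed else None

def validate_hardened(cookie):
    """Reject any cookie minted before the account's latest password change."""
    parsed = _parse(cookie)
    if parsed and parsed[1] == ACCOUNTS[parsed[0]]["epoch"]:
        return parsed[0]
    return None
```

With the hardened check, changing the password revokes every cookie issued earlier, so the account owner regains control without the server having to track individual sessions.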
November 1st, 2004 at 6:30 pm
Do I note a wee bit of insecurity, lassie?
Yikes, Tony has announced that gmail is flawed….
February 20th, 2005 at 12:10 pm
This happened to me. They changed the password on my account so now I can't access it. If anyone knows how to get the cookie can you email me and tell me. 'Cause I think if I know how to do it I can get my account back. This is my other Gmail account that I used for junk mail. Plz help, ty