Adam Fields (weblog)

This blog is largely deprecated, but is being preserved here for historical interest. Check out my index page at adamfields.com for more up to date info. My main trade is technology strategy, process/project management, and performance optimization consulting, with a focus on enterprise and open source CMS and related technologies. More information. I write periodic long pieces here, shorter stuff goes on twitter or app.net.

10/29/2004

Gmail security breach

Filed under: — adam @ 7:43 pm

There’s a Gmail exploit that allows an attacker to steal your Gmail cookie, which thereafter identifies them as you to the system, even if you change your password.

This seems like a huge problem for Google, above and beyond the actual security breach. Remember that Gmail uses the same unlimited lifetime Google cookie. The data in that cookie is, presumably, extremely valuable for their tracking efforts, and I’d guess that this will be difficult for them to fix in a way that maintains that.

http://net.nana.co.il/Article/?ArticleID=155025&sid=10
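The failure the post describes is a session cookie that keeps working after the victim changes their password. One server-side mitigation, as an added example that is not code from the post or from Google, records the account's password generation in each session so that a password change revokes every earlier session, stolen or not; the class and function names are assumptions, and the timestamps are constructed.

```python
import secrets
import time


class SessionStore:
    """Server-side sessions (hypothetical design): each session records the
    account's password generation at login, so a password change revokes every
    session issued earlier, including one replayed from a stolen cookie."""

    def __init__(self, ttl_seconds=8 * 3600):
        self.ttl = ttl_seconds
        self.sessions = {}             # token -> (user, generation, expires_at)
        self.password_generation = {}  # user -> int, bumped on password change

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        gen = self.password_generation.setdefault(user, 0)
        self.sessions[token] = (user, gen, now + self.ttl)
        return token

    def authenticate(self, token, now=None):
        """Return the user for a live token, else None (unknown, expired, stale)."""
        now = time.time() if now is None else now
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, gen, expires_at = entry
        if now >= expires_at or gen != self.password_generation.get(user, 0):
            self.sessions.pop(token, None)  # discard so it cannot be retried
            return None
        return user

    def change_password(self, user):
        # Bumping the generation invalidates all sessions issued before this call.
        self.password_generation[user] = self.password_generation.get(user, 0) + 1


def set_cookie_header(token):
    # No Expires/Max-Age: a session cookie, which browsers do not persist to disk.
    # Secure and HttpOnly keep it off cleartext HTTP and away from page script.
    return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly"


def demo():
    store = SessionStore()
    token = store.login("alice", now=1000.0)      # constructed timestamps
    assert store.authenticate(token, now=1001.0) == "alice"
    store.change_password("alice")                 # user suspects the cookie leaked
    return store.authenticate(token, now=1002.0)   # None: the copied cookie is dead
```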


3 Responses to “Gmail security breach”

  1. Glenn Fajardo Says:

    I was concerned about this when I read about it. However it seems that Google has patched the problem:

    http://www.macworld.com/news/2004/11/01/gmail/index.php

  2. Guido Says:

    Fortunately, the security flaw seems to have been fixed by now:
    http://www.theregister.co.uk/2004/11/01/gmail_bug_fixed/

  3. adam Says:

    I’ve been corrected – the Gmail authentication cookie is not the lifetime persistent Google cookie. However, I think this is a fairly serious issue and a good warning about the fragility of the security of web systems. Even though this exploit has been addressed since the announcement, it’s worth highlighting that any cookie that’s stored on disk is probably fairly easily stolen. I would NOT be surprised to see this be the target of a worm in the near future.
