Gmail Accounts Hacked – Unpatched Hole Exists
So says this morning’s edition of the Windows Secrets newsletter. Worse still, many who think they have security, do not.
Exploits allowing hackers to break into Gmail accounts are likely to occur, if they’re not already circulating, after security researchers released details of a hole that Google has reportedly declined to patch.
There are steps you can take to reduce the risk of using a webmail account, but it appears that the usual tricks won’t solve the Gmail problem until Google fixes the software.
The weakness that researchers say afflicts Gmail, a free e-mail service hosted by Google, belongs to a class of attacks known as cross-site request forgery (CSRF, pronounced “sea surf”).
further into the article -
The magazine quoted an unnamed Google spokesman as saying, “We’ve been aware of this report for some time, and we do not consider this case to be a significant vulnerability, since a successful exploit would require correctly guessing a user’s password within the period that the user is visiting a potential attacker’s site.”
Considering that an automated attack can test thousands of passwords in a matter of seconds, you might not be very reassured by Google’s position. Many PC users select weak passwords that consist of common names or dictionary words, leaving them susceptible to brute-force discovery. And the general release of the CSRF technique makes it easy for hackers to write opportunistic code, if actual exploits aren’t already in the wild.
The March 3 public disclosure should not be confused with an earlier Gmail CSRF flaw that was first reported on Jan. 1, 2007. Google repaired that problem by the following day, according to a blog post by software consultant Hari Gottipati.
CSRF attacks — which are also referred to as session-riding — are different from the more-widely known cross-site scripting (XSS) exploits. XSS holes allow a malicious Web site that’s open in one browser window to inject JavaScript into another site’s page that’s open in a separate window or tab. Once the unwanted script is running on a PC, the code can try to collect private data and passwords and transmit them back to the attacker’s server.
XSS vulnerabilities have recently been discovered and patched in many browsers and on many sites, including Yahoo Mail and Hotmail as well as Gmail.
then the big news -
Some reports on the Web, such as an article at Softpedia.com, say using https during your Gmail sessions blocks CSRF attacks on the service.
Unfortunately, that’s not the case for this Gmail hole, according to ISA’s Aguilera. In an e-mail interview conducted in Aguilera’s native Spanish, he said the flaw allows a hacker to take advantage of an encrypted session (the following is my translation from the original language):
- “In this vulnerability, the attacker causes the victim to generate, invisible to the victim, a request to the server (in which request the victim’s authenticated session cookie is also transmitted).
- “When the server receives the request, it sees that it comes from an authenticated session (the victim’s), and thus is unable to detect that, in reality, the request was instigated by the attacker.
- “In other words, it’s as if the victim/user actually created the request to the server, and the fact that the communication is encrypted is unrelated and doesn’t prevent the attack.”
- Using https does prevent traffic sniffing and so-called man-in-the-middle attacks, so you should enable it regardless of whether Gmail’s CSRF hole is ever patched.
and the prescription for now -
To benefit from encryption when accessing Gmail, you should configure the service to use SSL by default. To do so, click Settings in the top-right corner of the main Gmail window, select Always use https in the “Browser connection” section at the bottom of the General tab, and click Save Changes.
Using encryption will slow Gmail’s performance slightly, but this small price is worth it. The https protocol will encrypt not just your sign-in sessions but also the contents of your e-mails when they’re sent between your browser and Google’s servers.
also, news that comes from the past – or so it would seem…
Sadly, Yahoo Mail and Hotmail don’t provide a similar Always use https setting. But you can protect these two services’ data, and also defeat Gmail’s CSRF hole, by using a PC-based e-mail reader and retrieving your messages via the long-established POP3 or IMAP protocols.
So, something that many thought was dead, the trusty POP3 or IMAP mailer, comes to the rescue, and shows that older technology is not bad, just because it’s old.
When you use a PC-based client like Mozilla Thunderbird to read and send webmail, SSL encryption can prevent eavesdropping. Using IMAP or POP3 also gives you the option to delete sensitive messages that would otherwise remain on the remote server. (I rated Thunderbird and other free e-mail clients in a July 31, 2008, comparative review.)
IMAP and POP3 are supported by the free versions of both Gmail and Hotmail. Yahoo supports POP3, but only in the paid version of Yahoo Mail (U.S. $20 per year).
For instructions on using a PC-based client to retrieve messages from a webmail service, using Hotmail as an example, there’s a step-by-step article on the subject at About.com.
The articles at about.com are very helpful, and will help with any mail client I can think of that is in use on the Windows platform. Last time I looked there were also complete instructions for Pegasus, which is a nice mailer, though development has stopped.
Using https when signing in — and encryption when processing your webmail — makes it less likely your password or other personal information will be sniffed. This makes your webmail safer, no matter how long it may take before Google fixes the CSRF hole that has security researchers in a huff.
So the bad guys have a leg up right now, if you’re not careful. What’s so new about that? Using a little caution can put you in the place of control once again. Who knows, you might like going back to an e-mail program. I like many things about having it on my drive, and I never stopped. As soon as GMail made POP3 available, I immediately configured for it. Perhaps a few of the other free webmail systems (can you hear me, Lycos?) will allow POP3 for free, as a security option. Otherwise, there is always someone new, wanting to get some ad revenue, offering free e-mail in return (GMX!), which includes a great mail program, easy to set up, free, compact!
9 Comments
Writer Dad, April 23rd, 2009 at 9:27am
Wow, this sounds terrible. Thanks for the heads up though.
Ironphreak, April 23rd, 2009 at 11:56am
We all knew this would happen… hackers love a challenge, and what better than Google…
CCorsair, April 23rd, 2009 at 1:46pm
Well, since I don’t use common names or dictionary words as part of my passwords EVER, I should be ok.
But so many people do. I have yelled at clients when I find the network systems’ passwords are right out of the dictionary with just a number added at the end or start. If you are dumb enough to use a word that can be looked up, then you will be hacked, Google or not.
I find that in the area I am in there are people doing nothing but scanning the WiFi networks for open and low-encryption ones to find passwords, and nothing but. Who needs your credit card # when they can have the whole bank?
A good password should never have anything to do with you or your work or hobbies. The first thing I do to secure an office is change the passwords to all the systems, as I know they lack security and 97.8% of the time they just consist of common names or dictionary words the office manager has come up with so everyone knows it. Gmail password hacking will happen, but it will be the person with the weak password that lets it happen. Nonsensical passwords of numbers, letters capped or not, and shifted numbers as well.
The longer the better, as 4 is short and 8 to me is still too short.
And if you are still too lazy, there are add-ons for Firefox that will help you generate good passwords as well.
Keep the list of common names and dictionary words for your Scrabble game and away from your computers.
CC
ShayBC, April 23rd, 2009 at 11:03pm
Hi,
I am working in the web development area, currently using IBM portal.
The CSRF threat is a real threat, only in order to exploit it, the user needs to be logged on to the Gmail account on one tab and to the hacker site on the other tab; more than that, the hacker needs to activate a JavaScript that is able to perform actions on Gmail, such as: logout, send mail, delete mail etc.
It is very hard to defend from this attack but still possible. The trick is to generate a sequence number in the request scope (not available in the session or cookie, so the attacker cannot access it), and that sequence is transmitted back to the server at any following request; once the attacker tries to send a request without performing login, it will be denied.
But Google and other sites do not prepare to make these changes, since it will not allow the “Remember Me” feature or a new tab from the same place without login, or new window or other browser or other computer transactions etc.
My trick is to surf Gmail only from Chrome and do nothing else with it; I use Opera/Safari/IExplorer for the rest of it.
Another option is to log off Gmail when finished and use Gmail apps like Gmail Notifier etc. in order to get notifications on new mail or send one, instead of leaving the browser open and logged on.
ShayBC.
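As an added illustration of two points made on this page, Aguilera’s explanation that the forged request rides on the victim’s own session cookie (so https changes nothing) and ShayBC’s per-request token defence, here is a small offline Python simulation written for this post; MailServer, Browser, run_attack and the addresses used are constructed names, not Gmail’s or any project’s code.

```python
import secrets

# Constructed simulation (not Gmail's real code): a webmail back end that
# identifies the user by a session cookie, with an optional anti-CSRF token.
class MailServer:
    def __init__(self, require_token=False):
        self.require_token = require_token
        self.sessions = {}   # cookie value -> username
        self.tokens = {}     # cookie value -> per-session anti-CSRF token
        self.sent = []       # (sender, recipient, body) log

    def login(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        # The token lives in the page body, never in the cookie, so a page on
        # another origin cannot read it (same-origin policy) and the browser
        # will not attach it automatically the way it attaches cookies.
        self.tokens[cookie] = secrets.token_hex(16)
        return cookie, self.tokens[cookie]

    def send_mail(self, cookie, to, body, token=None):
        user = self.sessions.get(cookie)
        if user is None:
            return "401 not logged in"
        # https protected this request in transit, but encryption cannot tell
        # the server whether the user or a page in another tab triggered it.
        if self.require_token and token != self.tokens.get(cookie):
            return "403 missing or wrong anti-CSRF token"
        self.sent.append((user, to, body))
        return "200 sent"

class Browser:
    """Victim's browser: sends the site's cookie with every request, from any tab."""
    def __init__(self, cookie):
        self.cookie = cookie

    def request(self, server, **params):
        return server.send_mail(self.cookie, **params)

def run_attack(require_token):
    """Victim logs in, then a page in another tab fires a hidden request."""
    server = MailServer(require_token=require_token)
    cookie, token = server.login("victim")
    browser = Browser(cookie)
    # Legitimate action: the page the user is viewing carries the token.
    browser.request(server, to="friend@example.org", body="hi", token=token)
    # Attacker's page knows the URL and field names, but not the token.
    status = browser.request(server, to="attacker@example.net", body="secrets")
    forged = any(to == "attacker@example.net" for _, to, _ in server.sent)
    return status, forged
```

Without the token check the forged request is accepted because the cookie alone authenticates it; with the check it is rejected, which is exactly the property encryption on the wire cannot provide.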