Facebook goes fbmail

As everyone already figured out, Facebook is launching their own webmail service.
Haven’t tried it yet, but the funny part is that I made some comments in discussions around the rumoured “Google Me” that what Google needs is a decent dashboard/homepage; iGoogle just isn’t enough. I compared it to FB. Different services, one entry point. That’s what Facebook is good at, and Google simply isn’t.

Google obviously didn’t listen to me, and I still use my different Google services very much separated from each other. Sure, I can connect everything with Buzz, and that’s a small step in the right direction. Now Facebook is taking a huge stab at one of Google’s user-driving services. Where that will end up… I still have trouble seeing FB creating a better mail service than Google, given what they have achieved so far, but who knows?

For me it’s simple: no matter how big and powerful Google are/get, I still prefer trusting them with my data over Facebook any day. Track records mean a lot, and FB doesn’t have a cute one. We’ll see if I’ve changed my mind in a year or so!


Vulnerability in Gmail

Security experts have revealed a vulnerability in Google’s mail service, Gmail.
This is not my area of expertise, so if I make any mistakes they are mine and not the original author’s.

The reason for publishing the details is, according to the author, that Google was informed of the risk in August 2007 and decided not to take any action.
The vulnerability lies in the “Change password” function. The problem is that the only thing authorizing a password change is the user’s Gmail session cookie, and the browser attaches that cookie to every request it sends to Gmail, including requests that another website makes the browser send. This is called “Cross-Site Request Forgery” or CSRF (and this is fun, you read this as Sea-Surf).

A website carrying the malicious code could, under the right circumstances (the visitor is logged in to Gmail in the same browser session and stays on the “evil” website for the whole procedure), make the browser send a request that changes the visitor’s password.
Even worse, in my opinion: by trying to change the password to a simple one that Gmail won’t accept, the attacker can confirm whether a guessed current password is correct, because the response reveals whether the current password was right before the weak new password is rejected. That way an attacker could get access to your Gmail account without you knowing it. If they changed your password instead, you would of course notice when you could no longer log in.

Google has no record of this vulnerability being used and says it is unlikely to be used, since the circumstances are so precise. I don’t know about you, but I stay logged in to Gmail and other Google services all the time while browsing (Gmail Chat, anyone?). I just don’t see why they don’t change it; as far as I understand it would be enough to add an extra authentication step (e.g. ask for the password again) to render the exploit useless, so why not, Google?
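Here is an added example, written for this post and not taken from the original post or from the Seclists advisory, that models the attack described above in Python: a toy webmail server whose change-password endpoint is authorized by the session cookie alone, a browser that attaches that cookie to whatever the “evil” page submits, the cross-site password-guessing oracle, and a hardened endpoint that demands a per-session anti-CSRF token. The `WebmailApp` and `Browser` classes, the minimum password length, the response strings and the wordlist are all constructed for the demonstration, and the model assumes the evil page can see which error the server returned (how a cross-site page observes that in a real browser is not something this post covers).

```python
import hmac
import secrets

# Assumption: the service refuses new passwords shorter than this (stand-in for
# Gmail rejecting "simple" passwords; the real policy is not on the page).
MIN_NEW_PASSWORD_LEN = 8


class WebmailApp:
    """Toy webmail server (constructed): session cookies plus a change-password endpoint."""

    def __init__(self):
        self.users = {}        # username -> password (plaintext for the demo only)
        self.sessions = {}     # session cookie value -> username
        self.csrf_tokens = {}  # session cookie value -> per-session anti-CSRF token

    def register(self, user, password):
        self.users[user] = password

    def login(self, user, password):
        """Return a fresh session cookie value, or None on bad credentials."""
        if self.users.get(user) != password:
            return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        self.csrf_tokens[cookie] = secrets.token_hex(16)
        return cookie

    def csrf_token_for(self, cookie):
        """Token embedded in the real change-password form; readable only from the app's own origin."""
        return self.csrf_tokens.get(cookie)

    def _apply_change(self, user, current_pw, new_pw):
        # The distinct responses are the oracle: a too-simple new password is only
        # reported after the current password has been accepted.
        if self.users[user] != current_pw:
            return "wrong-current-password"
        if len(new_pw) < MIN_NEW_PASSWORD_LEN:
            return "new-password-too-simple"
        self.users[user] = new_pw
        return "changed"

    def change_password_vulnerable(self, cookie, current_pw, new_pw):
        """Only the session cookie authorizes the request, and the browser sends that on its own."""
        user = self.sessions.get(cookie)
        if user is None:
            return "not-logged-in"
        return self._apply_change(user, current_pw, new_pw)

    def change_password_hardened(self, cookie, current_pw, new_pw, csrf_token=None):
        """Same endpoint, but it demands the per-session token before comparing any password."""
        user = self.sessions.get(cookie)
        if user is None:
            return "not-logged-in"
        expected = self.csrf_tokens[cookie]
        if not (isinstance(csrf_token, str) and hmac.compare_digest(expected, csrf_token)):
            return "csrf-rejected"  # rejected before any password check, so no oracle
        return self._apply_change(user, current_pw, new_pw)


class Browser:
    """Victim's browser: attaches the webmail cookie to every request aimed at the webmail
    site, no matter which page caused the request."""

    def __init__(self, app):
        self.app = app
        self.cookie = None

    def login(self, user, password):
        self.cookie = self.app.login(user, password)

    def request(self, endpoint, **form_fields):
        return getattr(self.app, endpoint)(cookie=self.cookie, **form_fields)


def evil_page_guess_password(browser, endpoint, wordlist):
    """Cross-site dictionary attack: submit each guess together with a new password the
    service will refuse, and read which error came back. The password is never changed.
    The evil page cannot read the token from the webmail origin, so it sends none."""
    for guess in wordlist:
        resp = browser.request(endpoint, current_pw=guess, new_pw="x")
        if resp == "new-password-too-simple":
            return guess  # current password was accepted, so the guess is right
        if resp == "csrf-rejected":
            return None  # token check fired; the oracle is gone
    return None


def evil_page_change_password(browser, endpoint, current_pw, new_pw):
    """Cross-site forced change, usable once the current password is known."""
    return browser.request(endpoint, current_pw=current_pw, new_pw=new_pw)


def legitimate_change_password(browser, current_pw, new_pw):
    """The real form is same-origin, so it can include the token the server issued."""
    token = browser.app.csrf_token_for(browser.cookie)
    return browser.request("change_password_hardened", current_pw=current_pw,
                           new_pw=new_pw, csrf_token=token)


def demo():
    wordlist = ["123456", "password", "letmein", "hunter2", "qwerty"]  # constructed
    app = WebmailApp()
    app.register("victim", "hunter2")
    browser = Browser(app)
    browser.login("victim", "hunter2")  # victim is logged in and keeps browsing

    found = evil_page_guess_password(browser, "change_password_vulnerable", wordlist)
    forced = evil_page_change_password(browser, "change_password_vulnerable", found, "attacker-owned-1")

    app.register("victim", "hunter2")  # reset and repeat against the hardened endpoint
    browser.login("victim", "hunter2")
    blocked_guess = evil_page_guess_password(browser, "change_password_hardened", wordlist)
    blocked_change = evil_page_change_password(browser, "change_password_hardened", "hunter2", "attacker-owned-1")
    legit = legitimate_change_password(browser, "hunter2", "new-long-passphrase")
    return {"found": found, "forced": forced, "blocked_guess": blocked_guess,
            "blocked_change": blocked_change, "legit": legit,
            "final_password": app.users["victim"]}


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

Run it directly to print the outcome of each step. Note that asking for the current password is not by itself what stops this attack: the vulnerable endpoint in the model already demands it, and the guess oracle exists precisely because it does. What closes the hole is the per-session token, which only a same-origin page can read, checked before any password comparison happens.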

“Proof-of-Concept” – Seclists

Article (in Swedish) – IDG
