Tuesday, October 02, 2007

Cookie's Threat for GMail Users

Scary .. I turned off JavaScript when I saw this, then found that so many features of sites I use stop with that decision! :(

So I turned it back on..

clipped from www.news.com
Petko Petkov of "ethical hacking" group GNUCitizen has developed a proof-of-concept program to steal contacts and incoming e-mails from Google Gmail users.


According to Gatford, attackers could compromise a Gmail account--using a cross-site scripting vulnerability--if the victim is logged in and clicks on a malicious link. From that moment, the attacker can take over the session cookies for Gmail and subsequently forward all the account's messages to a POP account.


The problem is potentially compounded by Google's policy of retaining cookies for two years.


"Once you've managed to snarf a cookie, you can access (a user's) Gmail account without the password for the next two years," he said.


While the obvious risk is to the home user, many organizations could be exposed, since they do not filter employee e-mails sent from work to personal accounts, he added.


One work-around is to use Gmail through Firefox and disable JavaScript

blog it