
googleIntercept.html
Posted Jan 16, 2005
Site dump.hbx.us

Google's GMail system suffered from a massive flaw where random GMail users may have had some of their mail passed to other users that it was not intended for.

tags | advisory
SHA-256 | ad834f68853ae4b16f82806d042e585f44aed8f418930be486d555748e755404

<html>

<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>GMail Messages are Vulnerable to Interception</title>
<base target="_blank">
</head>

<body bgcolor="#666666" text="#FFFFFF" link="#FFFF00" vlink="#FFFF00" alink="#FFFF00">

<div align="center">
<table border="2" width="100%" cellpadding="15" cellspacing="0" bgcolor="#000000" bordercolor="#000000">
<tr>
<td bgcolor="#000000" width="20%">
<p align="left"><font face="Arial" size="2">The HBX Networks<br>
UNIX Community Group</font></td>
<td bgcolor="#000000" width="60%">
<p align="center"><b><font color="#FFFFFF" face="Arial" size="4">GMail
Messages are Vulnerable to Interception<br>
</font><font color="#FFFFFF" face="Arial" size="3"><br>
</font><font face="Arial" size="2" color="#FFFF00">UPDATE</font><font color="#FFFFFF" face="Arial" size="2">:
Bug fixed in less than an hour from mainstream publication.&nbsp; See
below.</font></b></td>
<td bgcolor="#000000" width="20%">
<p align="right"><font color="#FFFFFF" face="Arial" size="2">January 12,
2005</font></td>
</tr>
<center>
<tr>
<td width="100%" colspan="3" bgcolor="#333333">
<blockquote>
<p align="left"><font face="Arial" size="4"><b>The Discovery</b></font></p>
</blockquote>
<p align="left"><font color="#FFFFFF" face="Arial">It all started about 3
days ago when MrYowler and I were working on a mailing list script to send
out a batch of newsletters for a <a href="http://dump.hbx.us/free_hacking_shells/">free
hacker-friendly shell service</a> we operate.&nbsp; We made the decision to keep it
simple; a Perl script based upon the Net::SMTP CPAN module.&nbsp; Being
the Perl guru that MrYowler is (shut up!&nbsp; people will start having
expectations of me!&nbsp; ;-P), he had one whipped up in about 20
minutes.&nbsp; In the course of testing the script, we cranked out 10
newsletters to our GMail inboxes.&nbsp; We were a little shocked with what
happened next.</font></p>
<p align="left"><font color="#FFFFFF" face="Arial">MrYowler opened up his
mailbox, and noticed the email had arrived just fine.&nbsp; He clicked on
the subject line, and as expected, the message showed correctly.&nbsp;
However, when he clicked the "Show options" link, the
"Reply To" field in the email header that GMail displayed
contained what appeared to be HTML code!&nbsp; Upon further inspection, we
realized that it was the message body of another person's HTML-formatted
email message.</font></p>
<blockquote>
<p align="left"><font face="Arial" size="4"><b>The Research</b></font></p>
</blockquote>
<p align="left"><font color="#FFFFFF" face="Arial">Wondering if something
had happened during the message transmission, we viewed the message source
via GMail's "Show original" link.&nbsp; In the source, we did
not see any of the HTML code that GMail was showing us.&nbsp; No HTML at
all, as we did not even use it in our newsletter.&nbsp; It appeared as a
regular run-of-the-mill plain text message.</font></p>
<p align="left"><font color="#FFFFFF" face="Arial">We became curious as to
what had gone wrong, and whether it was an error in the script, or in the
GMail messaging system.&nbsp; We examined the output of our Perl script,
and discovered that it was not transmitting the "From" header
(in the message body) correctly - the trailing ">" character
was missing in the address area.</font></p>
<p align="left"><font face="Arial"><font color="#FFFFFF">Where it should
have been "From:<hbxnetworks@gmail.com<blink>></blink>",
we had "From:<hbxnetworks@gmail.com".</font></font></p>
<p align="left"><font color="#FFFFFF" face="Arial">This, apparently, was
enough to get GMail to provide us with some portion of someone else's
messages.</font></p>
<p align="left"><font color="#FFFFFF" face="Arial">We speculate that there
is a subroutine which determines where the "From" address
component of a message, ends - and that this subroutine relies upon the
closing ">" bracket to distinguish this end.&nbsp; When
unable to find this character prior to a carriage return, it simply
continues to read past the end of the allocated buffer for this component,
until it either encounters this character in whatever data happens to be
there, or until some upper buffer size limit is reached.&nbsp; We remain
unsure of that buffer size limit, and whether, in fact, one exists.</font></p>
<p align="left"><font color="#FFFFFF" face="Arial">We propose that the
correct solution to this problem, might be to also search for
non-displayable data, such as carriage returns, in this area, and to
terminate the field on this basis.&nbsp; Alternatively, if the size of the
field is determined separately, when allocated; that information could be
retained, as a criterion for failure conditions, when the field is
parsed.</font></p>
<p align="left"><font color="#FFFFFF" face="Arial">It is possible that a
large buffer area is being allocated, and then being populated only
partially.&nbsp; This being the case (if so), then the data that we are
seeing is what was left in memory, after the last time that this memory
area was returned to the memory manager, and this error does not represent
a buffer overflow, but rather, a poorly-managed boundary condition in the
GMail server-side software.</font></p>
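<p align="left"><font color="#FFFFFF" face="Arial">The boundary condition speculated about above, modelled in C as an added illustration (this is not code from HBX Networks, and GMail's real parser was never public, so its behaviour here is an assumption drawn from the description): a message is laid out in a reused buffer directly ahead of stale bytes from an earlier, unrelated message, all of it constructed sample data. <code>extract_unbounded</code> walks from "&lt;" until it meets a "&gt;" the way the suspected subroutine does, and so copies the stale message into the "address"; <code>extract_bounded</code> applies the fix proposed above, ending the field at the first carriage return or line feed or at the recorded line length, and reports the malformed header as a parse error instead.</font></p>

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define ARENA_SIZE 512

/* Constructed stale bytes standing in for a previous user's message that
   was left behind in a reused buffer (not real mail; assumption for the demo). */
static const char STALE[] =
    "Subject: Order confirmation\r\n\r\n"
    "<html><body>Total: $4,767.00</body></html>\r\n";

/* Lay out the current message followed immediately by STALE, with no
   terminator between them, mimicking a partially populated buffer.
   Returns the length of the message part. */
static size_t build_arena(char *arena, const char *message)
{
    size_t m = strlen(message);
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena, message, m);
    memcpy(arena + m, STALE, sizeof(STALE) - 1);
    return m;
}

/* Model of the suspected parser: copies everything after '<' until it finds
   a '>', limited only by the arena end and the output size ("some upper
   buffer size limit"). A missing '>' makes it read into the stale message. */
static int extract_unbounded(const char *arena, const char *from_line,
                             char *out, size_t out_len)
{
    const char *p = strchr(from_line, '<');
    if (!p) return -1;
    size_t n = 0;
    for (p++; p < arena + ARENA_SIZE - 1 && *p != '>'; p++) {
        if (n + 1 >= out_len) return -1;   /* output exhausted */
        out[n++] = *p;
    }
    out[n] = '\0';
    return *p == '>' ? (int)n : -1;
}

/* Corrected parser: the field ends at CR, LF, or the recorded line length,
   so a header without its closing '>' is rejected instead of read past. */
static int extract_bounded(const char *from_line, size_t line_len,
                           char *out, size_t out_len)
{
    const char *end = from_line + line_len;
    const char *p = memchr(from_line, '<', line_len);
    if (!p) return -1;
    size_t n = 0;
    for (p++; p < end && *p != '>' && *p != '\r' && *p != '\n'; p++) {
        if (n + 1 >= out_len) return -1;
        out[n++] = *p;
    }
    out[n] = '\0';
    return (p < end && *p == '>') ? (int)n : -1;
}

/* Locate the "From:" header line in the arena and record its length
   (up to, not including, the CRLF), as a header splitter would. */
static const char *find_from(const char *arena, size_t *line_len)
{
    const char *line = strstr(arena, "From:");
    if (!line) return NULL;
    const char *cr = strstr(line, "\r\n");
    *line_len = cr ? (size_t)(cr - line) : strlen(line);
    return line;
}

/* Parse the From address of `message` with the unbounded model. */
int parse_from_unbounded(const char *message, char *out, size_t out_len)
{
    char arena[ARENA_SIZE];
    size_t len;
    build_arena(arena, message);
    const char *line = find_from(arena, &len);
    return line ? extract_unbounded(arena, line, out, out_len) : -1;
}

/* Parse the From address of `message` with the bounded (fixed) parser. */
int parse_from_bounded(const char *message, char *out, size_t out_len)
{
    char arena[ARENA_SIZE];
    size_t len;
    build_arena(arena, message);
    const char *line = find_from(arena, &len);
    return line ? extract_bounded(line, len, out, out_len) : -1;
}

int main(void)
{
    /* Constructed test messages: one with the missing '>', one well-formed. */
    const char *broken = "Subject: GMail Bug Test\r\nFrom:<hbxnetworks@gmail.com\r\n\r\n";
    const char *good   = "Subject: GMail Bug Test\r\nFrom:<hbxnetworks@gmail.com>\r\n\r\n";
    char out[256];
    int n = parse_from_unbounded(broken, out, sizeof out);
    printf("unbounded, missing '>': %d bytes -> \"%s\"\n", n, out);
    n = parse_from_bounded(broken, out, sizeof out);
    printf("bounded,   missing '>': %d (rejected)\n", n);
    n = parse_from_bounded(good, out, sizeof out);
    printf("bounded,   well-formed: %d bytes -> \"%s\"\n", n, out);
    return 0;
}
```

<p align="left"><font color="#FFFFFF" face="Arial">Compiled with any C compiler, <code>main()</code> prints the three cases: the unbounded model returns the address plus the stale "Order confirmation" message up to the first "&gt;" in its HTML, while the bounded parser rejects the broken header and extracts exactly <code>hbxnetworks@gmail.com</code> from the well-formed one. The function names, arena layout and sample messages are assumptions made for this illustration.</font></p>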
<p align="left"><font color="#FFFFFF" face="Arial">Regardless of the
specific failure, the result is a compromise of the privacy of
communications over GMail.&nbsp; As demonstrated in the examples (below),
message content and address information are easily - if somewhat randomly
- available to unintended recipients.&nbsp; Usually, this only permits an
attacker to examine recently-arrived spam in random user's inboxes - but
(as noted in <a href="http://fetusinbloom.com/cia/2.png">one example</a>)
message content does occasionally become more interesting.</font></p>
<blockquote>
<p align="left"><font face="Arial" size="4"><b>The Conclusions</b></font></p>
</blockquote>
<p align="left"><font color="#FFFFFF" face="Arial">We do realize that
GMail is an invitation-only service, in a beta-test state of
development.&nbsp; Nevertheless, many people rely upon GMail heavily, and
many more people are forced to communicate with GMail users, because of
this reliance.&nbsp; These people should expect their communications to be
vulnerable to interception, at least until GMail corrects the issue.&nbsp;
And the appearance of this issue, at the user level, probably indicates a
failure in GMail's code review and/or quality assurance standards, which
may result in other, similar errors.&nbsp; We did not explore GMail for
additional such errors, but based upon the nature of this one, we are
confident that such exploration would bear interesting fruit.&nbsp; (Note
to GMail's development teams:&nbsp; we are available for hire!&nbsp;
Cheaply!&nbsp; ;-P)</font></p>
<p align="left"><font color="#FFFFFF" face="Arial">So...&nbsp; If you are
a regular GMail user - or someone that corresponds with one - you might
want to either rethink the privacy of your communications, or perhaps <a href="http://gmail.google.com/support/bin/request.py?ctx=gmail&direct=1">make
some noise with the folks at Google's email service</a>.&nbsp; And don't
forget to tell them that <a href="mailto:hbxnetworks@gmail.com">MrYowler
and I</a> need jobs...&nbsp; ;-P (Note that we are using a GMail address,
so any job offers are probably not going to be well-kept secrets...&nbsp;
;-P)</font></p>
<blockquote>
<p align="left"><font face="Arial" size="4"><b>The Evidence</b></font></p>
</blockquote>
</center>
<div align="center">
<table border="1" cellpadding="15" cellspacing="5" width="728" bordercolor="#C0C0C0">
<tr>
<center>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><b><font face="Arial" size="3"><a href="http://www.personal.kent.edu/~jkgreen/gmail/1.png">Screen Capture #1</a><br>
</font><font face="Arial" size="2">Our Email's </font></b><b><font face="Arial" size="2">Source</font></b></p>
<p align="left"><font color="#FFFFFF" face="Arial" size="2">In this
image you see the source code used for all of our "GMail Bug
Test" emails.&nbsp; The plaintext email consists of only the
"Subject" and "From" headers.&nbsp; Notice the
">" is missing in the "From" header.</font></td>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><b><font face="Arial" size="3"><a href="2.png">Screen Capture #2</a><br>
</font><font face="Arial" size="2">Password Exposure</font></b></p>
<p align="left"><font face="Arial" size="2">In this image you see a
message containing a URL alongside a login name and password.&nbsp;
(Censored for protection of those involved).</font></td>
</center>
</tr>
<center><center>
<tr>
</center>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><b><font face="Arial" size="3"><a href="http://www.silenceisdefeat.org/~haxor/tmp/3.png">Screen Capture #3</a></font><font face="Arial" size="2"><br>
Yahoo Group's Message</font></b></p>
<p align="left"><font face="Arial" size="2">In this image you see what
appears to be a group mailing on the Yahoo! "Egypt
Developers" Group.&nbsp; (Names & email addresses censored).</font></td>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><b><font face="Arial" size="3"><a href="http://www.silenceisdefeat.org/~haxor/tmp/4.png">Screen Capture #4</a></font><font face="Arial" size="2"><br>
Large Computer Purchase</font></b></p>
<p align="left"><font face="Arial" size="2">In this image you see a
receipt or quote for an online purchase of computer equipment, totaling
$4,767.00.</font></td>
</center>
</tr>
<center><center>
<tr>
</center>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><b><font face="Arial" size="3"><a href="http://www.milatic.net/tmp/5.png">Screen Capture #5</a></font><font face="Arial" size="2"><br>
Jack Rabbit Vibrator Features</font></b></p>
<p align="left"><font face="Arial" size="2">This message describes the
features of one "Jack Rabbit Vibrator," a 7.5"
Multi-Speed toy of sorts.</font></td>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><b><font face="Arial" size="3"><a href="http://www.milatic.net/tmp/6.png">Screen Capture #6</a><br>
</font><font face="Arial" size="2">Medicare Spam</font></b></p>
<p align="left"><font face="Arial" size="2">This message appears to be
a spam of some kind, advertising diabetic supplies with no
paperwork.&nbsp; The email of the intended recipient (in the form of a
removal link) has been censored.</font></td>
</center>
</tr>
<center><center>
<tr>
</center>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><b><font face="Arial" size="3"><a href="http://www.bhsecurity.com/google/7.png">Screen Capture #7</a><br>
</font><font face="Arial" size="2">Samsung Warning?</font></b></p>
<p align="left"><font face="Arial" size="2">This message seems to make
a lot of calls to files called "samsung_warning_XX.jpg".&nbsp;
We haven't tried to figure out what it is about; but we feel it is
probably just a spam.</font></td>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><font face="Arial" size="3"><b><a href="http://www.bhsecurity.com/google/8.png">Screen Capture #8</a></b></font><b><font face="Arial" size="2"><br>
Email Ridden Spam</font></b></p>
<p><font face="Arial" size="2">This spam message had the intended
recipient's email address scattered all through it.&nbsp; We had to
censor quite a lot on this one.</font></td>
</tr>
<tr>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><font face="Arial" size="3"><b><a href="http://www.signalgraph.com/tmp/9.png">Screen Capture #9</a></b></font><b><font face="Arial" size="2"><br>
Cheap Software Spam</font></b></p>
<p align="left"><font face="Arial" size="2">This spamvertisement is
advertising cheap software.&nbsp; The intended recipient's email (in
the form of a removal link) has been censored.</font></td>
<td bgcolor="#000000" valign="top" width="50%">
<p align="center"><b><font face="Arial" size="3"><a href="http://www.signalgraph.com/tmp/10.png">Screen Capture #10</a></font><font face="Arial" size="2"><br>
More Cheap Software Spam</font></b></p>
<p align="left"><font face="Arial" size="2">Most likely the same
spammer as example #9, but with a different intended recipient.&nbsp;
GMail must get a lot of these.</font></td>
</center>
</tr>
<tr>
<td bgcolor="#000000" valign="top" width="100%" colspan="2">
<p align="center"><script type="text/javascript"><!--
google_ad_client = "pub-0172616624539406";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_channel ="3798298253";
google_ad_type = "text";
google_color_border = "000000";
google_color_bg = "000000";
google_color_link = "FFFF00";
google_color_url = "FFFFFF";
google_color_text = "FFFFFF";
//--></script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script></td>
</tr>
</table>
</div>
<blockquote>
<br>
<hr>
<p align="center"><font face="Arial"><b><font size="6">UPDATE<br>
</font>January 13, 2005</b></font></p>
<p align="center"><font face="Arial"><b>Google has informed us that the <font color="#FFFF00">bug
was fixed</font> about <font color="#FFFF00">one hour</font> after our
story broke on Slashdot.</b></font></p>
<p align="center"><font face="Arial"><b>We are currently preparing a follow-up,
as well as a more detailed timeline of events relating to this bug.</b></font></p>
<p align="center"><font face="Arial"><b>Please check back for updates as
they become available.</b></font></p>
<p align="center"><font face="Arial" size="2"><b>You may also find more information
via Google News:<br>
</b></font><font face="Arial" size="4"><b><a href="http://news.google.com/news?q=gmail+bug">http://news.google.com/news?q=gmail+bug</a></b></font><font face="Arial"><b><br>
</b></font></p>
</blockquote>
</td>
</tr>
</table>
</div>

</body>

</html>