Google confirmed that it has quietly fixed a security flaw in its Gmail service that could have allowed attackers to gain complete control of other users’ accounts.
Security researchers in Spain exposed a flaw in the way Google authenticates its users, allowing the breach in the system that counts more than 5 million users.
Last month the problem was reported to Google by members of the hacker site Elhacker.net, the site says Google fixed the problem on October 18; four days after a security researcher called ANELKAOS alerted the company to the problem, though without any notification to the public.
The company’s confirmation followed the blow-by-blow public disclosure of the bug on the http://www.elhacker.net Web site.
The elhacker.net advisory described how a Gmail user token could be used in conjunction with other hacking tricks to take control of the victim account.
Besides publishing the information on Elhacker, the site said the flaw had been demonstrated to the editors of Spanish IT security magazine Seguridad0.
However, Google downplayed the seriousness of the flaw, saying it could only be exploited if a user provided their authentication token to the attacker, Google spokesperson Sonya Boralv told Ziff Davis Internet News that a successful attack would require the victim to open up an authenticated token and willingly give it to the attacker. The authentication token is a string that appears in the browser’s address bar after a user logs in.
The risk of an actual attack is so slim; she said the company did not consider it as security vulnerability. Boralv said the authentication token is totally encrypted and cannot be sniffed by an attacker.
Nevertheless, we have made some modifications to Gmail to mitigate these kinds of issues in the future, Boralv added. In the face of concerns that Google never notified users of the Gmail issue, Boralv insist that the company follows security best practices.
We take security very seriously, investigate vulnerability reports immediately and resolve them with highest priority. We looked into this issue and learned that it can only occur if a user knowingly provides their authentication token, she said.
All Google products are put through a rigorous security review process to identify security issues and fix them before the product is released. If security vulnerabilities are identified after the product is available, we fix them immediately and automatically update the service for our customers, Boralv said.
To avoid this problem, Boralv said, Google tries to educate its users not to provide sensitive information to unidentified individuals. Google also provides anti-phishing guidance to its users.