TechNewsWorld.com

Google Plugs Hole in Gmail


Such security flaws are not uncommon, but Gmail deviates from the norm by not causing cookies to expire when users change passwords. "Google should be using cookies as a second factor of authentication rather than the only factor," said Laura Koetzle of Forrester Research.


Google (Nasdaq: GOOG) reported this morning that it had locked down a security hole in its e-mail software.

A week ago the Israeli online magazine Nata NetLife reported an exploitation of Google's Gmail e-mail service, currently in beta testing.

Attackers, likely through a phishing approach that included a harmless-looking link to the Google site, were able to steal Gmail user cookies and access the e-mail accounts, even after passwords had been changed.

Common Problem

"This is the sort of security hole that crops up in services like Gmail quite frequently," said Laura Koetzle, vice president and research director for Forrester Research. "While we wish that folks would test for these problems, it happens to be a pretty frequent occurrence."

Where Google deviates from the norm, however, is in not causing cookies to expire when users change passwords, she said.

"Google should be using cookies as a second factor of authentication rather than the only factor of authentication," Koetzle told TechNewsWorld.

"It's impossible to know how many people were affected," she continued. "In theory, every single e-mail box could have been vulnerable."

Few Users

According to Forrester's survey of Americans online, Gmail registers only a tiny blip on the e-mail provider radar screen. Just 16 people out of 6,427 North American online consumers surveyed said they used Gmail.

The service still requires a personal invitation from an existing user before a new user can open an account.

This membership approach doesn't lend Google additional security because the community from which it draws is large enough to include untrustworthy elements, Koetzle said.

The invitations have been bought and sold through sites including eBay (Nasdaq: EBAY) and Craigslist.


More by Kelly Shermach
