Google reported this morning that it had locked down a security hole in its e-mail software.
A week ago the Israeli online magazine Nata NetLife reported an exploitation of Google’s Gmail e-mail service, currently in beta testing.
Attackers, likely through a phishing approach that included a harmless-looking link to the Google site, were able to steal Gmail user cookies and access the e-mail accounts, even after passwords had been changed.
“This is the sort of security hole that crops up in services like Gmail quite frequently,” said Laura Koetzle, vice president and research director for Forrester Research. “While we wish that folks would test for these problems, it happens to be a pretty frequent occurrence.”
Where Google deviates from the norm, however, is in not causing cookies to expire when users change passwords, she said.
“Google should be using cookies as a second factor of authentication rather than the only factor of authentication,” Koetzle told TechNewsWorld.
“It’s impossible to know how many people were affected,” she continued. “In theory, every single e-mail box could have been vulnerable.”
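The defect Koetzle singles out is that a stolen session cookie kept working after the victim changed the password. The following Python sketch is an added illustration, not Google's code and not a description of how Gmail was fixed: it binds each session record to a per-user password generation counter so that a password change revokes every cookie minted before it, and puts the weak lookup (`resolve_naive`) beside the corrected one (`resolve_bound`). The in-memory `USERS` and `SESSIONS` stores, the user names and the plain SHA-256 password hashing are all constructed for the demo.

```python
import hashlib
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stores for the demo; a real service would keep
# these in a database and use a slow, salted password hash.
USERS = {}     # username -> {"pw_hash": str, "pw_generation": int}
SESSIONS = {}  # cookie token -> {"username", "pw_generation", "issued_at"}


def _hash(password: str) -> str:
    # Demo-only hashing; replace with bcrypt/scrypt/argon2 in real code.
    return hashlib.sha256(password.encode()).hexdigest()


def register(username: str, password: str) -> None:
    USERS[username] = {"pw_hash": _hash(password), "pw_generation": 0}


def login(username: str, password: str) -> Optional[str]:
    """Issue a random session cookie bound to the user's current password generation."""
    user = USERS.get(username)
    if user is None or user["pw_hash"] != _hash(password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {
        "username": username,
        "pw_generation": user["pw_generation"],
        "issued_at": time.time(),
    }
    return token


def change_password(username: str, old: str, new: str) -> bool:
    """Rotate the password and bump the generation, revoking all earlier sessions."""
    user = USERS[username]
    if user["pw_hash"] != _hash(old):
        return False
    user["pw_hash"] = _hash(new)
    user["pw_generation"] += 1
    return True


def resolve_naive(token: str) -> Optional[str]:
    """Weak behaviour: a stored cookie stays valid no matter what happens to the password."""
    record = SESSIONS.get(token)
    return record["username"] if record else None


def resolve_bound(token: str) -> Optional[str]:
    """Corrected behaviour: a cookie is only honoured while its generation is current."""
    record = SESSIONS.get(token)
    if record is None:
        return None
    user = USERS[record["username"]]
    if record["pw_generation"] != user["pw_generation"]:
        SESSIONS.pop(token, None)  # stale session: drop it and refuse access
        return None
    return record["username"]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Replay the scenario: cookie captured, password changed, cookie presented again."""
    register("alice", "hunter2")
    captured = login("alice", "hunter2")          # value an attacker might have copied
    change_password("alice", "hunter2", "correct-horse")
    return resolve_naive(captured), resolve_bound(captured)


if __name__ == "__main__":
    naive, bound = demo()
    print("naive lookup after password change:", naive)   # still "alice"
    print("bound lookup after password change:", bound)   # None: cookie revoked
```

The generation counter is what makes the cookie a weaker credential than the password, in line with the "second factor" framing above: holding the cookie alone is never enough once the account owner has acted, and a fresh login after the change mints a new session with the new generation.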
According to Forrester’s survey of Americans online, Gmail registers only a tiny blip on the e-mail provider radar screen. Just 16 people out of 6,427 North American online consumers surveyed said they used Gmail.
The service still requires a personal invitation from an existing user before a new user can open an account.
This membership approach doesn’t lend Google additional security because the community from which it draws is large enough to include untrustworthy elements, Koetzle said.
The invitations have been bought and sold through sites including eBay and Craigslist.