Google responded yesterday to a bug that allowed users of the company’s Gmail beta software to e-mail themselves a message that would then pull in information from other e-mails transmitted with the service.
While a Unix community group known as HBX Networks detailed the quirk and provided examples of how to get data from strangers’ e-mail, including passwords, Google reported it had addressed the problem by disallowing e-mails with the formatting at issue shortly after it was made public.
Cause for Concern?
The company, known for pushing fresh code into use with its beta projects, was praised for its quick response. However, the researchers who found the bug said its cause — “poorly-managed boundary condition in the Gmail server-side software” — indicated poor software review and the potential for similar problems.
“And the appearance of this issue, at the user level, probably indicates a failure in Gmail’s code review and/or quality assurance standards, which may result in other, similar errors,” said the site of HBX Networks, self-described as “a hacker-friendly community project dedicated to spreading awareness of the FreeBSD Computer Operating System.”
Note to Self
Two members of HBX reported on their site yesterday they had stumbled upon the Gmail glitch while working on a script to send newsletters with the Google e-mail system, announced last year and currently in beta testing with a limited number of users.
Those disclosing the issue, which required an alteration of the “From” field of the e-mail sent to oneself, speculated it was caused by a buffer or memory error in the Gmail system.
“Regardless of the specific failure, the result is a compromise of the privacy of communications over Gmail,” the group said, adding that some of the information obtained through the technique was sensitive, including a password. “Usually, this only permits an attacker to examine recently arrived spam in random users’ inboxes — but (as noted in one example) message content does occasionally become more interesting.”
Google Gets on It
While HBX’s public disclosure of the issue drew criticism, Google responded to the Gmail bug quickly by stopping the acceptance of the malformed messages, according to a post by Google program manager Chris DiBona on the popular technology site Slashdot.
“Previous e-mails that had this problem will also no longer be accessible,” DiBona wrote, adding that readers and others can send reports of similar issues and bugs to a Google security e-mail address. “We appreciate your patience and we’re sorry about the bug,” DiBona added.
Google did not respond to a request for further comment, but DiBona did post in a separate article and forum on the matter, referring to his Slashdot post and informing readers the issue was “Already fixed.”
Code on the Go
Ryan Russell, an independent security expert and author, told TechNewsWorld that he was pleased by Google’s fast response to the issue. However, Russell also agreed with the HBX proposition that the issue indicated some degree of failure in Google’s software development process.
Nevertheless, Russell said Google is no worse than any other software maker in the world in terms of software quality assurance.
Russell also said Google has shown in the past — with software rollouts and services down at times — that its beta code is truly in a testing phase.
“Google likes to do a lot of work on the fly,” he said.
The security expert added that Gmail has been under the microscope for some time, and will continue to be prodded by researchers and others.
“We’ve seen a lot of discussion on the Internet about poking at Gmail, so they’ve been under a lot of scrutiny,” Russell said.