
Security Alert: GMAIL Session ID Design

I’ve never really bothered to look into GMAIL security because I figured, hey, it’s Google. They generally know what they’re doing. But after reading this, and living through my own experiences with my gmail account getting hacked, it made me question Google’s decision-making process.

“Here’s the exploit: All it takes to steal someone’s Gmail login account is to intercept any transaction since every single one, even images, pass a cookie which contains the session information.

Spoof the session [plug that sessionID into your request], and you get free rein to the account — including the ability to change your password. Every non-SSL session is in plain text.”

If Google really knew about this gaping vulnerability but ruled out fixing it due to expense (!) or performance, that is pretty gross. But then, they HAD to know that the session ID was a glaring security hole. Right? And if they knew about that vulnerability but didn’t do anything, doesn’t that show they’re making bad decisions for their users? Is there another way to look at this?

The article points out that now, finally, you can enable SSL on Gmail. But that’s a band-aid, and it doesn’t help the millions of people who won’t use SSL. Security needs to be in the app logic, not the transport.

It’s bad security design to let anyone have free rein with a session ID. Ubiquitous WiFi makes it silly easy for bad guys to sniff traffic and grab session IDs at airports, Starbucks, heck, even at home.

Makes you feel a little vulnerable knowing all your public information was so nakedly exposed over the past few years, huh? Did Google know about this?

It turns out they were well aware of it. The reason Google didn’t grant users the SSL feature before, according to Perry, was because SSL is expensive. It takes a lot of bandwidth and time on both the receiver and transmitter sides to generate keys and encrypt data. Slower data connections would experience a lagging Gmail experience.

Is THAT why they still wrap the beta flag around gmail? “We have a glaring security hole that we’re not mentioning”?

Google should apologize and quickly patch GMAIL now so the client is forced to present other auth components before being allowed to perform restricted functions. Or, or, or. There are lots of well-known ways to make it secure. In the meantime, DEFAULT gmail to SSL, and don’t complain that buying extra NS/Citrix boxes is expensive. 🙂
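The kind of application-layer fix the post calls for, as an added example that is not Gmail’s code: the session cookie is flagged so the browser never sends it over plaintext, and holding a session ID alone is not enough to perform a restricted function like changing the password. The store, user names and cookie name are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed example, not Gmail's code. It models the two fixes the post argues for: the
# cookie is never sent over plaintext, and a session ID alone cannot change the password.

def weak_cookie(sid):
    """Pre-fix behaviour described above: bare cookie, sent with every request, even plaintext image fetches."""
    return f"SID={sid}; Path=/"

def hardened_cookie(sid):
    """Secure: browser attaches it only to HTTPS requests. HttpOnly: page scripts cannot read it."""
    return f"SID={sid}; Path=/; Secure; HttpOnly"

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    def __init__(self):
        self.users = {}     # user -> (salt, password hash)
        self.sessions = {}  # sid -> user

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def _check(self, user, password):
        salt, stored = self.users[user]
        return hmac.compare_digest(_hash(password, salt), stored)

    def login(self, user, password):
        if user not in self.users or not self._check(user, password):
            return None
        sid = os.urandom(16).hex()  # unguessable, but useless on its own for restricted actions
        self.sessions[sid] = user
        return sid

    def read_mail(self, sid):
        return self.sessions.get(sid)  # ordinary access: the session cookie is sufficient

    def change_password(self, sid, current_password, new_password):
        """Restricted function: requires the current password in addition to the session, then
        revokes every session of that user so a copied SID stops working. Returns the new SID."""
        user = self.sessions.get(sid)
        if user is None or not self._check(user, current_password):
            return None
        self.register(user, new_password)
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}
        return self.login(user, new_password)
```

With this design a sniffed SID still exposes the mailbox on a plaintext connection, which is why the cookie flag matters too, but it no longer lets the holder lock the owner out.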

