Skip to content

Category: Google

Google Responds to GMail Vulnerability Allegations

Published by Will Chatham on 11/26/2008

Google says the recent GMail account breeches were due to typical phishing scams, not a vulnerability in GMail itself.

With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords.

They don’t say exactly how the usernames and passwords were harvested, however.  Were people just dumb/gullible enough to type their Google usernames and passwords into some other web site?  Or was there a way for these phishing sites to grab the authentication info from the user’s browser?  Is this the fault of the web browser or a faulty plugin?

While the fingers continue to be pointed, the specific methodology for adding malicious filters to a GMail account by way of a phishing attack remains a threat.

GMail Vulnerability? Watch Your Back.

Published by Will Chatham on 11/23/2008

I’ve been following the story about the domain name hijacking of MakeUseOf.com the last few weeks with interest.  All signs are pointing to the domain thief having cracked the MakeUseOf.com Gmail account in order to retrieve their GoDaddy.com password and transfer the owenership of the domain.

This is not good for any GMail user, let alone domain name owners who have registered their domains through GMail.

Apparently, this one hacker has stolen over 850 domains this way, and holds them for ransom at $2000 a piece.

The latest part of the saga details how the MakeUseOf.com folks think this happened, right down to the hacking of the GMail account.  If there is indeed a security flaw in GMail, which there appears to be, MakeUSeOf.com offers prudent steps to take in order to secure yourself (emphasis added by me):

(1) Well, my very first advice would be to check your email settings and make sure your email is not compromised. Check fowarding options and filters. Also make sure to disable IMAP if you don’t use it. This also applies to Google Apps accounts.

(2) Change contact email in your sensitive web accounts (paypal, domain registrar etc.) from your primary Gmail account to something else. If you own the website then change the contact email for your host and registrar accounts to some other email. Preferably to something that you aren’t logged in to when browsing web.

(3) Make sure to upgrade your domain to private registration so that your contact details don’t show up on WhoIS searches. If you’re on GoDaddy I’d recommend going with Protected Registration.

(4) Don’t open links in your email if you don’t know the person they are coming from. And if you decide to open the link make sure to log out first.

I would add to that list:

(5) Always use secure, encrypted GMail.  There is an option at the bottom of the main Settings page in GMail for “Always use https” under the “Browser Connection” heading.  Select this and leave it selected!  Otherwise, anything you do in GMail is sent unencrypted over the Internet.  Not good!

Keep in mind that this security flaw not only matters to domain name owners, but to anyone who has any sensitive email in their GMail account, whether it be online banking info, love letters, or whatever.

This will be interesting to watch, and I hope Google takes notice of this.

UPDATE:  This fellow here has posted a proof-of-concept on creating malicious filters in someone’s GMail account.

Google Chrome – Installation

Published by Will Chatham on 9/2/2008

Chrome just came out, and I downloaded it and have it installed.  Expect a review here once I have time to kick the tires a little bit.

One thing that made me chuckle during the installation was a dialog box that popped up when I told Chrome to import my settings from Firefox:

Sadly?  I’m impressed they feel so compassionate about the fact that Firefox was open on my computer.

Anyway, the first 3 minutes of messing with Chrome have been a series of “oooh cool!” moments for me.  Look for more opinions soon…

Google Chrome – The GBrowser

Published by Will Chatham on 9/1/2008

Holy friggin moly Google is coming out with a web browser tomorrow.

Presenting Google Chrome.

This should be interesting.

I can only wonder:

  • Will it have plugins that could ever match those of Firefox?  Enough to lure me away?
  • What will standards support be like?  Will it pass the Acid3 test?
  • How pervasive will it end up being?  Could it really be the Windows killer?
  • How will it tie into Google apps, docs, search, and services?

I know what I’ll be doing tomorrow…