Exploit reveals the ugly side of keeping data in the cloud

A bug found in the Google Calendars beta exposes the real name of anyone registered with a Gmail account.

Originally posted at the Securiteam blog, the bug allows anyone with a Google Calendar account to reveal other Gmail account holders’ (registered) real names simply by hitting the “back” button after sending an invite.

Internal testing by DailyTech finds that the bug is still active at the time of this writing.

Worse, reveals Canadian blogger Holden Karau, is that the bug works for any account in Gmail’s system, including private Gmail accounts operating under other domains.

Full story: dailytech.com 

Labels: calendar, flaws, Gmail

A recently-discovered flaw in Gmail is capable of turning Google's e-mail service into a highly effective spam machine. According to the Information Security Research Team (INSERT), Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google's SMTP service without fear of detection. This attack bypasses both Google's identity fraud protection mechanisms and the current 500-address limit on bulk e-mail.

A flaw in Gmail that allows spammers to send a potentially unlimited number of messages is definitely a problem, but there's another, external factor that could exacerbate any potential spam attack. As the volume of spam has risen—it currently accounts for 95 percent of all e-mail traffic—many e-mail providers have adopted whitelists and blacklists as a first line of defense against the flood. An e-mail from johdoe@awinnerisyou.com (or the corresponding IP address block) may be automatically blocked by any given e-mail service, while an e-mail from a trusted, authenticated source such as Gmail is automatically allowed through the gateway.

Full story: arstechnica.com 

Labels: e-mail, flaws, Gmail, spam

Doomwatchers count the ways

If you use Google to send email, organize photos or help administer your website, doomwatchers have cataloged three new ways to steal your data and compromise the security of your users. All three of the techniques rely on cross site scripting, or XSS, in which hackers inject unauthorized code by making it appear as if it's hosted by a trusted website.

The most serious vulnerability resided in the so-called polls application, a part of Google Groups. It made it possible to steal contacts and messages from Gmail accounts. A Google spokesman on Monday afternoon said the flaw had been fixed.

Read more: theregister.co.uk 

Labels: flaws, users

Just one day after a security researcher showed how Google's Firefox toolbar could be exploited in an online attack, a similar flaw has been discovered in the Google Desktop.

On Thursday, Google hacker Robert Hansen posted proof of concept details showing how attackers could use Google Desktop to launch software that had already been installed on the victim's computer.

The attack is hard to pull off and could not necessarily be used to install unauthorized software on the victim's PC, but it does illustrate the kind of security issues that arise with Web-based applications, said Hansen, the CEO of Web security consultancy Sectheory.com, and a contributor to the Ha.ckers.org Web site.

Full story: networkworld.com 

Labels: attack, Desktop, flaws