Gmail Security Flaw Proof of Concept
by Brandon
Sunday, November 23rd, 2008

GC Update November 27th, 2008 5:22am

Aibek from MakeUseOf has commented that only one of the people involved in the recent filter-related domain heist was contacted by Google before Google made its official statement on Tuesday.

“Nope they haven’t contacted me. I also talked to both Florin and Edin and only one of them was contacted by Google.”

###

OFFICIAL UPDATE FROM GOOGLE:

Gmail Security and Recent Phishing

We’ve seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners’ domains by unauthorized third parties. At Google we’re committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability….

###

Is it possible for someone to create a malicious filter without having access to your Gmail username and password? No. However, they can make your own browser create the filter without your knowledge.

The blogosphere is buzzing about a Gmail Security Flaw that has caused some people to lose their domain names registered through GoDaddy. 

To understand how this exploit works, let me first explain how I would carry it out (if I were a blackhat). Then we can move on and explain the exploit in detail. Let’s use a current example and assume that I was trying to steal MakeUseOf.com and already knew it was registered through GoDaddy. Let’s also assume that I knew the owner’s Gmail address. I would want to create a filter like the one in the image above, where every email sent from GoDaddy Support is automatically deleted and forwarded to my email address.

Once the filter was set up I would simply head on over to GoDaddy’s Customer Number Retrieval page and enter the following info:

 

Once I press continue, an email is sent to the domain owner’s email address, but since I’ve set up a filter he never sees it in his inbox. Instead, it is sent to the trash and forwarded to my email address. With the GoDaddy Account Number I can now proceed to the GoDaddy Password Retrieval page:

 

 

Once again I simply press continue, and an email containing an Authorization Code is sent to the owner’s email address, but the filter deletes it immediately and forwards it on to me. I now have the ability to take over this person’s GoDaddy account and transfer MakeUseOf.com, or any domain within that account, to my registrar.

Exploit in Detail

So how do we go about creating this filter in the first place?

When you create a filter in your Gmail account, a request is sent to Google’s servers to be processed. The request is made in the form of a URL with many variables. For security reasons, your browser doesn’t display all the variables contained within the URL. Using Firefox and a plugin called Live HTTP Headers, you can see exactly which variables are sent from your browser to Google’s servers.

Here is an example of a request url sent to Google to create a filter exactly like the one in the image above. I’ve broken down the url by variable so it’s easier to read:

http://mail.google.com/mail/
?ui=2
&ik=ad7df7dc23 *Unique Account Identifier*
&at=xn3j35svndkg48yp2qgmpt99ivcqdc *Session Authorization Key*
&view=up
&act=cf
&rt=h
&zx=pjo6fg-k2ljzh
&search=cf
&cf1_from=support%40godaddy.com
&cf2_emc=true
&cf2_email=hacker%40hacker.com
&cf2_tr=true

Through a process of elimination you can determine the role of each variable. I have highlighted the two most important variables, ik and at. The ik variable is the equivalent of a username: each account has one and it never changes. Obtaining this variable is tricky but possible. I’m not going to tell you how to do it; if you search hard enough online you’ll find out how.

Obtaining the at variable, on the other hand, can be done by tricking a user into visiting a page that contains malicious code. That code steals a cookie from the user called GMAIL_AT, which is the same value as the at variable, just named differently. Once the cookie is stolen, the malicious code creates a hidden iframe whose URL contains the variables that authorize Gmail to create a filter for your account.

What can Google do to prevent this attack from resurfacing?

Instead of having the at variable expire at the end of each session, they should have it expire after each request.
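To make the difference between the two expiry policies concrete, here is an added model of the server side of the filter-creation request. It is not Gmail’s code and every name in it is hypothetical; it only assumes that the at value is an anti-forgery token checked against the login session, as the post describes. The SESSION policy keeps one token for the whole login; the PER_REQUEST policy consumes the token on use and issues a fresh one, which is the fix proposed above.

```python
"""Session-scoped vs. single-use anti-forgery tokens (added example, hypothetical model).

The `at` value in the filter-creation URL acts as an anti-forgery token tied to the
login session. This models two expiry policies for such a token; nothing here is
Gmail's code, and the addresses used are constructed placeholders.
"""
import secrets
from enum import Enum


class TokenPolicy(Enum):
    SESSION = "session"          # token valid until logout (behaviour described in the post)
    PER_REQUEST = "per_request"  # token consumed by the request that uses it (proposed fix)


class FilterServer:
    """Minimal stand-in for the server side of the act=cf (create filter) request."""

    def __init__(self, policy: TokenPolicy):
        self.policy = policy
        self.sessions = {}  # session id -> {"at": live token, "filters": [...]}

    def login(self) -> str:
        """Start a session and issue its first anti-forgery token."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"at": secrets.token_urlsafe(24), "filters": []}
        return sid

    def current_token(self, sid: str) -> str:
        """The token a freshly rendered settings page would embed for this session."""
        return self.sessions[sid]["at"]

    def create_filter(self, sid, at, cf1_from, cf2_email=None, cf2_tr=False) -> bool:
        """Create a filter only if `at` matches the session's live token."""
        sess = self.sessions.get(sid)
        if sess is None or not secrets.compare_digest(at, sess["at"]):
            return False
        sess["filters"].append({"from": cf1_from, "forward_to": cf2_email, "trash": cf2_tr})
        if self.policy is TokenPolicy.PER_REQUEST:
            sess["at"] = secrets.token_urlsafe(24)  # rotate: the token just used is now dead
        return True


def replay_after_victim(policy: TokenPolicy):
    """A token is captured, the victim's own browser then makes one legitimate request,
    and the captured value is replayed afterwards. Returns (victim_ok, replay_ok)."""
    server = FilterServer(policy)
    sid = server.login()
    captured = server.current_token(sid)  # value leaked from the victim's session
    victim_ok = server.create_filter(sid, server.current_token(sid), "newsletter@example.com")
    replay_ok = server.create_filter(sid, captured, "support@example-registrar.com",
                                     cf2_email="forwarder@example.com", cf2_tr=True)
    return victim_ok, replay_ok


def replay_immediately(policy: TokenPolicy) -> bool:
    """The captured token is used before the victim's session uses it again."""
    server = FilterServer(policy)
    sid = server.login()
    captured = server.current_token(sid)
    return server.create_filter(sid, captured, "support@example-registrar.com",
                                cf2_email="forwarder@example.com", cf2_tr=True)


if __name__ == "__main__":
    for policy in TokenPolicy:
        print(policy.value,
              "| replay after victim's own request:", replay_after_victim(policy),
              "| immediate replay:", replay_immediately(policy))
```

Under the session policy a captured token keeps working for the rest of the login; under the per-request policy it stops working as soon as the legitimate session has used it once. Note that a token used immediately after capture still succeeds under both policies, so rotation narrows the window rather than closing it; the leak of the token itself (the cookie read described above) has to be closed as well.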

What should you do if you have a Gmail account?

Check your filters and make sure that nothing seems out of the ordinary. If you’re using Firefox, you can download an extension called NoScript, which helps prevent you from becoming a victim of one of these attacks. Overall, though, be cautious.
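Checking filters by eye is fine for a handful of rules, but the kind of filter described in this post (matching a sender, forwarding elsewhere, then trashing) is easy to script a check for. The following is an added example, not code from this post; it assumes the Atom/XML file that Gmail’s filter export produces (entries made of apps:property elements), and the sample export embedded in it is constructed, not taken from a real account.

```python
"""Audit an exported Gmail filter file for filters that divert mail (added example).

Assumes the Atom/XML format of Gmail's filter export (one <entry> per filter, with
<apps:property name='...' value='...'/> children for conditions and actions). The
sample below is constructed for this example, not a real export.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample: one harmless labelling filter, one that forwards and trashes.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='support@example-registrar.com'/>
    <apps:property name='forwardTo' value='forwarder@example.com'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def is_true(value):
    """Export values are strings; treat only the literal 'true' as set."""
    return (value or "").lower() == "true"


def suspicious_filters(xml_text, trusted_forward_domains=()):
    """Flag filters that forward mail to an untrusted domain, and any forwarding
    filter that also hides the message (trash or skip-inbox), since that is the
    combination that keeps a reset email out of the owner's sight."""
    findings = []
    for props in parse_filters(xml_text):
        forward_to = props.get("forwardTo")
        reasons = []
        if forward_to:
            domain = forward_to.rsplit("@", 1)[-1].lower()
            if domain not in trusted_forward_domains:
                reasons.append(f"forwards to {forward_to}")
            if is_true(props.get("shouldTrash")):
                reasons.append("deletes the message after forwarding")
            elif is_true(props.get("shouldArchive")):
                reasons.append("skips the inbox after forwarding")
        if reasons:
            findings.append({"from": props.get("from"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_filters(SAMPLE_EXPORT):
        print(f"filter on from={finding['from']!r}: " + "; ".join(finding["reasons"]))
```

Run it against your own export by replacing SAMPLE_EXPORT with the file contents; pass your own forwarding domains in trusted_forward_domains so that forwarding you set up yourself is not reported, while a forward-and-trash rule is always reported.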

Why am I sharing this information with you?

Well… Google has a way of fixing credible threats right away, and unless you’re extremely familiar with manipulating the purpose of software, carrying this out is going to be difficult.

Related Reading

First Filter Exploit POC [has since been patched]

David Airey Loses His Domain [December 2007]

Questions — Concerns

Email: gc@anon.otherinbox.com


65 Comments

  1. Thanks for sharing!

    I guess we should stop sending private/critical emails from Gmail. Google will obviously fix this problem very soon but my faith in Gmail has been lost forever. Perhaps others should do the same, use Gmail strictly for casual purposes.

    Comment by Home Biss — November 23, 2008 @ 2:04 pm

  2. [...] Lenssen spotted a post by Brandon at GeekCondition that explains the general idea behind an attack that can be used to set up filters in your Gmail account without your knowledge. It’s important [...]

    Pingback by Adjika.net - Hardware and Software news » Blog Archive » Gmail exploit lets attackers forward your email to them — November 23, 2008 @ 2:39 pm

  3. [...] Brandon has written an informative article on this exploit over at geekcondition.com. [...]

    Pingback by Gmail Security Flaw Proof of Concept | Jeber's Tech Blog — November 23, 2008 @ 4:47 pm

  4. [...] to a proof of concept by Geek Condition, there is a security flaw in Gmail that allows an attacker to forward GoDaddy account reset [...]

    Pingback by The Gmail Hack Heard Round the Web — November 23, 2008 @ 5:10 pm

  5. Nice article. This thoroughly explains the recent hijacking of many Gmail accounts. I really hope this easy to understand explanation helps us reach whatever solution is needed. Seems to me like it’s a security fault that Google should address. After reading about this recently I feel insecure logging into Gmail without checking my filters each time to make sure only the ones I’ve set are there.

    Comment by Adam — November 23, 2008 @ 6:03 pm

  6. Brandon,

    Thanks a lot for explaining the nature of the hack. I hope Gmail folks will take your advice and make the variable expire after each request.

    Aibek
    MakeUseOf.com

    Comment by Aibek — November 23, 2008 @ 6:39 pm

  7. Yeah, I will be more aware of visiting suspected malicious websites. And always sign out of any account after finishing.

    Comment by don — November 23, 2008 @ 7:14 pm

  8. Wow! That’s a really sneaky but ingenious way of stealing domains. I hope they get this fixed ASAP!

    Comment by Jason Green — November 23, 2008 @ 7:43 pm

  9. [...] How this Gmail security vulnerability can be utilized by an attacker [via Gmail Security Flaw Proof of Concept] [...]

    Pingback by Gmail Security vulnerability: An Attacker Can Forward Your Gmail E-Mails | ReadersZone — November 23, 2008 @ 8:06 pm

  10. [...] Domains Get Stolen! It looks like there may be a serious security flaw in Gmail. According to GeekCondition.com, a hacker can set up a filter where all emails sent from, say, GoDaddy Support is automatically [...]

    Pingback by Hacker Dupes GoDaddy into Transferring Stolen Domain - Indian Domain Names Forum — November 23, 2008 @ 8:26 pm

  11. It’s also worthwhile pointing out that it’s a good idea to set Gmail to always connect through SSL, so you can avoid people being able to eavesdrop on your headers also.

    Comment by Helen — November 23, 2008 @ 8:27 pm

  12. So, if you never have (and never will) create a filter in your gmail account, you are not vulnerable to this - correct? Can anyone confirm if this is correct?

    Comment by Scott — November 23, 2008 @ 8:31 pm

  13. @Scott

    No — You would still be vulnerable to this. :\

    Comment by Brandon — November 23, 2008 @ 9:05 pm

  14. [...] attacker to set up filters on users’ e-mail accounts without their knowledge, according to a proof of concept posted Sunday at [...]

    Pingback by Gmail Exploit May Lead to Domain Hijacking | Mahesh Kukreja - WebMaster Blog, SEO Tricks & Tips, Make Money Online — November 23, 2008 @ 10:27 pm

  15. Will the exploit be blocked if I always use Gmail through https://... instead of http:// and have enabled the “Always use HTTPS” option in Gmail?

    Thanks.

    Comment by gert — November 23, 2008 @ 10:27 pm

  16. I always use https://mail.google.com/mail to keep all pages SSL-enabled throughout.

    By default Gmail and other Google services only use SSL for authentication and redirect you to a non-SSL “account page” once authenticated.

    Gmail, Google Docs and probably some other services can be forced to use SSL all throughout.

    Try it!

    Comment by rmartinez — November 23, 2008 @ 10:39 pm

  17. Well, most of them will call this a security hole in Gmail, but what I am more interested to know is whether GoDaddy has taken any action to safeguard its members?

    Comment by Kashif — November 23, 2008 @ 10:57 pm

  18. [...] has learned of a new  security flaw proof of concept exposing a relatively difficult to exploit cross-site GMail vulnerability. Read more about this [...]

    Pingback by Proof of Concept: Gmail Forgery Hack Leads To Domain Theft — November 24, 2008 @ 12:09 am

  19. [...] out a good review of this issue: http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/.     Read More    Post a [...]

    Pingback by /dev/random » Blog Archive » Gmail Security Flaw? — November 24, 2008 @ 12:21 am

  20. [...] a recent post on GeekCondition, it is possible to access and manipulate the filters on your account. How it is [...]

    Pingback by Une faille de sécurité dans Gmail ! | woodiv — November 24, 2008 @ 1:04 am

  21. [...] offered by Google. Not everyone knows, however, that it has recently been the target of attacks. As has been established, there is a serious security flaw that allows account information to be changed without the knowledge [...]

    Pingback by Luka w zabezpieczeniach Gmaila? - vBeta.pl - blog o internecie, baza wiedzy o nowych programach, Web 2.0 — November 24, 2008 @ 2:09 am

  22. [...] with which an attacker could create message filters in someone else’s Gmail account. The vulnerability exploits the fact that Gmail exchanges data with Google’s servers when a [...]

    Pingback by Gmail-exploit laat aanvallers mogelijk mail doorsturen - Google — November 24, 2008 @ 3:39 am

  23. [...] GeekCondition hat einen Proof of Concept f

    Pingback by L — November 24, 2008 @ 4:05 am

  24. This is scary enough to think what would happen to my sites and blogs. But, I think it’s anyway concentrated on high end blogs with lakhs of visitors per day.

    Thanks for writing the article.

    Comment by Team Nirvana — November 24, 2008 @ 5:15 am

  25. [...] attacker to set up filters on users’ e-mail accounts without their knowledge, according to a proof of concept posted Sunday at GeekCondition.com. In his post, Brandon writes that the vulnerability has [...]

    Pingback by Gmail exploit may allow attackers to forward e-mail - The WebZappr — November 24, 2008 @ 5:41 am

  26. [...] do not have much details of this exploit although from what I can read from over here, it seems like it is some kind of Cross-site Scripting (XSS) attack rather than a CSRF (Cross-site [...]

    Pingback by Gmail Security Flaw | GNUCITIZEN — November 24, 2008 @ 6:05 am

  27. “I guess we should stop sending private/critical emails from Gmail!”

    You should stop sending private/critical email unencrypted. Nothing will ever be totally secure, but limiting potential leaks to your own and your recipients’ computers is a significant step in the right direction.

    There is no excuse in this day and age to send clear-text email. Encryption solutions are free, simple and plentiful.

    Comment by Frode — November 24, 2008 @ 6:44 am

  28. [...] can forward incoming messages to their own addresses. According to the proof of concept on the site GeekCondition.com, a user who wants to create a filter in a Gmail account sends a request to Google’s servers [...]

    Pingback by Gmaildeki güvenlik açığına dikkat | Bilgisayar — November 24, 2008 @ 7:00 am

  29. But it was fixed
    http://news.netcraft.com/archives/2007/09/30/google_fixes_gmail_crosssite_request_forgery_vulnerability.html

    Comment by Marat — November 24, 2008 @ 7:01 am

  30. [...] Gmail Security Flaw Proof of Concept. [...]

    Pingback by Gmail Security Flaw May Cause You To Lose Your Domains | Seth Goldstein Online — November 24, 2008 @ 7:08 am

  31. [...] And Gmail Security Flaw Proof of Concept [...]

    Pingback by Simple Way to Check Whether Your Gmail Account Has Been Hack or Not — November 24, 2008 @ 7:21 am

  32. [...] URL containing the variables that instruct Gmail to create a filter, as explained in greater detail here. The creation of a malicious filter means, for example, that if a Gmail address is used as the [...]

    Pingback by Domain hijack fears over Gmail exploit - Computer Forums — November 24, 2008 @ 7:29 am

  33. [...] the address of the original post describing the flaw: http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/ This post [...]

    Pingback by Gmail Güvenlik Açığı | akin.ME! — November 24, 2008 @ 7:45 am

  34. [...] You can get a more elaborate idea about the Gmail hack from this article here. [...]

    Pingback by Gmail security flaw exploited by hackers | iSimplyBlog.com — November 24, 2008 @ 8:30 am

  35. Very interesting post, thanks a lot for it ;-)

    Comment by Cedric Pernet — November 24, 2008 @ 8:41 am

  36. This is a moderately difficult XSS hack. The real trick in my book would be the social engineering to trick the Gmail account holder into visiting the hacked website. I’m not sure setting the key to be single use would solve it; what if the hacker immediately submitted the filter request? Wouldn’t he then be the one using up the key?

    Comment by colleen — November 24, 2008 @ 10:57 am

  37. [...] was that all victims were using Google Mail as the primary email address of their websites. Yesterday a proof of concept for a Gmail security flaw was posted at the Geek Condition blog which explains [...]

    Pingback by New Google Mail Security Vulnerability Emerges — November 24, 2008 @ 1:30 pm

  38. [...] [2] “Gmail Security Flaw Proof of Concept”, GeekCondition, November 23, 2008, http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/ [...]

    Pingback by Hacking Passwords from Google Mail Account Holders « Cyberwarfare Magazine — November 24, 2008 @ 3:53 pm

  39. [...] MeContact Me Gmail Security Flaw25Nov2008Filed under: News, TechnologyAuthor: mario In his post [Link], Brandon writes that the vulnerability has caused some people to lose their domain names [...]

    Pingback by Gmail Security Flaw - Mario’s World — November 24, 2008 @ 3:54 pm

  40. [...] at this address (in English) the exploit is explained in detail [...]

    Pingback by Gmail: buco nella sicurezza.... | Trucchetti.com — November 24, 2008 @ 4:00 pm

  41. [...] an attacker to set filters on users’ e-mail accounts without their knowledge, according to a proof of concept published on Sunday at [...]

    Pingback by .::SRT::. » Blog Archive » Una vulnerabilidad de Gmail permitiría a atacantes reenviar correos. — November 24, 2008 @ 7:40 pm

  42. [...] attacker to set up filters on users’ e-mail accounts without their knowledge, according to a proof of concept posted Sunday at the blog Geek [...]

    Pingback by Business News Research » Gmail exploit may allow attackers to forward e-mail | Security - CNET News — November 24, 2008 @ 8:06 pm

  43. [...] http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/ [...]

    Pingback by Québec Geeks » Blog Archive » [Gmail]Bug de sécurité. XSS bug (again) — November 24, 2008 @ 8:16 pm

  44. [...] was that all victims were using Google Mail as the primary email address of their websites. Yesterday a proof of concept for a Gmail security flaw was posted at the Geek Condition blog which explains [...]

    Pingback by Efinditnow › New Google Mail Security Vulnerability Emerges — November 25, 2008 @ 1:24 am

  45. [...] by Google’s mail service are at risk, according to GeekCondition, which at this address provides a detailed technical analysis explaining the vulnerability of the [...]

    Pingback by Hacking: Indirizzi Gmail in pericolo! Scoperto bug, a richio i dati di accesso. | Area3000 — November 25, 2008 @ 3:54 am

  46. [...] Details about the vulnerability can be obtained from the proof of concept: - http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/ [...]

    Pingback by Gmail Exploit | hacker.com.br — November 25, 2008 @ 6:14 am

  47. It’s also a good idea to spend a little bit more for domain privacy. Your real e-mail will be masked in the domain record by a forwarder. :)

    Comment by MKR — November 25, 2008 @ 6:21 am

  48. [...] From: http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/ [...]

    Pingback by GoogleBig » Archive » Gmail Security Flaw Proof of Concept — November 25, 2008 @ 7:08 am

  49. [...] the news: Details on how members of the Dark Web could hijack YOUR domain if you use a popular email [...]

    Pingback by Data Security Podcast Episode 28 - Nov 25 2008 « Data Security Podcast — November 25, 2008 @ 8:07 am

  50. [...] A proof of concept illustrates a flaw in Gmail where an attacker can redirect your email to another account. [...]

    Pingback by Malware Diaries » Blog Archive » Flaw in Gmail could lead to Identity theft — November 25, 2008 @ 1:37 pm

  51. Quick question: Couldn’t this problem be eliminated by Google (speculation or not) by requiring an authenticated/SSL session to create filters?

    Comment by bedarkened — November 25, 2008 @ 5:03 pm

  52. One of our family email addresses on Google was hijacked by a Chinese electronics firm by exploiting the Vacation Responder and Signature setting. I removed the text, set setting to https and changed password. Take a look at your settings and be aware.

    Comment by Allen — November 25, 2008 @ 7:33 pm

  53. [...] Gmail Security Flaw PoC [...]

    Pingback by Network Security Podcast » Blog Archive » Network Security Podcast, Episode 129 — November 25, 2008 @ 8:31 pm

  54. [...] it was claimed, has led to several domain thefts; the “temporary fix” as suggested by Geek Condition, was to install the Firefox NoScript [...]

    Pingback by Gmail “Hack” is Nothing But a Phishing Scheme — November 26, 2008 @ 2:10 am

  55. [...] it was claimed, has led to several domain thefts; the “temporary fix” as suggested by Geek Condition, was to install the Firefox NoScript [...]

    Pingback by Gmail “Hack” is Nothing But a Phishing Scheme | World News — November 26, 2008 @ 2:53 am

  56. [...] hack, as it was claimed, has led to several domain thefts; the “temporary fix” as suggested by Geek Condition, was to install the Firefox NoScript [...]

    Pingback by Aszir’s blog on Friendster » Blog Archive » Gmail “Hack” is Nothing But a Phishing Scheme — November 26, 2008 @ 3:13 am

  57. [...] GeekCondition.com blog said in its post that Brandon Partridge the Web developer did warn that such attackers could force an unsuspecting [...]

    Pingback by Google Gmail vulnerabilities blamed on users and Phishing : Product Reviews Net — November 26, 2008 @ 5:04 am

  58. [...] Last week a story about a hijacked domain was making the rounds online; almost all the victims used Gmail as the contact email for their registered domains. Now the exploitation of the Gmail vulnerability has been confirmed, and an article describes in detail how a domain can be hijacked through Gmail. [...]

    Pingback by 利用Gmail漏洞劫持域名 » Ghacks CN — November 26, 2008 @ 6:02 am

  59. Hmm, this is strange, because I did try to build the filter creation URL with my account information and it did create the filter. But I was logged into my account and didn’t sign off properly when I pasted the URL into the browser.

    Then again, a lot of people don’t click the ‘Sign Off’ option when they leave their inbox. So I’m not totally convinced…

    Comment by CombatNerd — November 26, 2008 @ 7:06 am

  60. [...] what was published on Sunday on Geek Condition, a blogger called “Brandon” wrote that the Gmail vulnerability has caused the loss of [...]

    Pingback by Gmail non era vulnerabile: era solo phishing - The Inquirer IT — November 26, 2008 @ 8:01 am

  61. [...] Rich and I mentioned a Cross Site Request Forgery (XSRF or CSRF) reported against Google by the Geek Condition blog (down as of this writing, presumably due to traffic from Google). Neither Rich nor I were [...]

    Pingback by Network Security Blog » Google security denies XSRF reports — November 26, 2008 @ 8:09 am


  63. [...] GeekCondition hatte am Wochenende von einer Sicherheitsl

    Pingback by Google: Keine Schwachstelle in Google Mail - Internet und Kommunikation | ZDNet.de News — November 26, 2008 @ 9:05 am

  64. [...] Gmail Security Flaw Proof Of Concept - Comments About This on YCombinator - (Nov. 26′th) Gmail Security and Recent Phishing [...]

    Pingback by BREAKING: New Gmail Security Flaw. More Domains Get Stolen! | MakeUseOf.com — November 26, 2008 @ 10:15 am

  65. Interesting this article mentions GoDaddy. There are sites like “000webhost com” systematically abusing both GoDaddy (hosted there, just like others such as “AdSenseBoy” and several others) and Google from more than one direction!!!

    They get themselves advertised through AdWords just to lure people onto those “honeypot” sites and fake domain hosting providers where thousands of phishing, spam, virus or copyright violating sites exist in their swamp.

    I have documented proof about AdSense codes they stole and abused (trying to “optimize” it, meaning digitally forge money!) which Google also denies so far. Claiming they have nothing to do with it, but both its money has been lost to me and Thousands of people using those fake hosts were scammed hundreds of $ in affiliate money which if so only the Lithuanian criminals behind it grab and keep.

    Comment by CAT — November 26, 2008 @ 1:09 pm
