Gmail: Lean, Mean Spamming Machine!

by Shijaz Abdulla on 12.05.2008 at 11:35

A "serious security flaw" in Gmail turns Google’s e-mail service into a spamming machine, according to a recent security report.

INSERT, the Information Security Research Team, has created a proof of concept that exploits the "trust hierarchy" that exists between mail service providers. By exploiting a flaw in the way Google forwards email messages, a spammer can send thousands of bulk e-mails through Google’s SMTP service, bypassing Google’s 500-address bulk e-mail limit and identity fraud protections.

Since email providers like Gmail are "auto-whitelisted" by ISPs and blocklist providers, the spam messages sent from Gmail are not looked upon with suspicion by many anti-spam technologies, which further magnifies the risk.

The INSERT report suggests that it does not require a rocket scientist to exploit this flaw:

"In this regard, this document presents a vulnerability report and a proof of concept attack that demonstrate how anyone with no special internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail Account in order to be granted nearly unrestricted access to Google’s massive white-listed SMTP relay infrastructure"

At the time of this writing, Google has not offered any official comment.

Gmail user data exposed in Kuwait

by Shijaz Abdulla on 01.03.2008 at 16:03

Talk about security – and Google.

Gmail users in Kuwait and some other countries are reporting being able to read other Gmail users’ email without having to log in.

Full Story:
http://www.news.com/8301-10784_3-9875714-7.html

Google claims that an ‘ISP caching problem’ allowed users to log in to other users’ mailboxes. This speaks volumes about Google’s security, doesn’t it? Does this mean that an ISP can break Gmail security if it really wants? Wait a minute – how can ‘caching’ at the ISP preserve Gmail sessions? Some neat security, huh?

No wonder Gmail is still in Beta.