ISP caching issue exposes Gmail data
Last week, when a Kuwait-based Gmail user tried logging in, he was denied access to his own account, and instead was granted access to over 30 accounts that did not belong to him. He was able to peek into other people’s private information and personal emails, including one that contained “keycodes for some embassy gate”. This incident that occurred during the last weekend was fixed on the following Wednesday.
A Google spokesman who confirmed the issue said that the problem occurred due to a caching issue experienced by the ISP in that region. However, another user in Sri Lanka reported a similar issue with his Gmail account.
The same user who faced problems with his Gmail account wrote to CNN that he had no problems with his other accounts such as Hotmail. Though Google confirmed that the issue was caused by the ISP, I think it is also Google’s responsibility to enforce security measures which will prevent such minor issues outside itself from compromising its users’ accounts.
Fortunately, in this case, the issue was not widespread. If it were, one can only imagine how much damage it can potentially cause.
Sources:
http://www.techtree.com/India/News/Is_Someone_Reading_Your_Gmail_Right_Now/551-87047-643.html
http://www.news.com/8301-10784_3-9875714-7.html?tag=newsmap
Comment by jimg
February 25, 2008 @ 6:18 pm
I can’t help but think “who exchanges embassy keys on gmail” when I read stuff like this.
There seems to be two major problems here. The first is that people should not use web email if you do anything illicit or worth protecting. For instance, one of the inboxes seen this guy is talking about picking up lots of explosives with this guy named paul: http://img165.imageshack.us/img165/930/aslamchaudharigmailcomii0.png
hmmmm
The second issue is bigger: How can ISP configuration allow the wrong accounts to be opened on gmail, forums, and everything else? This seems to point to an issue we don’t talk about as much. We always ask “can we trust google?” when it doesn’t even matter if we can’t trust our ISP’s. They are quite litterally “men the middle” and maliciously or not, this proves they have some serious control over what content we see.
just for further reading, check out the guy’s original post, its pretty awesome to hear him freaking out. The issue then starts affecting them on the forum itself, which is pretty mata-amusing.
http://248am.com/forum/viewtopic.php?t=4736
Comment by Brian
February 25, 2008 @ 7:37 pm
This is why it’s a good idea to use SSL for sensitive things like e-mail (and for the whole session, not just the login process.) That way, if anything gets cached, it’s just encrypted data.
Comment by Jessica
February 25, 2008 @ 10:09 pm
I don’t understand why Gmail doesn’t force users to use the https site. Perhaps, it is just too costly to have enough servers with certificates. Maybe it is because using SSL slows down the performance.
Most users assume that their data is protected when using services such as Gmail. Google has a responsibility to help users understand security risks. From Google’s whitepaper on security:
“Google’s business is built on user trust, and therefore this is one of the keys to continued success of Google as a corporation. All Google employees are instilled with the value of responsibility to the end user. Protecting data is at the core of what Google is all about.” – Google Apps security whitepaper (http://www.google.com/a/help/intl/en/admins/pdf/ds_gsa_apps_whitepaper_0207.pdf)
Despite this commitment, Google fails to tell users that their data is being sent plaintext unless using the https site. I went looking on the Gmail site to see what it would take for a user to learn how to use gmail securely. It took clicking through 6 consecutive links in help pages to find the URL for their https service.
Even though I think that Gmail should try to encourage users to use the SSL version, it turns out that they are better than many other email providers. A lot of email providers do not even have an SSL version. And even with an email service used with SSL, when you send messages, they are not encrypted. I think email is just plain insecure and needs a massive make-over. In fact, the whole Internet needs a make-over. And this time, Internet protocols should be developed with the assumption that there are adversaries out there.