According to research from INSERT (Information Security Research Team), a recent flaw in the GMail service allows an attacker to turn the service into a Spam blaster, easily bypassing the five-hundred-address limit on bulk email. The question that many researchers are asking, after INSERT posted to several security lists and Ars Technica picked up the story, is exactly how new this information is.
Is this another security flaw on Google's part, or just another rehash of what is already known?
INSERT recently published a partial disclosure on the trust among email servers. The notice disclosed that there is a problem with GMail that, “…anyone with no special internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single GMail Account in order to be granted nearly unrestricted access to Google’s massive white-listed SMTP relay infrastructure.”
The vulnerability INSERT talks about allows an attacker to bypass the normal black/white lists used by Google and forge all fields in an email message “by having Google’s SMTP servers tricked into functioning as open SMTP relays.” INSERT used their proof-of-concept to bypass the volume limits and use one single GMail account to send over four thousand email messages. These messages often went right to the victim's inbox, due to the automatic allowances granted by some SMTP servers to GMail.
“The experiment consisted of sending spam/forged messages from blacklisted IP addresses (our computers) directly to Hotmail's and Yahoo's MX servers and of sending the same messages using our PoC program (i.e. through GMail’s servers). We were able to confirm that indeed messages sent through GMail’s infrastructure had special treatment by Hotmail and Yahoo. Some messages would not even reach the spam box when sent directly, while when relayed through Google's servers by using our program the messages were promptly delivered directly to the victim's inbox.” – INSERT 5/7/2008 (http://ece.uprm.edu/~andre/insert/gmail.html)
Reading the paper, you are not granted much information, aside from what is already known about the problems faced by Google concerning security on GMail. In truth, the information given by INSERT can be used two ways: to demonstrate a known flaw in GMail that has been discussed before, or to spread FUD.
Google does have a problem, and any network that instantly allows GMail accounts onto its domain simply because it’s Google has another one. I’m no fanboy of Google, but I am an avid user of several Google services. I like them, but that does not change the fact that countless security issues have been discussed over the years that were centered on Google’s operations and practices.
The approach offered by INSERT, if it is something new like a tool or unique spoofing attack, is just another layer to the overall problem. This is by no means a new security threat, or one that should come as a surprise to administrators that have watched the Google issues over the last year or two.
However, as INSERT offers no sample proof of concept, any conclusion, or mitigation, there is no way to tell their research apart from the others previously posted online. The best mitigation is to block GMail, unless your company has to have it for business reasons. If that is the case, strict filtering of GMail by any number of security applications will still limit the spam and backscatter caused by most of the GMail issues.
Someone, May 23rd, 2008 - 14:30:52
I'll give that, Google having a security problem is nothing new, but if you're thinking this is FUD you should read INSERT's uncensored report that was released recently.
They also have published their proof of concept program that shows how Gmail can be exploited. This little program simply lets you send an email message in behalf of anyone you choose, and the beauty of it is that Google Servers will deliver the message for you. And if you have a lot of friends, you can use the program to send your prank message to thousands of them... Niiiice. :)
Google always innovating, even when it comes to Spam Tools! :D