
SERIOUS VULNERABILITY IN GMAIL

From hackfreak <suren.click@gmail.com>
Newsgroups comp.os.linux.security
Subject SERIOUS VULNERABILITY IN GMAIL
Date 2011-04-17 09:44 -0700
Organization http://groups.google.com
Message-ID <83c129ab-e047-4d3d-89e5-39922e50da43@o21g2000prh.googlegroups.com>


The full post is discussed in the DEFEND HACKERS blog

http://defendhackers.blogspot.com/2011/04/serious-vulnerability-in-gmail-still.html


 I really don't know when the big guys are gonna listen to such bugs.
(Hackersbay.in == h4ckolic) already reported a serious bug in the Facebook
API, still no response, and (Amarjit.info ==> Amarajit singh) has also
reported about an iframe bug in Google, still the same. And as we all
know, the famous bug in Google, that Gmail accepts dots in between
the username, still has no answer. And again Gmail has been
exposed with a new bug that we're gonna talk about..

Gmail is number one of the major webmail service providers across the
globe. But as we all know, Gmail still carries that 4 letter word
["BETA"]. Sometimes we may wonder why Gmail is still in the testing
stage even years after its emergence. Here is one small reason for
that. (In the middle, I guess each org like Facebook, Yahoo, Google
has to listen actively to the feedback dept., because they can't hire lobby
testers to test each tier. Instead they can look at the bugs reported
by the patriotic hackers or security professionals.)

Gmail follows a strict rule that doesn’t allow its users to have
their first or last name contain the term Gmail or Google. That
is, while signing up for a new Gmail account, users cannot choose a
first or last name that contains the term Gmail or Google. You can see
this from the snapshot below.

[Snapshot: Google or Gmail cannot be used as first or last name]



This rule is implemented by Gmail for obvious reasons, because if
users are allowed to keep a first or last name that contains
the term Gmail or Google, then it is possible to easily impersonate
the identity of Gmail (or Gmail Team) and engage in phishing
or social engineering attacks on innocent users. This can be done
by simply choosing the first and last name with the following
combinations.

First Name    Last Name
Gmail         Team
Google        Team
Gmail         Password Assistance

From the above snapshot we can see that Gmail has made a good move in
stopping users from abusing its services. However, this move isn’t
enough to prevent malicious users from impersonating
Gmail’s identity, because Gmail has a small vulnerability that can be
exploited so that users can still have their name contain the
terms Gmail or Google. You may wonder how to do this. But it’s very
simple.

1. Login to your Gmail account and click on Settings.

2. Select Accounts tab

3. Click on edit info

4. In the Name field, select the second radio button and enter the
name of your choice. Click on Save Changes and you’re done!

Now, Gmail accepts any name even if it contains the term Google or
Gmail. You can see this from the snapshot below.

[Snapshot: gmailhack]



Allowing users to have their names contain the terms Gmail or
Google is a serious vulnerability even though it doesn’t seem to be a
major one. This is because a hacker or a malicious attacker can easily
exploit this flaw and send phishing emails to other Gmail users asking
for sensitive information such as their passwords. Most users
don’t even hesitate to send their passwords since they believe that
they are sending them to the Gmail Team (or someone authorized). But in
reality they are sending them to an attacker who uses this information
to seek personal benefits.

So the bottom line is, if you get any emails that appear to have come
from the Gmail Team or similar, don’t trust them! Anyone can send such
emails to fool you and take away your personal details. Hope that
Gmail will fix this vulnerability as soon as possible to avoid any
disasters.


Anyway, they're not gonna listen.. Friggin up
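
Added example, not part of the original post and not Gmail's code: the gap described above is a rule enforced at sign-up but not on the settings edit, so this sketch routes both paths through one validator. The AccountStore class, its method names and the normalization rules are assumptions; only the two reserved terms come from the post.

```python
import unicodedata

# Reserved terms come from the post; everything else here is assumed.
RESERVED_TERMS = ("gmail", "google")


class NameRejected(ValueError):
    """Raised when a display name contains a reserved term."""


def normalize_name(text: str) -> str:
    # NFKC folds compatibility forms (e.g. fullwidth letters) to ASCII,
    # casefold removes case differences, and dropping non-alphanumerics
    # makes "G.m-a i l" compare equal to "gmail". Cross-script lookalike
    # letters are not handled by this sketch.
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def name_is_allowed(first: str, last: str) -> bool:
    # Check the name as a recipient would see it, first and last together.
    # This is deliberately strict and can over-block unrelated names.
    combined = normalize_name(first + last)
    return not any(term in combined for term in RESERVED_TERMS)


class AccountStore:
    """Hypothetical account store with a single write path for names."""

    def __init__(self):
        self.names = {}

    def set_name(self, user: str, first: str, last: str) -> None:
        # The only place a name is written, so the rule cannot be skipped.
        if not name_is_allowed(first, last):
            raise NameRejected(f"reserved term in name for {user}")
        self.names[user] = (first, last)

    def sign_up(self, user: str, first: str, last: str) -> None:
        if user in self.names:
            raise KeyError(f"{user} already exists")
        self.set_name(user, first, last)

    def edit_name(self, user: str, first: str, last: str) -> bool:
        # Settings-page edit: same validator as sign-up; False if rejected.
        if user not in self.names:
            raise KeyError(user)
        try:
            self.set_name(user, first, last)
        except NameRejected:
            return False
        return True
```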
