Israeli Hacker Claims a Gmail Hole

Controversial out of the box when critics accused it of all but sanctioning data mining, Google's Gmail free email service may have another major problem: An Israeli hacker told a magazine here that a major security hole in Gmail gives outsiders full access to user accounts without needing a password.

"Everything could get publicly exposed – your received mails might be readable, as well as all of your sent mail, and furthermore – anyone could send and receive mail under your name," Nir Goldshlagger told Nana NetLife Magazine, but he also said that it isn't known or confirmed yet whether any hacker has actually tried it.

"Even more alarming is the fact that the hack itself is quite simple," he said. "All that is needed of the malicious hacker, beside knowledge of the specific technique, is quite basic computer knowledge, the victim's username – and that’s it, he's inside."

The magazine said Google has acknowledged the security flaw but assured anyone concerned that it is working to resolve the flaw and is going "to any length to protect its users."

An unidentified representative at the New York office of email security company MessageLabs said only that the company's main teams in Britain were likely to be working on analyzing the flaw and watching out for any problems from any clients using Gmail.

Nana said its editorial board tested the flaw "many times" after Goldshlagger discovered and revealed it and their tests "had shown an alarming success rate." But the magazine is being very careful not to reveal too much, for fear of further jeopardizing Gmail users' mailboxes.

"[W]e will only disclose that the process is based upon a security breach in the service's identity authentication," the magazine said. "It allows the hacker to 'snatch' the victim's cookie file (a file planted in the victim's computer used to identify him) using a seemingly innocent link (which directs to Gmail's site itself). Once stolen, this cookie file allows the hacker to identify himself as the victim, without the need of a password. Even if the victim does change his password afterwards, it will be to no avail."

Goldshlagger said that because the system authenticates a hacker as the victim by way of the stolen cookie file, a password isn't needed to authenticate. "The victim can change his password as many times as he pleases, and it still won't stop the hacker from using his box," he said.
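The behaviour described above, where a copied cookie keeps working after a password change, comes down to whether the server ties each session to the credentials in force when it was issued. The following is an added example, not code from the article or from Google, and it does not claim to reflect how Gmail's sessions are built. The `SessionStore` class, its `revoke_on_password_change` switch and the sample account are hypothetical, and the toy store compares the weak setting with the corrected one.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Toy server-side session table (hypothetical, constructed for illustration)."""

    def __init__(self, revoke_on_password_change=True):
        self.revoke = revoke_on_password_change
        self.users = {}     # username -> {"salt", "hash", "gen"}
        self.sessions = {}  # cookie value -> (username, gen at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        gen = self.users.get(username, {"gen": -1})["gen"] + 1
        # Bumping "gen" is what invalidates cookies issued under the old password.
        self.users[username] = {"salt": salt, "hash": self._hash(password, salt), "gen": gen}

    def login(self, username, password):
        user = self.users.get(username)
        if not user or not hmac.compare_digest(user["hash"], self._hash(password, user["salt"])):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (username, user["gen"])
        return cookie

    def authenticate(self, cookie):
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        username, gen = entry
        if self.revoke and gen != self.users[username]["gen"]:
            del self.sessions[cookie]  # stale cookie: drop it and refuse
            return None
        return username


def cookie_survives_password_change(store):
    """Return True if a cookie copied before a password change still works after it."""
    store.set_password("alice", "old-password")    # constructed sample account
    copied = store.login("alice", "old-password")  # stands in for the copied cookie
    store.set_password("alice", "new-password")
    return store.authenticate(copied) == "alice"
```

With `revoke_on_password_change=False` the function returns `True`, matching the article's description; with the default it returns `False`, because the password change bumps the generation counter and the old cookie no longer matches.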