374 - Gmail Bug: Very Bad

A rather severe-looking flaw in Gmail.

This is pretty bad mainly because it allows an attacker to log into your account indefinitely after the account has been hacked.

Usually you are only at risk until you have changed your password in situations like this. For example, in August a brute-force program called Gmail Hack was released that uses a dictionary attack to work out your password. Once cracked, the attacker can access your account until you change the password. With this new attack, you can change your password as often as you like and the attacker can still access your Gmail account.

Google is said to be working on the problem; hopefully it will be fixed ASAP.

From a brief look at the description of the problem, it appears to be a kind of cross-domain cookie exploit.

Google sets a cookie on your computer to allow you to bypass the Gmail login screen. Normally this cookie is set to expire after two weeks. If they can get hold of the cookie, an attacker can modify it to extend the time limit, allowing them to log in to your account for as long as they want.
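A server-side design that closes both gaps described above, shown as an added example that is not from the original post and is not Google's implementation: the cookie carries a server-computed HMAC, the two-week lifetime is checked on the server, and a per-account password counter is bound into the cookie so a password change revokes it. The key, the account store and all names (`pw_epoch`, `issue_cookie`, `validate_cookie`, `change_password`) are constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # assumption: secret known only to the server
MAX_AGE = 14 * 24 * 3600               # two-week lifetime, as described on the page

# Constructed account store; pw_epoch is bumped on every password change.
ACCOUNTS = {"alice": {"pw_epoch": 1}}


def _mac(payload: str) -> bytes:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest().encode()


def issue_cookie(user: str, now: float) -> str:
    """Cookie = user|issued_at|pw_epoch|HMAC. The client never chooses the expiry."""
    payload = f"{user}|{int(now)}|{ACCOUNTS[user]['pw_epoch']}"
    return f"{payload}|{_mac(payload).decode()}"


def validate_cookie(cookie: str, now: float):
    """Return the user name if the cookie is acceptable, otherwise None."""
    payload, _, tag = cookie.rpartition("|")
    # Any edited field (including the timestamp) no longer matches the MAC.
    if not hmac.compare_digest(_mac(payload), tag.encode()):
        return None
    try:
        user, issued_at, epoch = payload.split("|")
        issued_at, epoch = int(issued_at), int(epoch)
    except ValueError:
        return None
    # Lifetime is computed by the server from its own signed timestamp.
    if not 0 <= now - issued_at <= MAX_AGE:
        return None
    account = ACCOUNTS.get(user)
    # A cookie issued before the latest password change is rejected.
    if account is None or account["pw_epoch"] != epoch:
        return None
    return user


def change_password(user: str) -> None:
    """Storing the new password is omitted; bumping the epoch revokes old cookies."""
    ACCOUNTS[user]["pw_epoch"] += 1
```

With this layout a stolen cookie is useful for at most two weeks, and only until the owner changes the password.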

If it is a cross-domain exploit, it could mean that it doesn’t affect all browsers, but I can’t be sure. What it seems you can be sure of is that you have to click a link to allow the attacker to steal your Gmail cookie. The short-term solution, as I see it: set up a bookmark to Gmail and only use that to access the site. Don’t use any other ways to get there, as they could be exploiting this security hole. It would seem this would be an excellent phishing-style exploit…