Comments on: A flaw in Google’s G-Mail system allowed anyone access to any mailbox http://www.exploitx.com/151/a-flaw-in-googles-g-mail-system-allowed-anyone-access-to-any-mailbox/ Technology & Security Tips & Guides Mon, 17 Apr 2006 18:56:17 +0000 http://wordpress.org/?v=2.9 hourly 1 By: Peter Holloway http://www.exploitx.com/151/a-flaw-in-googles-g-mail-system-allowed-anyone-access-to-any-mailbox/comment-page-1/#comment-98 Peter Holloway Tue, 21 Feb 2006 22:33:50 +0000 http://www.exploitx.com/151/a-flaw-in-googles-g-mail-system-allowed-anyone-access-to-any-mailbox/#comment-98 I submitted (the above) Dec 3, 2005 comment. Is there any way to get a technical response to this inquiry? Thank you. I submitted (the above) Dec 3, 2005 comment. Is there any way to get a technical response to this inquiry?

Thank you.

]]> By: Peter Holloway http://www.exploitx.com/151/a-flaw-in-googles-g-mail-system-allowed-anyone-access-to-any-mailbox/comment-page-1/#comment-55 Peter Holloway Sat, 24 Dec 2005 06:36:01 +0000 http://www.exploitx.com/151/a-flaw-in-googles-g-mail-system-allowed-anyone-access-to-any-mailbox/#comment-55 I discovered I am a "targeted victim". I noticed something funny about my Gmail Login window, which blinked once and auto-filled the login name with another person's name -- a name I recognize as an employee in the company I work for. When I checked the FORMS tab under Page Info, I found a form that posted a Form Action "https://www.google.com/accounts/ServiceLoginAuth". In this form, there is a hidden continue to "http://www.google.com/gmail?", a hidden mail service, a text Email containing the HR persons first and last names, a Passwd field containing "********" (not the real password), a PersistanCookie checkbox marked "yes" and, finally, a null field that submits on "Sign in". It seems that this employee has exploited the Gmail login vulnerability described above and is likely eavesdropping in on my personal Gmails. Isn't this illegal? Seems like interstate wiretapping to me, or a least a violation of the Communications Act of 1986. Is there any way that the "********" Passwd is detectable? How did this form get into an Info Page on my browser? I understand that the original bug reported above allowed someone to access anyone else's Gmail account before it was corrected. Can this person still be hacking me even now? If so, do you think this person has criminal or civil exposure? Does it help to contact "authorities" or even a lawyer? I want to nail this person! Can you help me? I would really appreciate it. I discovered I am a “targeted victim”. I noticed something funny about my Gmail Login window, which blinked once and auto-filled the login name with another person’s name — a name I recognize as an employee in the company I work for.

When I checked the FORMS tab under Page Info, I found a form that posted a Form Action “https://www.google.com/accounts/ServiceLoginAuth”. In this form, there is a hidden continue to “http://www.google.com/gmail?”, a hidden mail service, a text Email containing the HR persons first and last names, a Passwd field containing “********” (not the real password), a PersistanCookie checkbox marked “yes” and, finally, a null field that submits on “Sign in”.

It seems that this employee has exploited the Gmail login vulnerability described above and is likely eavesdropping in on my personal Gmails.

Isn’t this illegal? Seems like interstate wiretapping to me, or a least a violation of the Communications Act of 1986.

Is there any way that the “********” Passwd is detectable? How did this form get into an Info Page on my browser? I understand that the original bug reported above allowed someone to access anyone else’s Gmail account before it was corrected. Can this person still be hacking me even now? If so, do you think this person has criminal or civil exposure? Does it help to contact “authorities” or even a lawyer?

I want to nail this person!

Can you help me? I would really appreciate it.

]]>