Google Account Phishing Vulnerability | Hong Xiaowan | Tuesday, August 7, 2007
I only visit trusted sites, and use another computer to visit new sites.
Haochi | 17 years ago
This is so old, I can't believe Google still hasn't got that fixed. The keywords are: redirect and escape. :D
TOMHTML | 17 years ago
Just as news I recently read: "hackers can hack your gmail account"... yeah, only if you use a public wifi network and if you don't encrypt the data. Biased news sucks.
Philipp Lenssen | 17 years ago
Uhm, Tom, what is biased about news that tells people of a security issue that needs public wifi as context? I for one was happy to have heard that wifi news because I wasn't aware of this (and contacted the security expert who came up with the hacking tools for it for some reporting, though he hasn't responded yet).
TOMHTML | 17 years ago
Biased news because the media aren't really specialists in technology, so once they hear Gmail has been hacked they publish "there is a big flaw in Gmail" and want to frighten people. "If a hacker did that with an account, every hacker on Earth can/will do that with your account." I don't like that.
Philipp Lenssen | 17 years ago
Ah OK. I read it at the BBC I think, which had got the details right (I think!)...
What I think makes sense is to point out what someone else can do once they've got your Google Account password. Because that scope is just immense. No need to be scared, but it makes sense to be cautious.
I wonder if people here log in to Google when they're in an internet cafe, on some computer they don't know?
Rohit Srivastwa | 17 years ago
Philipp, here is the detailed news with screenshots describing it: http://blogs.zdnet.com/Ou/?p=651
TOM is right, it's not a Gmail vulnerability, it's the way the media attracts traffic. This thing can be used to steal the password/session of any website (Gmail included).
In his blog the tool author has mentioned that Salesforce is one of the websites which is safe from such attacks.
Stephan Locher | 17 years ago
What I don't get with all these potential issues: Why is there no log available to me, showing me when I have logged in successfully the last couple of times? With this simple method you don't have more security in the first place, but at least you are able to notice that someone has stolen your password, and change it on your Google account and about a hundred other sites where you use the same password ;-)
btw. does anyone know why https://mail.google.com redirects to http://mail.google.com after logging in?
Philipp Lenssen | 17 years ago
Here's an interesting phishing attempt, though this one is very obvious:
http://blogoscoped.com/files/gmail-phishing-2007.png
[Thanks Hanan C.!]
Rohit Srivastwa | 17 years ago
Stephan,
I remember that redirection issue you brought up. But today when I tried again, it's not redirecting me to the non-SSL page after logging in. Seems like Google has made this change recently.
Veky | 17 years ago
> does anyone know why https://mail.google.com redirects to http://mail.google.com after logging in?
I think I know (or at least I hope). Because Google doesn't want to create a false sense of security. Your Gmail password is one thing, but the mails themselves are not secure, and cannot be with the current infrastructure.
Martin Porcheron | 17 years ago
> does anyone know why https://mail.google.com redirects to http://mail.google.com after logging in?
It works correctly for me (https -> https). I'm in the UK.
Tony | 16 years ago
Another site which seems like phishing for your Google password (I added spaces so that no one clicks it by mistake):
http:// orkutverification.awardspace.com/ orkut.htm
Haochi | 16 years ago
> does anyone know why https://mail.google.com redirects to http://mail.google.com after logging in?
When you sign in, it's always https, regardless of what you typed. So make sure to change your bookmark to https://mail.google.com (or keep a habit of typing https://).
[Link formatting fixed. Tony]
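A check one could script for the https-to-http redirect question raised in this thread, as an added example that is neither from the thread nor from Google: it resolves a constructed redirect chain the way a browser would and flags any hop that downgrades to plain http or leaves an allowlist of trusted hosts (the Location values, hosts and allowlist are all assumed).

```python
from urllib.parse import urljoin, urlsplit

# Constructed example chain, modelled on the observation in the thread: a
# login that starts on https://mail.google.com and ends on a plain-http page.
# These Location values are invented for illustration; they are not real
# Google responses.
OBSERVED_START = "https://mail.google.com/"
OBSERVED_LOCATIONS = [
    "/accounts/ServiceLogin?continue=/mail/",  # relative redirect, still https
    "http://mail.google.com/mail/",            # absolute redirect, downgraded
]

# Assumed allowlist of hosts a Gmail login is allowed to bounce through.
TRUSTED_HOSTS = {"mail.google.com", "www.google.com"}


def resolve_chain(start_url, location_headers):
    """Turn the Location header values seen while following a login
    (relative, protocol-relative or absolute) into the absolute URLs the
    browser would actually request, in order."""
    hops = [start_url]
    for loc in location_headers:
        hops.append(urljoin(hops[-1], loc.strip()))
    return hops


def audit_chain(hops, trusted_hosts):
    """Report the hops a user should worry about: an https -> http
    downgrade (the session cookie now travels in the clear, which is
    exactly the public-wifi scenario) and any hop that leaves the
    trusted hosts (the open-redirect phish the thread hints at)."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = urlsplit(hops[i - 1]), urlsplit(hops[i])
        if prev.scheme == "https" and cur.scheme != "https":
            findings.append((i, "downgrade", hops[i]))
        if cur.hostname not in trusted_hosts:
            findings.append((i, "off-host", hops[i]))
    return findings


if __name__ == "__main__":
    chain = resolve_chain(OBSERVED_START, OBSERVED_LOCATIONS)
    for hop in chain:
        print(hop)
    for index, kind, url in audit_chain(chain, TRUSTED_HOSTS):
        print(f"hop {index}: {kind} -> {url}")
```

Feeding it the chain your browser's network log shows during a real login tells you whether the bookmark advice above actually held all the way to the inbox.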