As you have probably heard, security expert Petko D. Petkov (pdp), founder of GNUCITIZEN, had his GMail account broken into and its contents raided.
He told me he did not believe it had been a classic man-in-the-middle attack, as many of us had speculated over the past few days, and when interviewed by Dan Goodin he blamed XSS:

In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw.

Perhaps, but that doesn’t make sense to us. XSS exploits typically allow you to enter restricted parts of a website without the benefit of a password. Whoever broke into Petkov’s account was able to archive an entire email spool into an mbox file. Without knowing his password, the attackers most likely would have had to archive all 2GB message by message.

It makes sense to me, though (even if I still bet on a MITM, since GMail has been secured against cookie leakage that sidesteps HTTPS only very recently): if you combine any XSS vulnerability with the very handy automatic password completion offered by modern browsers, stealing credentials becomes absolutely trivial.

However, if Petko is right, a certain comment of his about NoScript, posted under an article about GMail attacks (!) almost one year ago, sounds totally ironic now ;)

7 Responses to “Petko Was Playing With Fire…”

  1. #1 Wladimir Palant says:

    Well, best solution for this kind of problem is still not staying logged in on a site longer than necessary. If you need a web application that is constantly running - that’s what Prism is for. Separate process, separate environment, no interaction with the browser.

  2. #2 Giorgio says:

    @Wladimir:

    Well, best solution for this kind of problem is still not staying logged in on a site longer than necessary

    That, and remembering all your passwords without assistance.
    If your memory isn’t that great and you do use the password manager, I can steal your username and password with no need for you to be logged in (actually, it’s even easier when you’re logged out).
    Regarding Prism, I guess it won’t save you either if the malicious content is served by an iframe or an external script embedded in the web application itself.

  3. #3 Wladimir Palant says:

    Password manager has issues, true. Using an external "password manager" is a better solution so far.

    As to Prism, even in that unlikely situation, with Adblock Plus and the filter "*$third-party" it will do great (yes, Prism isn’t officially supported by Adblock Plus yet, working on that).

  4. #4 Giorgio says:

    @Wladimir Palant:
    As you know well, relying on AdBlock Plus for security purposes is not advisable, especially until bug 431782 gets fixed.
    You don’t want to be rickrolled by bad guys, do you? ;)

  5. #5 Sebastian Tschan says:

    I’d like to throw in that the Secure Login add-on makes Firefox Password Manager somewhat more robust against XSS attacks.

    Regards,
    Sebastian

  6. #6 surfergirl54 says:

    I have one for you. A woman by the name of Sunny Suggs published an E-book about Firefox add-ons specifically NoScript and how internet marketers can get around the security features. As a surfer I detest audio and video starting up without my permission. Suddenly I am not able to stop videos using UTube and some other audio and video, despite the fact that I have these disabled.

    Is there a way around this problem, because so far I have not been able to find a solution to stop the stuff that is heavy on bandwidth - my opinion is: If I want to look at the video then I can press the button, do not supply me with something that auto-starts. It is the auto-start that needs to be stopped. Darn shame because NoScript has been working so well.

  7. #7 Giorgio says:

    @surfergirl:
    I read the e-book by Mrs. Suggs, and it’s quite different than you’re suggesting.
    In fact, it explains to web marketers why and how to tell the users of their e-commerce sites to “disable” NoScript on their sites, i.e. by adding them to their whitelists.

    There’s no technique to “get around the security features” there yet, and I can assure you there are a lot of people more technically skilled than Mrs. Suggs trying every day :)
    Have you got an actual example of bypass occurring to you?
