Archive for August 14th, 2008

As you probably have heard, security expert Petko D. Petkov (pdp), founder of GNUCITIZEN, had his GMail account violated and raided.
He told me he did not believe it had been a classic man in the middle attack, as many of us speculated during the past days, and interviewed by Dan Goodin he blamed XSS:

In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw.

Perhaps, but that doesn't make sense to us. XSS exploits typically allow you to enter restricted parts of a website without the benefit of a password. Whoever broke into Petkov's account was able to archive an entire email spool into an mbox file. Without knowing his password, the attackers most likely would have had to archive all 2GB message by message.

It makes sense to me, though (even if I still bet on a MITM, since GMail has been secured against cookie leakages side-tracking HTTPS only very recently): if you combine any XSS vulnerability with the very handy automatic password completion offered by modern browsers, stealing credentials becomes absolutely trivial.

However, if Petko is right, a certain comment of his about NoScript, posted under an article about GMail attacks (!) almost one year ago, sounds totally ironic now ;)

Bad Behavior has blocked 931 access attempts in the last 7 days.