[nycphp-talk] [OT] Gmail security issue - avoid Froogle for a while?
inforequest
1j0lkq002 at sneakemail.com
Mon Jan 17 14:43:12 EST 2005
Keith Richardson keithjr-at-gmail.com |nyphp dev/internal group use| wrote:
>hmm link is down... do you have a recap of what it said?
>
>
>On Sat, 15 Jan 2005 01:15:01 -0500, inforequest
><1j0lkq002 at sneakemail.com> wrote:
>
>
>>Looks like a Froogle link can grab your personal info and access to
>>Google services data...
>>
>>http://www.aviransplace.com/index.php/archives/2005/01/13/serious-flaw-in-froogle-reveals-gmail-accounts/
>>
>>
>>
>>
I guess that means it is a legitimate threat ;-)
Until they fix it, avoid Froogle.
It was an HTML exploit of a Froogle security flaw, such that if you
browsed Froogle and clicked on a malicious link, it could grab some of
your Google account info from Froogle, and then use it to compromise
other Google services via your account data (including Gmail).
Typical demonstration of the hazards of central sign on.
-=john andrews
PS: here's a copy from Yahoo's cache:
1/13/2005
Serious flaw in Froogle Reveals Gmail Accounts
<http://www.aviransplace.com/index.php/archives/2005/01/13/serious-flaw-in-froogle-reveals-gmail-accounts/>
Filed under: Security, Google — Aviran Mordo @ 4:24 pm
New security flaw in Google’s price comparison engine, Froogle
<http://www.froogle.com>, was discovered by an Israeli hacker.
By embedding JavaScript in a URL pointing to Froogle, a hacker can gain
access to the user’s Gmail <http://www.gmail.com> account. The JavaScript
redirects the browser to a malicious web site, where the hacker can read
the user’s cookie, which contains personal information, such as purchase
history, user name and password for Google <http://www.google.com> services.
According to Nir Goldshlager, who discovered the flaw, even if the user
chooses not to save the cookie, the hacker can still discover the user’s
user name and password for other Google services such as Google Alerts,
Google Group, because Google stores a unique number per user that
identifies the user in other Google services, and the hacker will be
able to read this identification number.
Source: Ynet (Hebrew)
<http://www.ynet.co.il/articles/0,7340,L-3031962,00.html>