GoFuckYourself.com - Adult Webmaster Forum


Matt 26z 12-25-2007 10:35 PM

Did the GMail backdoor cause the ePass break-ins?
 
Saw this thread about the guy losing his domain because of Google's security problems with GMail... http://www.gofuckyourself.com/showthread.php?t=794845

I think a possible relation to the ePass hacks deserves its own thread.

So those of you who had money stolen out of your ePass account, did you at the time have a GMail email address listed at ePass?

If so, prior to October 1st all you had to do was visit the website of a scammer while logged into GMail in another window. The security flaw allowed the scammers to set up your GMail account to forward certain emails to them. Emails such as "i forgot my password" requests.
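An added example, not part of the original post: a defender-side audit that flags mail filters forwarding to outside addresses, the persistence mechanism the post describes. The filter record shape, the `OWN_DOMAINS` set, the keyword list and the sample data are all constructed assumptions, not any mail provider's real export format.

```python
import re

# Assumption: domains the account owner controls; anything else is "external".
OWN_DOMAINS = {"example.com"}

# Phrases typical of account-recovery mail (constructed list, extend as needed).
RECOVERY_RE = re.compile(
    r"forgot|password|reset|recover|verif|security code|login", re.I)

def audit_filters(filters, own_domains=OWN_DOMAINS):
    """Return (filter_id, severity, reason) for each externally forwarding filter.

    Each filter is a dict in a constructed shape:
      {"id": str, "criteria": {"from": str, "subject": str, ...},
       "forward": str or None}
    """
    findings = []
    for f in filters:
        target = (f.get("forward") or "").strip().lower()
        if not target:
            continue  # filter does not forward mail anywhere
        domain = target.rpartition("@")[2]
        if domain in own_domains:
            continue  # forwarding to an address the owner controls
        crit = f.get("criteria") or {}
        text = " ".join(str(v) for v in crit.values() if v)
        if not text:
            findings.append((f["id"], "high", f"forwards ALL mail to {target}"))
        elif RECOVERY_RE.search(text):
            findings.append((f["id"], "high", f"forwards recovery mail to {target}"))
        else:
            findings.append((f["id"], "review", f"forwards to external {target}"))
    return findings

# Constructed sample data, not taken from any real account.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "news@lists.example.org"}, "forward": None},
    {"id": "f2", "criteria": {"subject": "I forgot my password"},
     "forward": "collector@attacker.invalid"},
    {"id": "f3", "criteria": {"from": "billing@vendor.example.net"},
     "forward": "me@example.com"},
    {"id": "f4", "criteria": {}, "forward": "drop@attacker.invalid"},
    {"id": "f5", "criteria": {"from": "boss@partner.example.net"},
     "forward": "assistant@partner.example.net"},
]

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_FILTERS):
        print(*finding, sep="\t")
```

A forwarding rule planted this way keeps working after the password is changed, so the filter list needs reviewing separately from the credentials.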

V_RocKs 12-25-2007 11:05 PM

No.. This dipshit used Internet cafes in India of all places and didn't expect the owners or other clients to install key loggers and other shit.

Matt 26z 12-26-2007 12:01 AM

Quote:

Originally Posted by V_RocKs (Post 13564123)
No.. This dipshit used Internet cafes in India of all places and didn't expect the owners or other clients to install key loggers and other shit.

You did or are you talking about the guy in the original article? Regardless of where he was accessing the internet, there was a confirmed security flaw with Gmail.com that allowed code from a scammer's site to control Gmail functions if you were logged in there.

This is the third major CSRF security flaw at GMail this year alone.

The first was fixed early in the year and allowed your contact list to be seen by anyone:
http://www.cyber-knowledge.net/blog/...ist-hijacking/

Then shortly later more flaws were found that allowed access to all sorts of things:
http://blogoscoped.com/archive/2007-01-12-n73.html

The third known flaw is the one we are discussing now:
http://searchsecurity.techtarget.com...274261,00.html


Considering Google's spotty record on CSRF issues, it seems as if the only protection is to either log out before accessing any other website or just stop using GMail entirely right now for anything serious.

We can only speculate on how safe their system currently is or if these flaws will continue to surface in 2008.

WarChild 12-26-2007 12:07 AM

Damn, Google has to be really careful, soon Minusonebit will get on them and then they're done for.

TidalWave 12-26-2007 12:09 AM

Gmail is new, Hotmail and Yahoo all had their fair share of exploits

KrisKross 12-26-2007 12:34 AM

The ePass break-ins happened because a traffic seller had an unprotected, unencrypted list of his customers' usernames and passwords on his site.

The link got out and it just so happens that loads of dumbass webmasters used the same username/password combo for the traffic site as they did on ePassporte.


All times are GMT -7.