  DonnaB Premium join:2003-05-07 malaysia
| GMail 'CheckAvailability' Script May Disclose User
Information to Remote Users
Impact: Disclosure of user information
Exploit Included: Yes
Description: A vulnerability was reported in Google's GMail beta e-mail service. A remote user may be able to determine information about another user attempting to register an account on the system.
Ahmed Motaz reported that a remote user can invoke the '/accounts/CheckAvailability' script repeatedly to cause the system to return information belonging to another user's query. The information disclosed includes the target user's first and last name and the target user's desired GMail account username.
The remote user must have a valid GMail invitation, the report said.
The vendor has reportedly been notified.
Impact: A remote user with a valid GMail invitation can determine information about another user attempting to register an account with the service, including the target user's first and last name and the target user's desired GMail account username.
Solution: No solution was available at the time of this entry.
»www.securitytracker.com/alerts/2···647.html -- MS MVP-Windows Security If U always expect the worst you will never be disappointed. |
|
  Supafly Premium join:2000-07-15 Elk Grove, CA | I dunno which is worse, the above or this? |
|
  EvilByDesire Premium join:2002-09-03 00000
·Atlantic Broadband
| said by Supafly : I dunno which is worse, the above or this?
HOLY SHIZNIT!!!!! :o:o:o -- Either you know how to use MIRC, or you don't, there is no in between |
|
 Tablet Premium join:2003-01-15 Czech
| reply to Supafly Re: GMail 'CheckAvailability' Script May Disclose
said by Supafly : I dunno which is worse, the above or this?
Wow, this is serious indeed. Those spammers out there have a lucky day  |
|
  Defcon888 Premium join:2003-07-22 San Bruno, CA
·AT&T Yahoo
·DSL EXTREME
| reply to Supafly said by Supafly : I dunno which is worse, the above or this?
my..... god..... -- 00111110 01011111 00111100 00100000 01101111 01011111 01001111 00100000 01011000 01011111 01111000 |
|
  KoolMoe Aw Man Premium join:2001-02-14 Annapolis, MD clubs: | reply to Supafly Phew, my gmail username doesn't seem to be listed - at least, not any more (or not yet?). That is pretty lame though, especially that it's lasted. Google being in control of their cache and robot should have this cleaned out immediately. KM |
|
  Supafly Premium join:2000-07-15 Elk Grove, CA
| said by KoolMoe : That is pretty lame though, especially that it's lasted. Google being in control of their cache and robot should have this cleaned out immediately.
I totally agree, I saw that posted in another forum here almost 2 weeks ago, they have yet to clean it out. |
|
 B Premium,MVM join:2000-10-28
| Wow. Just in case it gets fixed today, here's my screenshot. Only 480 names though?
-- B -- In a realm outside causality and function |
|
  justin Australian join:1999-05-28 Brooklyn, NY | yeah it's funny but it's only 480 names. Not even worth one second of a spammer's time. |
|
  EvilByDesire Premium join:2002-09-03 00000
·Atlantic Broadband
| said by justin : yeah it's funny but it's only 480 names. Not even worth one second of a spammer's time.
Maybe not for a "big time" spammer, but little up and coming spammers can probably make a good profit for sending spam to gmail accounts since they are so popular -- Either you know how to use MIRC, or you don't, there is no in between |
|
  mdshort
join:2004-05-07 Marion, AR | reply to DonnaB I think he was being sarcastic.  |
|
  Chizep Premium join:2002-04-07 Concord, NC
| reply to EvilByDesire Re: GMail 'CheckAvailability' Script May Disclose
said by EvilByDesire : said by justin : yeah it's funny but it's only 480 names. Not even worth one second of a spammer's time.
Maybe not for a "big time" spammer, but little up and coming spammers can probably make a good profit for sending spam to gmail accounts since they are so popular
Kiddie spammers?  |
|
  Qumahlin Never Enough Time Premium,MVM join:2001-10-05 united state
| reply to EvilByDesire said by EvilByDesire : said by justin : yeah it's funny but it's only 480 names. Not even worth one second of a spammer's time.
Maybe not for a "big time" spammer, but little up and coming spammers can probably make a good profit for sending spam to gmail accounts since they are so popular
Let them. I have roughly 25 email accounts each for various services and reasons. As a stress test for Gmail and to test its filtering and separation features I have since set all my email addys to forward a copy of any mail they receive to my Gmail account.
Guess what: so far Gmail has yet to let a single spam through to my inbox, whereas the other accounts which the email is coming from, even though they use Brightmail and other spam elimination tactics, have let the spam through... So far my Gmail account has marked every spam perfectly and thrown them in the spam box.
It did have one false positive but it was from a friend whose email name is quite close to something you'd consider spam at a first glance and the message did contain a few phrases that I can see being considered spam. But the resolution was simple: I marked the sender as not spam and now all her emails come through just fine.
So if a spammer wants to waste time spamming Gmail let em -- Forum Posts:5004 |
|
  justin Australian join:1999-05-28 Brooklyn, NY
| I'm not sure that forwarding is a good test of spam filters. Because a forwarded message is distinctly different than a real spam message. It comes from a different place, for a start. Not saying your test doesn't say anything about gmail filters. Just not sure that if in that test a spam filter let messages through, it would let those same messages through if they were aimed at the account in the first place. |
|
  CPM
join:2001-08-24 Miami, FL
| reply to justin Re: GMail 'CheckAvailability' Script May Disclose
It is still not patched. Sometimes having 1st generation things is NOT the best thing to have.
It is not the best to be first on the block after all:) -- Broadwayman.com - Internet portal for Everything Broadway and New York. |
|
  Ken Premium,MVM join:2003-06-16 Brownsburg, IN
| reply to Qumahlin This was posted awhile back but still good info. quote:
How long does it take to fill up 1 Gig of storage with spam? How well do Gmail's junk filters work? Let's find out! Spam my shiny new G-mail account at prattboy@gmail.com Give my address to spammers, newsletters, annoying people, whatever, and let's see how long it takes
»gmail.prattboy.net/ -- Visit my homepage:»www.kenmerritt.com |
|
 B777300
join:2002-01-02
| reply to Supafly Re: GMail 'CheckAvailability' Script May Disclose User
said by Supafly : I dunno which is worse, the above or this?
Holy. |
|
  novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
| reply to DonnaB Re: GMail 'CheckAvailability' Script May Disclose
This is why gmail is beta. When you take part in a beta, expect bad things to happen, sometimes really, really bad. Here's an example for you: when I was in the really early phases of one beta game, before it was even in closed beta, I was there in non-public beta, aka in-house beta or in-house alpha. I had to reinstall my OS 3 times in less than a week's time; during the entire beta I had 6 OS reinstalls. This is what betas are all about: finding bugs, reporting them and getting them fixed. Betas are not about getting a game, OS or email account for free.
With that said, on things such as gmail you should not put in any information that you would not want public, things like real name, address and phone number. I'd not use gmail for sending anything you would consider sensitive information either. -- new 3d chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php |
|