Thread: Serious GMAIL Vulnerability - Closing Browser does not end session in some cases
2006-04-23 21:22:39
I'm not sure if there has been any information published regarding this issue, so here it is:
If you're signed in to your Google Accounts, google.com/accounts, and then close the browser (I've tried Explorer 6.0, 7.0 and Firefox 1.5, all worked) then launch the browser again to point to gmail.com, your Gmail account is there for the taking. Worked 6 out of 6 tries.
This does NOT work if you're just signed in to Gmail, only on Google Accounts.
This is serious, because anyone checking their Gmail in a public place, like an internet cafe, thinking that session ends when you close the browser (it should) is in for a surprise. If the next user launches the browser pointed to gmail.com he will have full access to your account.
Any observations?
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.
List Rules: gmail-users.listrules gmusers.com
To post to this group, send email to Gmail-Users googlegroups.com
To unsubscribe from this group, send email to Gmail-Users-unsubscribe googlegroups.com
For more options, visit this group at http://groups.google.com/group/Gmail-Users
-~----------~----~----~----~------~----~------~--~---
2006-04-24 11:24:30
The Google account is never closed when quitting a browser, probably because the cookie doesn't expire. It's not a bug, it's very nice 'cause you don't have to re-login each time you launch your browser (for example, I have Gmail as a shortcut and my Firefox start page is the customized Google).
If you are in a public place, manually close your session. If you are in front of your personal computer, there's no need to close it.
2006/4/23, Cunning Linguist <fastreply gmail.com>:
> I'm not sure if there has been any information published regarding this issue, so here it is:
> If you're signed in to your Google Accounts, google.com/accounts, and then close the browser (I've tried Explorer 6.0, 7.0 and Firefox 1.5, all worked) then launch the browser again to point to gmail.com, your Gmail account is there for the taking. Worked 6 out of 6 tries.
> This does NOT work if you're just signed in to Gmail, only on Google Accounts.
> This is serious, because anyone checking their Gmail in a public place, like an internet cafe, thinking that session ends when you close the browser (it should) is in for a surprise. If the next user launches the browser pointed to gmail.com he will have full access to your account.
> Any observations?
http://asphyx0r.deviantart.com http://www.coolminiornot.com/browse/submitter/asphyx
2006-04-24 22:21:08
If you are on a public computer, you should ALWAYS click sign out, log off, etc. when you leave a website that requires a password whether it does it automatically when you close the browser or not. It's actually common sense that you should sign out before you leave public computers.
On 4/24/06, asphyx <asphyx0r gmail.com> wrote:
> The Google account is never closed when quitting a browser, probably because the cookie doesn't expire. It's not a bug, it's very nice 'cause you don't have to re-login each time you launch your browser (for example, I have Gmail as a shortcut and my Firefox start page is the customized Google).
> If you are in a public place, manually close your session. If you are in front of your personal computer, there's no need to close it.
>> I'm not sure if there has been any information published regarding this issue, so here it is:
>> If you're signed in to your Google Accounts, google.com/accounts, and then close the browser (I've tried Explorer 6.0, 7.0 and Firefox 1.5, all worked) then launch the browser again to point to gmail.com, your Gmail account is there for the taking. Worked 6 out of 6 tries.
>> This does NOT work if you're just signed in to Gmail, only on Google Accounts.
>> This is serious, because anyone checking their Gmail in a public place, like an internet cafe, thinking that session ends when you close the browser (it should) is in for a surprise. If the next user launches the browser pointed to gmail.com he will have full access to your account.
>> Any observations?
-- nickman55.googlepages.com ----- Fight back spam! Download the Blue Frog.
http://www.bluesecurity.com/register/s?user=bmlja21hbjU1
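The thread attributes the behaviour to a cookie that "doesn't expire", i.e. a persistent cookie rather than a session cookie. As an added example (not part of the original posts), this Python sketch classifies Set-Cookie values by whether they survive a browser restart; the cookie names and header values are constructed for illustration and are not the cookies Google actually set.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie values; the cookie names are hypothetical.
SAMPLE_HEADERS = [
    "ACCT_SID=abc123; Path=/; Secure; HttpOnly; Expires=Thu, 24 Apr 2036 11:24:30 GMT",
    "MAIL_SID=def456; Path=/mail; Secure; HttpOnly",
    "REMEMBER=1; Max-Age=1209600; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "OLD_SID=; Max-Age=0",
]

def classify_set_cookie(value, now=None):
    """Return (name, kind, lifetime_seconds) for one Set-Cookie value.

    kind: 'session' (no lifetime attribute, dropped when the browser exits),
    'persistent' (stored on disk, survives a restart) or 'deleted'.
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    max_age = expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        try:
            if key == "max-age":
                max_age = int(val)
            elif key == "expires":
                expires = parsedate_to_datetime(val)
        except (TypeError, ValueError):
            pass  # unparsable attribute: ignore it, as browsers do
    if max_age is not None:  # Max-Age takes precedence over Expires
        lifetime = max_age
    elif expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = int((expires - now).total_seconds())
    else:
        return name, "session", None
    return name, ("persistent" if lifetime > 0 else "deleted"), lifetime

def cookies_surviving_restart(headers, now=None):
    """Names of cookies still sent after the browser is closed and reopened."""
    return [name for name, kind, _ in
            (classify_set_cookie(h, now) for h in headers) if kind == "persistent"]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_set_cookie(h))
```

Session-restore features in current browsers can keep even session cookies across a restart, so on a shared machine an explicit sign-out that invalidates the session server-side remains the reliable control.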