Why you should always log out off Gmail
Let me tell you a story. A story of a person who has an Gmail account and a domain registered to his name.That person checks Gmail regularly for new emails and uses the same browser to visit other websites and services as well.
It is convenient to stay signed in as you do not need to type your password or email address anymore when you go back to Gmail to check for new mail. Maybe Gmail is open all the time in another tab for even further comfort.
While on vacation in India the person received some disturbing notifications about his domain from some of his friends. The website was not loading anymore but redirecting all visitors to a new website that seemingly had no connection with the original domain whatsoever.
He investigated the matter and discovered that he was no longer the owner of the domain name which happened to be his name dot com. First he thought that the domain might have expired but soon thereafter he discovered that a Gmail hack had been used to change the owner of the domain name.
It works like this. If you stay logged in at Gmail and visit a prepared website afterwards your Gmail filter list can be altered. In this case all mails from the domain provider was forwarded to another mail account and deleted on Gmail afterwards so that the owner of the account would not receive information about it or stumble upon it on the site.
The new password request was forwarded to the hacker who was then able to initiate the domain transfer at the webhoster.
Since all mails regarding the transfer were immediately redirected and deleted the victim had no idea what was going on. The only possibility would be if he would have logged into the webhosters website and take a look at the tickets that had been created to transfer the domain.
You can read the long version on David Arey's Website. This hole has been fixed apparently but filters that have been set before can still be in place. If you use Gmail you should check your filters asap and make sure that they have not been altered in any way.
Since this is probably not the last security hole you should make sure that you always log off when you are finished.
Another possibility would be to use an email program like Thunderbird instead.
The same goes for accessing accounts on local computer systems. If you need to sign in, you better make sure that the information are not stored by the web browser and that you sign out when you are finished and clear the cache and cookies as well to be on the safe side.
Advertisement
Ghacks – this is a pretty silly article. For starters, you got the title wrong – It should have been “Filters in gmail can screw your life!”. Why wouldn’t anyone logff their email in a cybercafe in India / Thailand or whateva!? Logging off your email is an ettiqutte on the web and anyone who doesn’t is always vulnerable.
a) to those who think this is a hoax, it is not… nor is the problem new, it’s cropped up at least 3 times that i know of and i wrote about it at the beginning of 2007… do a search for csrf and gmail and you should find plenty on it (csrf is cross site request forgery)…
b) logging out of gmail may not be sufficient… google operates a single sign-on system such that if you’re logged into one of their services you’re logged into all of them… if gmail is the only google service you use then logging out of gmail would be sufficient, but if you use other services like google calendar, google docs, google reader, etc – then logging into any one of them will log you back into gmail and expose you to the risk of having your gmail account hijacked…
i’d recommend using GMail’s POP3 or IMAP access via your favorite email client. Personally, i’ve never stayed logged into GMail’s web interface because i don’t like Google cataloging my search history, among other things.
If you must use a web-based reader (I sill prefer a client like Thunderbird), why not use WebRunner/Prism, specifically and exclusively for that particular web app?
boy that David Arey story is a nightmare… hadn’t heard anything about it until now. It’s a tough situation, you want a non domain e-mail contact for registrar’s or domain hosts if you need a contact if your domain/server goes down and you only own one server, but those other options are generally web accessible.
Tchelo I would be very careful with those assumptions. Did you check out this link ? http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
Maybe it’s time for an apology..
I used to be a frequent reader of gHacks.net, but this is too much BS for me to keep reading. Come on! Gmail Filters being hacked?! Yeah, right…
You should really confirm your stories before you post them. Oh please!
Yet another reason to use Thunderbird or Outlook to fetch your emails from Gmail!