ghacks Technology News

Why you should always log off Gmail


Let me narrate a story to you. A story of someone who has a Gmail account and a domain registered in his name. This someone checks his Gmail account regularly and visits other sites afterwards. It is so convenient to stay logged in to Gmail in case you want to check again. Maybe Gmail is open all the time in another tab for even more comfort.

While on vacation in India, this someone received some very disturbing news from friends, who told him that something was wrong with the domain he owned. It no longer loaded his website but redirected to another website he had never heard of.

He investigated the matter and discovered that he was no longer the owner of the domain name, which happens to be his name dot com. At first he thought that the domain might have expired, but soon thereafter he discovered that a Gmail hack had been used to change the owner of the domain name.

It works like this. If you stay logged in to Gmail and then visit a prepared website, your Gmail filter list can be altered. In this case, all mail from the domain provider was forwarded to another mail account and deleted at Gmail. The new password request was forwarded to the hacker, who was then able to initiate the domain transfer at the web host.

Since all mails regarding the transfer were immediately redirected and deleted, the victim had no idea what was going on. The only way he could have noticed would have been to log in to the web host's website and look at the tickets that had been created to transfer the domain.

You can read the long version on David Arey’s website. The hole has apparently been fixed, but filters that were set before can still be in place. If you use Gmail, you should check your filters as soon as possible and make sure that they have not been altered in any way.

Since this is probably not the last security hole, you should make sure that you always log off when you are finished. Another possibility would be to use an email program like Thunderbird instead.




Categories: Email, Security




9 Responses to “Why you should always log off Gmail”

  1. Thilak says:

    Yet another reason to use Thunderbird or Outlook to fetch your emails from Gmail!

  2. Tchelo says:

    I used to be a frequent reader of gHacks.net, but this is too much BS for me to keep reading. Come on! Gmail Filters being hacked?! Yeah, right…
    You should really confirm your stories before you post them. Oh please!

  3. Martin says:

    Tchelo I would be very careful with those assumptions. Did you check out this link? http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

    Maybe it’s time for an apology..

  4. JC says:

    Boy, that David Arey story is a nightmare… hadn’t heard anything about it until now. It’s a tough situation, you want a non domain e-mail contact for registrars or domain hosts if you need a contact if your domain/server goes down and you only own one server, but those other options are generally web accessible.

  5. Ace_NoOne says:

    If you must use a web-based reader (I still prefer a client like Thunderbird), why not use WebRunner/Prism, specifically and exclusively for that particular web app?

  6. Rico says:

    I’d recommend using GMail’s POP3 or IMAP access via your favorite email client. Personally, I’ve never stayed logged into GMail’s web interface because I don’t like Google cataloging my search history, among other things.

  7. kurt wismer says:

    a) to those who think this is a hoax, it is not… nor is the problem new, it’s cropped up at least 3 times that i know of and i wrote about it at the beginning of 2007… do a search for csrf and gmail and you should find plenty on it (csrf is cross site request forgery)…
    b) logging out of gmail may not be sufficient… google operates a single sign-on system such that if you’re logged into one of their services you’re logged into all of them… if gmail is the only google service you use then logging out of gmail would be sufficient, but if you use other services like google calendar, google docs, google reader, etc – then logging into any one of them will log you back into gmail and expose you to the risk of having your gmail account hijacked…

  8. Jay says:

    Ghacks – this is a pretty silly article. For starters, you got the title wrong – It should have been “Filters in gmail can screw your life!”. Why wouldn’t anyone log off their email in a cybercafe in India / Thailand or whateva!? Logging off your email is an etiquette on the web and anyone who doesn’t is always vulnerable.


© 2005-2009 Ghacks.net. All Rights Reserved.