Why you should always log off Gmail

Posted by Martin in Email, Security  Tags: , ,

27

Dec



Let me narrate a story to you. A story of someone who has an Gmail account and a domain registered to his name. This someone checks his Gmail account regularly and visits other sites afterwards. It is so convenient to stay logged in at Gmail in case you want to check again. Maybe Gmail is open all the time in another tab for even further comfort.

While on vacation in India this someone received some very disturbing news from some of his friends telling him that something was wrong with the domain that he was owning. It was not loading his website anymore but redirecting to another website he never heard of before.

He investigated the matter and discovered, that he was no longer the owner of the domain name which happens to be his name dot com. First he thought that the domain might have expired but soon thereafter he discovered that a Gmail hack had been used to change the owner of the domain name.

It works like this. If you stay logged in at Gmail and visit a prepared website afterwards your Gmail filter list can be altered. In this case all mail from the domain provider was forwarded to another mail account and deleted at Gmail. The new password request was forwarded to the hacker who was then able to initiate the domain transfer at the webhoster.

Since all mails regarding the transfer were immediately redirected and deleted the victim had no idea on what was going on. The only possibility would be if he would have logged into the webhosters website and take a look at the tickets that had been created to transfer the domain.

You can read the long version on David Arey’s Website. This hole has been fixed apparently but filters that have been set before can still be in place. If you use Gmail you should check your filters asap and make sure that they have not been altered in any way.

Since this is probably not the last security hole you should make sure that you always log off when you are finished. Another possibility would be to use an email program like Thunderbird instead.


Like such posts? Get updates via RSS NEWS FEED. Love Ghacks? Find out how you can help!

Spread The Article: Digg del.icio.us StumbleUpon Reddit Facebook Slashdot TwitThis YahooMyWeb Fark Mixx NewsVine

9 Users Commented In This Post

Subscribe To This Post Comment Rss Or TrackBack URL
Thilak says, December 27th, 2007   

Yet another reason to use Thunderbird or Outlook to fetch your emails from Gmail!

Tchelo says, December 27th, 2007   

I used to be a frequent reader of gHacks.net, but this is too much BS for me to keep reading. Come on! Gmail Filters being hacked?! Yeah, right…
You should really confirm your stories before you post them. Oh please!

Martin says, December 27th, 2007   

Tchelo I would be very careful with those assumptions. Did you check out this link ? http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/

Maybe it’s time for an apology..

JC says, December 27th, 2007   

boy that David Arey story is a nightmare… hadn’t heard anything about it until now. It’s a tough situation, you want a non domain e-mail contact for registrar’s or domain hosts if you need a contact if your domain/server goes down and you only own one server, but those other options are generally web accessible.

Ace_NoOne says, December 27th, 2007   

If you must use a web-based reader (I sill prefer a client like Thunderbird), why not use WebRunner/Prism, specifically and exclusively for that particular web app?

Rico says, December 27th, 2007   

i’d recommend using GMail’s POP3 or IMAP access via your favorite email client. Personally, i’ve never stayed logged into GMail’s web interface because i don’t like Google cataloging my search history, among other things.

kurt wismer says, December 28th, 2007   

a) to those who think this is a hoax, it is not… nor is the problem new, it’s cropped up at least 3 times that i know of and i wrote about it at the beginning of 2007… do a search for csrf and gmail and you should find plenty on it (csrf is cross site request forgery)…
b) logging out of gmail may not be sufficient… google operates a single sign-on system such that if you’re logged into one of their services you’re logged into all of them… if gmail is the only google service you use then logging out of gmail would be sufficient, but if you use other services like google calendar, google docs, google reader, etc - then logging into any one of them will log you back into gmail and expose you to the risk of having your gmail account hijacked…

从Gmail漏洞到一个网站被窃取的故事 » Ghacks CN says, December 30th, 2007   

[...] 原文链接。 [...]

Jay says, March 17th, 2008   

Ghacks - this is a pretty silly article. For starters, you got the title wrong - It should have been “Filters in gmail can screw your life!”. Why wouldn’t anyone logff their email in a cybercafe in India / Thailand or whateva!? Logging off your email is an ettiqutte on the web and anyone who doesn’t is always vulnerable.

Leave Your Comments Below
Hello, please leave your thought below

Please Note: Each comment will be manually approved by an admin. There is no guarantee that a comment will be posted. Please do not submit the comment multiple times.