[SLL] Gmail Security Hole

Brian Hatch bri at ifokr.org
Fri Jun 1 18:06:21 PDT 2007


Circa 2007-06-01 08:43 -0700, Jerry Horvath kibitzed:

> My Gmail has been compromised.  See the following link.
...

> http://net.nana.co.il/Article/?ArticleID=155025&sid=127

2004 article, results no longer valid.

> Utilized by me is "RoboForm" to maintain track of passwords.  You can
> search for this to understand all its capabilities, but simply one
> uses a main password to secure a database of passwords for various
> sites.  It has the smarts to gather in User IDs & passwords when you
> sign-up on appropriate web pages.  For my sign-up for Google Checkout,
> I have the User ID/pw  combo for the account I signed up for with
> "balsac at yahoo.com", but I also have your User ID/pw!!!!

This sounds like you used the computer on which RoboForm is
installed at some point.  RoboForm saved the username/password
you typed.  That's its job.

> Somehow during the automation, RoboForm captured your sign-in
> credentials for User ID "jerroldhorvath", and tied it to the web page:
> https://www.google.com/accounts/ServiceLoginAuth.

Yep.  Your brother even confirms it.

The vulnerability is the person who typed their password
on a shared computer and didn't know it was logging their
actions.

If you change your Gmail password and your brother can still
get in, I'll personally take your issue to the Google security
folks.





-- 
Brian Hatch                  "Whose side are you on?"
   Systems and               "We are on the side of truth.
   Security Engineer          Is there another?"
http://www.ifokr.org/bri/

Every message PGP signed