Home Forums Classifieds Blogs Today's Posts Search Social Groups


Glock Talk
Welcome To The Glock Talk Forums.
Thread Tools Display Modes
Old 01-12-2005, 10:53   #1
Senior Member
Toyman's Avatar
Join Date: May 2003
Location: West Michigan
Posts: 3,783
GMail Messages are Vulnerable to Interception

This is bad, really bad.

GMail Messages are Vulnerable to Interception
Mike - A forum post should be like a skirt. Long enough to cover the subject material, but short enough to keep things interesting.
"It's not about the odds, it's about the stakes." - quake
Toyman is offline   Reply With Quote
Old 01-12-2005, 11:01   #2
David_G17's Avatar
Join Date: Oct 2002
Posts: 7,678
oh no! someone's gonna read my spam.
"One handgun a month is too much."
"If you ask me, 12 handguns/year is too much."
"I'd be OK with one gun a year."
"We need the strong gun regs and enforcement Europe has."
-DU debates America's future 10/23/2005
David_G17 is offline   Reply With Quote
Old 01-12-2005, 11:07   #3
David_G17's Avatar
Join Date: Oct 2002
Posts: 7,678
b/c it might get knocked offline...

The HBX Networks
UNIX Community Group

GMail Messages are Vulnerable to Interception

January 12, 2005

The Discovery

It all started about 3 days ago when MrYowler and I were working on a mailing list script to send out a batch of newsletters for a free hacker-friendly shell service we operate. We made the decision to keep it simple; a Perl script based upon the Net::SMTP CPAN module. Being the Perl guru that MrYowler is (shut up! people will start having expectations of me! ;-P), he had one whipped up in about 20 minutes. In the course of testing the script, we cranked out 10 newsletters to our GMail inboxes. We were a little shocked with that happened next.

MrYowler opened up his mailbox, and noticed the email had arrived just fine. He clicked on the subject line, and as expected, the message showed correctly. However, when he clicked the "Show options" link, the "Reply To" field in the email header that GMail displayed contained what appeared to be HTML code! Upon further inspection, we realized that it was the message body of another person's HTML-formatted email message.

The Research

Wondering if something had happened during the message transmission, we viewed the message source via GMail's "Show original" link. In the source, we did not see any of the HTML code that GMail was showing us. No HTML at all, as we did not even use it in our newsletter. It appeared as a regular run-of-the-mill plain text message.

We became curious as to what had gone wrong, and whether it was an error in the script, or in the GMail messaging system. We examined the the output of our Perl script, and discovered that it was not transmitting the "From" header (in the message body) correctly - the trailing ">" character was missing in the address area.

Where it should have been "From:<>", we had "From:<".

This, apparently, was enough to get GMail to provide us with some portion of someone else's messages.

We speculate that there is a subroutine which determines where the "From" address component of a message, ends - and that this subroutine relies upon the closing ">" bracket to distinguish this end. When unable to find this character prior to a carriage return, it simply continues to read past the end of the allocated buffer for this component, until it either encounters this character in whatever data happens to be there, or until some upper buffer size limit is reached. We remain unsure of that buffer size limit, and whether, in fact, one exists.

We propose that the correct solution to this problem, might be to also search for non-displayable data, such as carriage returns, in this area, and to terminate the field on this basis. Alternatively, if the size of the field is determined separately, when allocated; that information could be retained, as a criterion for failure conditions, when the field is parsed.

It is possible that a large buffer area is being allocated, and then being populated only partially. This being the case (if so), then the data that we are seeing is what was left in memory, after the last time that this memory area was returned to the memory manager, and this error does not represent a buffer overflow, but rather, a poorly-managed boundary condition in the GMail server-side software.

Regardless of the specific failure, the result is a compromise of the privacy of communications over GMail. As demonstrated in the examples (below), message content and address information are easily - if somewhat randomly - available to unintended recipients. Usually, this only permits an attacker to examine recently-arrived spam in random user's inboxes - but (as noted in one example) message content does occasionally become more interesting.

The Conclusions

We do realize that GMail is an invitation-only service, in a beta-test state of development. Nevertheless, many people rely upon GMail heavily, and many more people are forced to communicate with GMail users, because of this reliance. These people should expect their communications to be vulnerable to interception, at least until GMail corrects the issue. And the appearance of this issue, at the user level, probably indicates a failure in GMail's code review and/or quality assurance standards, which may result in other, similar errors. We did not explore GMail for additional such errors, but based upon the nature of this one, we are confident that such exploration would bear interesting fruit. (Note to GMail's development teams: we are available for hire! Cheaply! ;-P)

So... If you are a regular GMail user - or someone that corresponds with one - you might want to either rethink the privacy of your communications, or perhaps make some noise with the folks at Google's email service. And don't forget to tell them that MrYowler and I need jobs... ;-P (Note that we are using a GMail address, so any job offers are probably not going to be well-kept secrets... ;-P)

The Evidence

Screen Capture #1
Our Email's Source

In this image you see the source code used for all of our "GMail Bug Test" emails. The plaintext email consists of only the "Subject" and "From" headers. Notice the ">" is missing in the "From" header.

Screen Capture #2
Password Exposure

In this image you see a message containing a URL alongside a login name and password. (Censored for protection of those involved).

Screen Capture #3
Yahoo Group's Message

In this image you see what appears to be a group mailing on the Yahoo! "Egypt Developers" Group. (Names & email addresses censored).

Screen Capture #4
Large Computer Purchase

In this image you see a receipt or quote for an online purchase of computer equipment, totaling $4,767.00.

Screen Capture #5
Jack Rabbit Vibrator Features

This message describes the features of one "Jack Rabbit Vibrator," a 7.5" Multi-Speed toy of sorts.

Screen Capture #6
Medicare Spam

This message appears to be a spam of some kind, advertising diabetic supplies with no paperwork. The email of the intended recipient (in the form of a removal link) has been censored.

Screen Capture #7
Samsung Warning?

This message seems to make a lot of calls to files called "samsung_warning_XX.jpg". We haven't tried to figure out what it is about; but we fell it is probably just a spam.

Screen Capture #8
Email Ridden Spam

This spam message had the intended recipient's email address scattered all though it. We had to censor quite a lot on this one.

Screen Capture #9
Cheap Software Spam

This spamvertisement is advertising cheap software. The intended recipient's email (in the form of a removal link) has been censored.

Screen Capture #10
More Cheap Software Spam

Most likely the same spammer as example #9, but with a different intended recipient. GMail must get a lot of these.


GMail messages are vulnerable to interception. An attacker has only to transmit malformed test messages to himself, and information left over in memory, from previous messages destined for other people, will appear with the test messages, in the attacker's inbox. Sometimes, this information may include usernames and passwords... Do you use GMail? Are you communications private? Should they be? Well, here's what we figured out about the issue, that may or may not help you - or perhaps GMail, if anyone can get ahold of their developers, to tell them about it.

Keywords: Computer Hacker Hacking Security Google Technology Privacy
"One handgun a month is too much."
"If you ask me, 12 handguns/year is too much."
"I'd be OK with one gun a year."
"We need the strong gun regs and enforcement Europe has."
-DU debates America's future 10/23/2005
David_G17 is offline   Reply With Quote
Old 01-14-2005, 14:23   #4
David_G17's Avatar
Join Date: Oct 2002
Posts: 7,678
update: bug fixed in less than an hour after mainstream publication.

take that microsoft!
"One handgun a month is too much."
"If you ask me, 12 handguns/year is too much."
"I'd be OK with one gun a year."
"We need the strong gun regs and enforcement Europe has."
-DU debates America's future 10/23/2005
David_G17 is offline   Reply With Quote
Old 01-15-2005, 12:42   #5
10 Ring Tao
Red White Blue
10 Ring Tao's Avatar
Join Date: Sep 2003
Location: Southeast Michigan
Posts: 7,081
I may not like their politics, but when google does something, its done well.
__________________ ordinance that seeks to reduce the murder rate, by disarming those owners who are not criminals, makes about as much sense as fighting alcoholism by prohibiting beer sales to Mormons.

Visit to help!!-->
10 Ring Tao is offline   Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

All times are GMT -6. The time now is 02:34.

GT Wiki
GT Blogs
Social Groups

Users Currently Online: 778
177 Members
601 Guests

Most users ever online: 2,244
Nov 11, 2013 at 11:42