May 11th, 2008, 7:53 pm
A report entitled "Exploiting the Trust Hierarchy among Email Servers", published by Pablo Ximenes from the University of PR at Mayaguez, USA and Andre dos Santos at the State University of Ceara, Brazil, suggests that Google Mail is flawed in a way that could turn it into a massive spam machine.
The report says that the researchers have uncovered a flaw in Google's free email service, Gmail, and that it "presents a vulnerability report and a proof of concept attack that demonstrate how anyone with no special internet access privileges other than being able to connect to SMTP (TCP port 25) and HTTP (TCP port 80) servers is able to exploit a single Gmail Account in order to be granted nearly unrestricted access to Google’s massive white-listed SMTP relay infrastructure."
If true, this vulnerability would enable an attacker to bypass both blacklist and whitelist filtering as well as easily forge all the fields within a message, in effect tricking the Google SMTP servers into functioning as an open relay.
Ximenes and dos Santos say "we were able to confirm that this vulnerability is indeed exploitable by assembling a proof of concept (PoC) attack that allowed us to use one single Gmail account to send bulk messages to more than 4,000 email targets (which surpasses Gmail’s 500 messages limit for bulk messages). Although we have limited the number of messages in our example to 4,000+, no counter measures took place that would have prevented us from sending more messages, and for that matter sending an unlimited number of messages. Additionally, we were able to use this vulnerability to forward messages that originally were classified as spam directly to a victim's inbox effectively bypassing filters. The attack specifically exploits Gmail’s email forwarding functionality. This is possible because no restriction or verification is imposed during the setup process of this option. We were able to write a program that automatically exploits this flaw in a compromised Gmail account to send bulk and forged messages to an unlimited number of email addresses while preserving all of the message’s original fields (legitimate or forged) unaltered, including sender's identity data (From: field). Since attack messages are carried by Google's own SMTP servers, the blacklist/whitelist based trust hierarchy that exists between Google’s and other Third Parties’ email servers is compromised, effectively converting Gmail’s servers into the perfect spam/phishing aid. With this flaw, spammers need only to exploit one Gmail account in order to obtain results similar to those of a botnet based spam. To our best knowledge this is the first public description of this vulnerability and also the first proof of concept attack. Google has already been notified about this issue and we are waiting for their position to release further details."
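The trust problem described above, seen from a receiving mail server, as an added example that is not taken from the report or from this blog entry: a policy that skips filtering purely because the delivering relay is whitelisted, beside one that also requires the From: domain to belong to that relay. The relay address, domains, function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy data (assumption): relays this receiver whitelists and
# the sender domains each relay is expected to originate mail for.
WHITELISTED_RELAYS = {"192.0.2.10": {"webmail.example"}}

# Constructed sample messages, both delivered by the whitelisted relay.
NATIVE = "From: Alice <alice@webmail.example>\nTo: bob@rcpt.example\nSubject: hi\n\nhello\n"
FORWARDED = "From: Billing <billing@bank.example>\nTo: bob@rcpt.example\nSubject: invoice\n\npay now\n"
TWO_FROMS = "From: alice@webmail.example\nFrom: billing@bank.example\nTo: bob@rcpt.example\n\nx\n"


def from_domain(raw_message):
    """Return the lower-cased From: domain, or '' if missing or ambiguous."""
    headers = message_from_string(raw_message).get_all("From", [])
    if len(headers) != 1:  # zero or several From: headers cannot be trusted
        return ""
    _, addr = parseaddr(headers[0])
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def whitelist_only(relay_ip, raw_message):
    """Weak policy: anything a whitelisted relay delivers bypasses filtering."""
    return "accept" if relay_ip in WHITELISTED_RELAYS else "filter"


def whitelist_with_alignment(relay_ip, raw_message):
    """Hardened policy: relay reputation counts only when the From: domain is
    one the relay originates mail for; everything else goes to full content
    filtering (not rejection, so legitimate forwards are still delivered)."""
    domains = WHITELISTED_RELAYS.get(relay_ip)
    if domains is None:
        return "filter"
    dom = from_domain(raw_message)
    aligned = dom in domains or any(dom.endswith("." + d) for d in domains)
    return "accept" if dom and aligned else "filter"


if __name__ == "__main__":
    for name, raw in (("native", NATIVE), ("forwarded", FORWARDED), ("two-from", TWO_FROMS)):
        print(name, whitelist_only("192.0.2.10", raw),
              whitelist_with_alignment("192.0.2.10", raw))
```
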
This blog entry was written by Davey Winder, staff writer aka happygeek. It has received 705 views, 0 comments, and 12 linkbacks. 2 voters have rated this entry an average of 5 out of 5 stars. It was promoted to featured status May 11th, 2008.