Google Blogoscoped

Forum

Researchers: Beware the IE Cache when using Gmail on public terminal

Juha-Matti Laurio [PersonRank 10]

Wednesday, December 19, 2007
16 years ago3,223 views

The following eWEEK article describes the case:

"If you use Internet Explorer to access Google's Gmail on public terminals, you may be leaving a lot of sensitive information exposed in the browser's cache, according to a warning from Web application security specialist Cenzic.

Cenzic issued an alert for what it argues are vulnerabilities in Gmail and IE that could "severely impact e-mail systems and user privacy." "

Link:
http://www.eweek.com/article2/0,1895,2236192,00.asp

Philipp Lenssen [PersonRank 10]

16 years ago #

Hmm...

<<After a "thorough investigation," Microsoft has dismissed the threat as overblown. "In the scenario in question an attacker would need authenticated access to the system in order to modify files located in the cache. With that level of access, an attacker could install malicious programs that would have more impact than the scenarios described," a Microsoft spokesman said in a statement sent to eWEEK.>>

I think though that accessing anything that requires you to provide your Google Account credentials is ALWAYS risky from an internet cafe.

Wonder if using https would have helped in the scenario described by the researchers by the way?

Tony Ruscoe [PersonRank 10]

16 years ago #

<< Wonder if using https would have helped in the scenario described by the researchers by the way? >>

I could be wrong but I didn't think that IE stores any HTTPS content in its cache, so I guess that would have helped.

Perhaps Gmail should modify their cache control headers – but that would probably affect performance for the majority of us who don't mind things being cached.

Philipp Lenssen [PersonRank 10]

16 years ago #

Is it possible for Google to know how many people log in and out throughout the day from the same browser, e.g. by saving some cookie which stores that information (in a non-personally identifiable way) even when you log-out? Then they could always switch you to https, or do something else more secure, when they think you might be in an internet cafe. Hmm, then again that wouldn't help in the "malicious internet cafe sysadmin" case...

Why don't they always force forward you to https by the way?

Tony Ruscoe [PersonRank 10]

16 years ago #

> Why don't they always force forward you to https by the way?

I assume that's purely for performance issues since nothing would get cached including HTML, XML, JS, CSS, etc. as serving those things via HTTP would alert some users to having a mix of secure in insecure content.

Juha-Matti Laurio [PersonRank 10]

16 years ago #

The following ComputerWorld article gives more technical information from the author of the issue:
"Gmail, Cenzic went on, contributes to the overall vulnerability because its URLs display attachments when viewed using the "View Source" command.

Together, the bugs could conceivably let someone at a public PC hijack any Gmail log-on credentials that had been entered on the machine since the IE cache had last been purged. IE deletes the contents of its cache only as new files are added – the oldest are deleted – or when the user explicitly instructs the browser to clear the cache using the "Delete Browsing History" command."

Link:
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_and_hacking&articleId=9053462&taxonomyId=82&intsrc=kc_top

Forum home

Advertisement

 
Blog  |  Forum     more >> Archive | Feed | Google's blogs | About
Advertisement

 

This site unofficially covers Google™ and more with some rights reserved. Join our forum!