Possible Severe Gmail Security Vulnerability (Updated)

Posted on June 23, 2008 by Mahmoud Al-Qudsi

Gmail may have a serious security vulnerability that can result in the leaking of sensitive private information randomly to people you don’t know, haven’t contacted, and have nothing to do with.

It would seem that between the way Gmail saves and retrieves sessions, existing sessions are authenticated, and views are cached there are one or more loopholes that allow data from a different account (that has nothing to do with yours) to be served instead of the correct data.

I don’t know why, but here’s the how:

Firefox 3 opened to Gmail on Ubuntu.
Session accidentally reset with ctrl+alt+bkspc
Upon reboot & restarting of Firefox, Firefox requested the URIs that were previously open before the crash, partially loading data from local cache and the rest dynamically from the web (because of the AJAX portions of the Gmail interface).

Continue reading →

Making Gmail a More Welcoming Experience

Posted on May 19, 2008 by NeoSmart Technologies

It used to be that when you opened your Gmail account you would see a bland, blank page with the text “Loading…” in the upper-right corner of the screen, as you waited for your browser to download the Gmail scripts and to make contact with the mail server to download the list of messages and other content that appears on the Gmail “dashboard.”

We’ve long felt that Gmail’s approach was not befitting of the Web 2.0 service with all its sky-blue shades and flashy appearance – and now it seems that Google’s felt that way too.

Here’s the new loading interface… Subtle, simple, and effective:

(Click image to see more changes)

After all, first impressions are everything!