Possible Severe Gmail Security Vulnerability (Updated)

Gmail may have a serious security vulnerability that can result in the leaking of sensitive private information randomly to people you don’t know, haven’t contacted, and have nothing to do with.

It would seem that, between the way Gmail saves and retrieves sessions, the way existing sessions are authenticated, and the way views are cached, there are one or more loopholes that allow data from a different account (one that has nothing to do with yours) to be served instead of the correct data.

I don’t know why, but here’s the how:

  • Firefox 3 opened to Gmail on Ubuntu.
  • Session accidentally reset with Ctrl+Alt+Backspace.
  • Upon reboot and restart of Firefox, Firefox requested the URIs that were open before the crash, loading part of the data from the local cache and the rest dynamically from the web (because of the AJAX portions of the Gmail interface).

The result:

  • Gmail loaded up the email account of a user I’d never contacted before, never heard of, and never knew existed.
  • I could see the front page of this user’s inbox, including the people he’d recently contacted, the brief summary of all messages, the total number of messages in the inbox, the number of unread messages in other folders, the dates of all correspondences, and a number of contacts (again, none that I have had contact with) in the sidebar.
  • The number of remaining Gmail invites, the amount of space used, and other status values also reflected this mysterious individual’s account.
  • I couldn’t browse deeper than the main page of the inbox. Emails couldn’t be opened, nothing past the first 50 correspondences could be seen, and I couldn’t switch to another folder.
  • Attempts to do any of the above resulted in Gmail’s “Oops… the system encountered a problem (#102) – Retrying in XXs… <Retry Now>”

Parts of the Gmail interface contained values pertaining to my own account (for instance, the online status indicator) while others referred to this other individual’s account instead.

It’s very bizarre. I don’t know if it can be readily reproduced, but I’d imagine that if you forced an exit of Firefox 3 and kept firing it back up, at some point or another you’d see similar behavior. Of course, a deeper analysis of what data Firefox 3 requests from Gmail’s servers versus what’s served from the local session cache may yield further information that could possibly be used to actively take advantage of this data leak.

It seems that Firefox requests a cached session, complete with cookies and all, from the Gmail URI, which in turn loads the Gmail JavaScript files that are responsible for retrieving the data associated with a particular email account via AJAX. At this point, either the session key is associated with another account and so Gmail retrieves that account’s information, assuming the session to be properly authenticated, or else the expired session somehow causes Gmail to get data from elsewhere…

Screenshots of this behavior:

Gmail displaying the other user’s information:

[Screenshot: Gmail Security Leak]

Searching for this user in my own account yields no results:

[Screenshot: Never Before Seen]

As we’ve previously mentioned, NeoSmart Technologies is a big proponent of Full Disclosure. We’ve contacted the security department at Google and will post their reply if/when it’s available. We’ve also taken what we feel are the appropriate steps in this case with regards to the screenshots above in terms of what’s been made visible and what’s been blanked out for privacy concerns.


The Google Security Team sent a reply to our inquiry. According to them, this behavior might be caused by broken ISP proxying, pending further investigation. This post will be further updated as soon as new information becomes available.


Google has confirmed that this was the result of an ISP caching/proxying problem, and that it’s been known to happen. It seems some ISPs are overzealous in their caching attempts (probably to save some money), and you can add Cyberia to that list. Much thanks to Chris Evans of the Google Security Team for his feedback on the issue and prompt responses; that’s the way security is supposed to be handled!
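The confirmed root cause is a shared cache reusing one user’s response for another. As an added illustration (not code from the post, nor from Google), the check below applies the storage rules of RFC 9111 (HTTP Caching) to constructed sample responses to show which ones a standards-following shared cache is allowed to store; the sample names, header values and the `SID` cookie are made up.

```python
"""Decide whether a shared (ISP/proxy) cache may store an HTTP response.

Added example, not part of the original post. Implements the storage rules of
RFC 9111 section 3 (simplified) for a *shared* cache; sample data is constructed.
"""

# Status codes a cache may store without explicit freshness information (RFC 9111 s4.2.2).
HEURISTIC_OK = {200, 203, 204, 206, 300, 301, 308, 404, 405, 410, 414, 501}


def parse_cc(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    out = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('" ') if arg else None
    return out


def shared_cache_may_store(status, resp_headers, req_has_authorization=False):
    """Return (storable, reason) for a shared cache, per RFC 9111 section 3."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    cc = parse_cc(h.get("cache-control", ""))
    if "no-store" in cc:
        return False, "Cache-Control: no-store"
    if "private" in cc:
        return False, "Cache-Control: private (shared caches must not store)"
    if h.get("vary", "").strip() == "*":
        return False, "Vary: * (stored copy could never be reused)"
    # Responses to requests carrying Authorization need explicit permission (s3.5).
    if req_has_authorization and not ({"public", "s-maxage", "must-revalidate"} & set(cc)):
        return False, "Authorization request without public/s-maxage/must-revalidate"
    explicit = bool({"public", "max-age", "s-maxage"} & set(cc)) or "expires" in h
    if explicit:
        return True, "explicit freshness: a shared cache may store and reuse this"
    if status in HEURISTIC_OK:
        return True, "no cache directives: heuristically cacheable, may be served to another user"
    return False, f"status {status} is not heuristically cacheable"


# Constructed samples: an authenticated inbox view served with and without cache markers.
SAMPLES = {
    "inbox-unmarked": (200, {"Content-Type": "text/html", "Set-Cookie": "SID=example"}),
    "inbox-hardened": (200, {"Content-Type": "text/html", "Set-Cookie": "SID=example",
                             "Cache-Control": "private, no-store, max-age=0"}),
    "static-js": (200, {"Content-Type": "text/javascript", "Cache-Control": "public, max-age=86400"}),
}


def audit(samples=SAMPLES):
    """Names of the sample responses a shared cache could store (sorted)."""
    return sorted(n for n, (s, hdrs) in samples.items() if shared_cache_may_store(s, hdrs)[0])
```

Only the unmarked inbox page and the public static script come back from `audit()`; a proxy that ignores these directives, as the post’s conclusion describes, can still store anything, so the markers are a necessary but not sufficient defence.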

14 thoughts on “Possible Severe Gmail Security Vulnerability (Updated)”

  1. The title in the 2nd screenshot still hasn’t been obfuscated. =)

    I’ll try to reproduce this on my XP and Ubuntu partitions.

    BTW, I got this error in Firefox 3 while I was trying to use the BBC media player. Do you think it’s just my system?

    “Runtime error!

    Program: D:\Program Files\Mozzila Firefox\Firefox.exe

    An application has made an attempt to load the C runtime incorrectly

    Please contact the application’s support team for more information.”

  2. I’ve had this sort of thing happen with Google News and suspected it was due to ISP caching issues; it would be interesting to see if you share an ISP with the other person.


  3. This was sent to me on my Hotmail account about Gmail:

    From: ###.andy@gmail.com
    You may not know this sender. Mark as safe | Mark as junk
    Sent: Saturday 28 March 2009 16:05:07

    The following is an e-mail sent to you by an administrator of “SecuritySite”. If this message is spam, contains abusive or other comments you find offensive please contact the webmaster of the board at the following address: ###.andy@gmail.com Include this full e-mail (particularly the headers). Message sent to you follows: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Dear members, The first phase of our completely renewed SecuritySite is coming online. It will take some getting used to for all of us, but you will soon get to know the advantages and possibilities. From now on you will also be able to post photos and articles online yourself, and in the future there will be much more information about the profession of guarding and security agents. A completely new forum has also been integrated into the website, with more specific categories that make the whole thing much clearer. This was at the request of many of our regular visitors. To be able to use all the possibilities you do need to re-register with your already known username. We have made this registration very simple and quick for the time being. We hope to welcome you to our new site and hope that you appreciate the possibilities for your personal input. Kind regards, Andy and Kim — Thanks, The Management

    Is this from Google or is this a hoax?

  4. @Boterman Marnix,

    I’m the owner of the website and also the rightful user of the email address you are referring to. If you received that mail then this is because your email address is in our database and you signed up for that!! The website it comes from is a Dutch forum about private security in Belgium and it is just to let the members know that there have been updates on the site. We have only about 400 registered members and all of them are Dutch native speakers. If you are not, or did not register, then you can ask yourself why your Hotmail address is registered in our database in the first place!!!

    @ Mahmoud Al-Qudsi

    It’s definitely NOT spam or a hoax. It’s almost obvious that you don’t speak Dutch and don’t understand what is written in the email.

    Andy Scheveneels

  5. The above e-mail account was taken over by my associate while I was undergoing medical surgery and rehab at the VA hospital in Long Beach, CA.

    Holly Bolling, without my permission, changed the password and is now using this account for her own personal business and use. When I was released from the hospital I attempted to check the account for my e-mail messages, but was unable to do so.
    We were in the process of setting up Noble House Global as a corporation before I was admitted to the VA hospital. I gave her Power of Attorney to act on my behalf in case I didn’t survive the operation. This power of attorney was canceled upon my release from the hospital.

    I am in the process of recording Noble House Global at the county courthouse as my own corporation. And I have requested that Ms. Bolling cease using this account as her own personal account and the name of Noble House Global, as this was the name I selected and the Gmail account was set up for her and me to use as officers of the proposed corporation. Upon finding out she had taken action to change the password without my knowledge or permission, I e-mailed her that she was terminated and no longer had permission to use this account or company name. She has informed me that this is her account and will not release it to me, as she is receiving over 1,000 e-mails using the name Noble House Global.

    Is there any way that the security team for Gmail can remove her access to this account and issue me the exclusive right to use it for my company with my own password?

    Your assistance in this matter would be greatly appreciated. I need to know that this is feasible before proceeding with the recording of the corporation.

    H.C. Austin

  6. I haven’t received any action notice from the security department of Gmail in reference to the above message.

    Please advise if any action has been taken with regard to Holly being removed from the use of this account.

    H C Austin

  7. When you are filling out the sign-up form, you can select either “@live.com” or “hotmail.com”. Select hotmail.com and you’re all set. I just did that not 10 minutes after being rejected (error message) and the account went straight through!
