Tuesday, September 01, 2009

Gmail Down Will Twitter Be Next

By now I'm sure you all know that Gmail has experienced a major outage, information that has been confirmed by Google's Apps Status Dashboard, but what you might not know is that the added strain of the outage and the sheer volume of Tweets about it might lead to a major interruption of service over at Twitter.

Via Google Apps Dashboard: 1:02 PM
We are continuing to investigate this issue. We will provide an update by September 1, 2009 2:16:00 PM UTC-7 detailing when we expect to resolve the problem.
Users can access their email via IMAP or POP. You can find instructions for how to do this here.


TechCrunch's MG Siegler reports, "When I first noticed it being down [gmail], I did a Twitter search and just minutes later there were over 10,000 new results. A couple minutes later, there were over 20,000."

For now it looks like Twitter is standing strong, with no fail whale in sight, so Tweeters might be safe, at least for the time being. The only issue I've seen on our account today is a missing trending topics list; everything else looks to be working properly. Often, when there is a major interruption of service somewhere else on the web, sites like Facebook and Twitter are adversely affected by a sudden large influx of traffic. The sudden rush of hits overburdens servers, which become strained and often fail.

Doing a quick search for Gmail currently shows a glimmer of hope with many users reporting Gmail is back in service. Checking my personal email I can confirm it appears as though Gmail is back up and working again, at least for me. But looking at the Google Apps Status page it might be temporary as it was just updated with the following information:

2:13 PM
We are continuing to investigate this issue. We will provide an update by September 1, 2009 3:13:00 PM UTC-7 detailing when we expect to resolve the problem.
Users can access their email via IMAP or POP. You can find instructions for how to do this here.
Also, at this time, Google Apps Sync for Microsoft Outlook (applies only to Google Apps Premier and Edu customers) is not available.

Wednesday, November 26, 2008

Follow-Up: Phishing To Blame For GMail Exploits Not CSRF

Following up on our recent post, New GMail Exploit Or Old Cross-Site Scripting Vulnerability, Google has determined that the reported hijacking was a case of good old fashioned phishing and there is "no evidence of a GMail vulnerability".

Google responded today to the claims that the hijacked websites were due to an old CSRF vulnerability. Chris Evans writes, "With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information...Once attackers gained the user credentials, they were free to modify the affected accounts as they desired. In this case, the attacker set up mail filters specifically designed to forward messages from web domain providers."

Google says the domain theft linked to David Airey's site back in 2007 has been "incorrectly linked to a GMail CSRF vulnerability." There is no mention of the recent hijackings detailed in our previous post, but as mentioned in that post there was never any solid evidence that it was a CSRF exploit. In fact my original assessment of the MakeUseOf hijacking was that they were victims of phishing.

One thing still nags at me about this, though: if someone had phished these accounts then there would be no reason to set up filters. If you have full access to someone's account (i.e. login and password) then you wouldn't need to forward the emails out. You could change the password, locking out the user, and then have the emails sent directly to an account that you now control.

The only benefit of setting up the forwarding filters would be long-term access to the account. An attacker could essentially collect information undetected for weeks, even months, or more. If the attackers took control and locked the user out they might be detected within a few minutes or hours.

To keep your Google account secure online, Google recommends you only ever enter your Gmail sign-in credentials at web addresses starting with https://www.google.com/accounts, and never click through any warnings your browser may raise about certificates. For more information on how to stay safe from phishing attacks, see Google's blog post here.

**Update**

I contacted Aibek at MakeUsOf.com today and he has stated he has not been contacted by Google in relation to this matter and that "I also talked to both Florin [Cucirca.com] and Edin [YuMP3.org] and only one of them was contacted by Google."

I've put an inquiry in to Chris Evans at the Google Online Security Blog and we are currently awaiting a follow-up. So check back for further details.

Sunday, November 23, 2008

New GMail Exploit Or Old Cross-Site Scripting Vulnerability

Earlier this month MakeUseOf.com's domain was stolen right out from underneath them: it was hijacked and moved to another registrar. On Friday they provided the details of how they think the would-be thief took control of their domain and moved it to another host.

In their post titled "BREAKING: New Gmail Security Flaw. More Domains Get Stolen!", MakeUseOf.com said they suspect that the hacker used some hole in GMail to create filters which forwarded crucial emails to the thieves, which then allowed them to access their GoDaddy account (among other things) and move the domains.

In what appears to be two completely separate incidents, both Cucirca.com and YouMP3.org were hit by the same thief in the same exact manner. The owners of each site contacted MakeUseOf.com and confirmed that similar filters had been placed in their GMail accounts and their domains had been transferred. The details provided were identical down to the thief's email address.

The attacks don't seem to be the first, however; in fact MakeUseOf points out that the same thing happened to David Airey last year.

Last year a serious cross-site request forgery (CSRF) vulnerability was found in Gmail and allegedly fixed. Security researcher Petko Petkov provided details of the vulnerability on his blog, which was then confirmed and supposedly fixed by Google. However the three attacks above seem to mirror directly what Petkov's hijack did.

The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim's filter list. In the example above, the attacker writes a filter which simply looks for emails with attachments and forwards them to an email of their choice. This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.
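The server-side check that defeats a cross-site form post of this kind, as an added example that is neither Petkov's code nor Gmail's: a per-session anti-CSRF token that only the real settings page can embed, plus an Origin/Referer comparison. The endpoint, its form field names and the token store are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical stand-in for a filter-creation endpoint; names, form fields
# and the token store are assumptions for this example, not Gmail's API.
SESSION_TOKENS = {}  # session id -> anti-CSRF token (assumed server-side store)


def issue_csrf_token(session_id):
    """Mint a random token bound to the logged-in session and embed it in the
    settings form. A page on another origin cannot read it, so a forged
    multipart/form-data POST cannot include the right value."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def _origin_of(url):
    """Reduce a URL to scheme://host[:port], or '' if there is none."""
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc) if parts.netloc else ""


def filter_create_allowed(session_id, form, headers, site_origin):
    """Decide whether a filter-creation POST may proceed.

    'form' is the parsed multipart/form-data body and 'headers' the request
    headers. The browser attaches the session cookie to any POST, so the
    session id alone proves nothing; the token must also match, and an
    Origin (or Referer) naming another site is rejected outright.
    Returns (allowed, reason)."""
    expected = SESSION_TOKENS.get(session_id)
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or mismatched anti-CSRF token"
    origin = _origin_of(headers.get("Origin") or headers.get("Referer", ""))
    if origin and origin != site_origin:
        return False, "cross-origin request from " + origin
    if form.get("forwardTo"):
        # Forwarding filters are the long-lived persistence the post
        # describes, so they deserve a notice to the account owner even
        # when the request itself is legitimate.
        return True, "ok (forwarding filter created, notify account owner)"
    return True, "ok"
```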

So is the hijack that David Airey, MakeUseOf.com, Cucirca.com and YouMP3.org were hit by a new exploit or did Google neglect to fix the cross-site scripting vulnerability?

The fact is there really is no way to tell at this point. GMail seems to be one of the only common denominators on the user end. We do know that for the CSRF exploit to affect their accounts they all had to have visited the same site or viewed the same email, or something along those lines.

One thing that piqued my interest is that the CSRF exploit has been around for over a year and this is the first I've heard of anyone hijacking GMail accounts in this fashion. That is not to say it hasn't happened; it may just be that the guy finally hijacked someone who put the information into the spotlight. The CSRF exploit could be used to hijack anything and would be virtually undetectable until someone went looking, so it is possible there have been many attacks that have gone unnoticed.

For the hijacker to use Petkov's CSRF exploit to target webmasters he essentially has to create a "perfect storm". He'd have to get the exploit to them in some fashion, probably via an email sent to their GMail accounts (remember, they have to be logged in to those accounts for it to work). Those accounts would have to be associated in some way with the webmasters' domains: either the registrar would have to have that particular email address on file for password retrieval, or the email associated with the domain would have to be forwarded through the affected GMail account so it could then be forwarded out to the hijacker.

From what I see, a lot of variables would have to go right for this to happen.

For this particular scenario to play out and be lucrative, a hijacker (or team of hijackers) would more than likely have to go on a phishing expedition and target multiple webmasters who showed GMail addresses in their WhoIs records. They would then have to send out several emails with the CSRF exploit code. It would have to be a "good" email that these webmasters would want to open, allowing the exploit to work and the filters to be placed.

Aibek over at MakeUseOf makes a pretty good observation of how this could work:

In my opinion the hack was carried out in the following way:

1. hacker has an automatic script that searches public WhoIS databases and finds people that have gmail email listed as a contact.
2. the script further filters the results leaving only somewhat established sites.
3. next he sends an email to the owner (or even leaves a comment on his blog) with a link to a site that targets Gmail bug.

Aibek

As of right now there is no verification that the hijacking was the result of a vulnerability in GMail; however, the evidence is leaning that way. If you are concerned that you might be vulnerable, there are a couple of things you can do to combat this.
  1. Check your GMail settings and make sure you aren't already compromised. Check forwarding options and filters to make sure you aren't forwarding information to unknown addresses. Disable any options you aren't using, such as IMAP and POP.
  2. I suggest using a private email address for your accounts. There should be no reason for your domains to be registered to your contact address, or even filtered through that address. Use a personal email address from your ISP and keep that information private.
  3. Use Firefox with the NoScript add-on, which should help to block cross-site scripting exploits.
  4. Stay away from emails and sites you aren't sure of; you should never be opening suspicious emails anyway.
  5. Update all your software. Since there was no proof this was a CSRF exploit, it's still possible it was malware, a virus or even a trojan. Keep all your AV software up to date, especially if your personal computer is also used for business.
  6. Change your passwords often. Again, since there is no confirmation of how the hijackers got in, it is possible that the accounts were cracked. The accounts weren't locked out, so that's not likely, but still possible.
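One way to carry out the first check above, as an added example that is not MakeUseOf's or Google's code: it parses a filter list in the Atom format Gmail uses for filter export (assumed here; the feed below is constructed for the example) and flags any filter that forwards mail to an address you don't recognise, calling out the broad criteria and inbox-hiding actions the post describes.

```python
import xml.etree.ElementTree as ET

# Namespaces of Gmail's filter export (assumed to match mailFilters.xml);
# the feed below is constructed for this example, not a real export.
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:apps="http://schemas.google.com/apps/2006">
  <entry>
    <apps:property name="from" value="newsletter@example.org"/>
    <apps:property name="label" value="News"/>
  </entry>
  <entry>
    <apps:property name="hasAttachment" value="true"/>
    <apps:property name="forwardTo" value="dropbox@someone-else.example"/>
    <apps:property name="shouldTrash" value="true"/>
  </entry>
</feed>"""


def parse_filters(xml_text):
    """Return each filter as a dict of its apps:property name -> value."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value")
             for p in entry.findall("apps:property", NS)}
            for entry in root.findall("atom:entry", NS)]


def audit_filters(xml_text, allowed_forwards):
    """Flag filters that forward mail anywhere outside allowed_forwards.

    Each finding is (filter number, reasons). Broad criteria (every message
    with an attachment) and actions that hide the matched mail from the
    inbox are called out because that is the pattern the post describes."""
    findings = []
    for num, f in enumerate(parse_filters(xml_text), start=1):
        target = (f.get("forwardTo") or "").lower()
        if not target or target in allowed_forwards:
            continue
        reasons = ["forwards to unrecognised address " + target]
        if f.get("hasAttachment") == "true":
            reasons.append("matches every message with an attachment")
        if f.get("shouldTrash") == "true" or f.get("shouldArchive") == "true":
            reasons.append("hides the matched mail from the inbox")
        findings.append((num, reasons))
    return findings
```

Run it over your own exported filter file with the forwarding addresses you actually use in `allowed_forwards`; anything it reports deserves a look, and the same idea applies to the account-level forwarding setting, which the export does not include.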


**Update**
Google has posted a response on the Google Online Security Blog stating there is no known vulnerability and this was a case of phishing. For more details please see our follow up post.

Tuesday, October 07, 2008

GMail Now Offers "Mail Goggles"

According to the GMail Blog Google Labs has come up with a feature called Mail Goggles which may help prevent you from sending those late night emails that you might later regret.

The new feature, which is of course a play on the term "Beer Goggles" (I'm sure we all know what that means), was created by Jon Perlow. Jon's goal was to help you curb those crazy drunken emails that sometimes go out late at night and on weekends.

Mail Goggles
by Jon P

Google strives to make the world's information useful. Mail you send late night on the weekends may be useful but you may regret it the next morning. Solve some simple math problems and you're good to go. Otherwise, get a good night's sleep and try again in the morning. After enabling this feature, you can adjust the schedule in the "General" settings page.


By default, weekends and late nights are the only times Mail Goggles is active, which should be when you're most likely to need it. Once enabled, you can adjust when it's active in the General settings, just in case you feel the need for better protection.



When enabled, Gmail will ask you to complete a few rather "simple" math problems in a limited period of time before you can send out your email. Get the answers wrong and you simply can't send the email. You'll be given the advice of "water and bed" and an option to try again with new questions. The difficulty can be changed from 1 to 5, 5 being the hardest. (I didn't see much difference.)



No folks, this is not a joke: the new feature is live and can be added to your GMail right now by going into your GMail settings. Look under Labs and about midway down the page you'll see an option to enable it. Once you have it enabled you can go back to the General settings and adjust the times and days you want Mail Goggles to be active.

In my opinion this is pure genius! In fact I wish they had this option built into other sites, Myspace, Facebook etc. I know I for one have been guilty of posting a few messages that probably shouldn't have been posted after a night out on the town. While I really doubt it will prevent anyone from sending out their drunken messages, the idea is still a good one. If nothing else it at least makes you think a little before you can actually send those drunken emails.