We tweeted the TechCrunch story about the site which, if you visited it while logged in to a Google account, sent you an email proving it had just harvested your email information. Scary, isn’t it?
Well, the screenshot of the website itself (no, we didn’t visit it to see if it was true; besides, it was down by the time we got there . . . ) got us thinking about security and how this could occur. That’s when it clicked: this looks very suspiciously like the Firesheep exploit, which some “experts” erroneously blamed on insecure WiFi networks, when in fact it relies on your browser transmitting cookies insecurely, something that can happen on any network, wired or not. Firesheep can intercept those cookies and log in as another user on a specific list of popular websites (including Facebook, Twitter, etc.).
It looks as if this new website is doing the same thing in a different way: instead of snooping on your network for cookies sent in the clear, it looks for the Google login cookie and “steals” it, then proves it has stolen your login validation by sending you an email.
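The common thread in both attacks is a session cookie that the browser is allowed to send in the clear or expose to page scripts. As an added example (not code from the original post), here is a small Python audit of Set-Cookie headers that flags the attributes whose absence makes a cookie interceptable Firesheep-style; the header values are constructed samples, and the cookie names are placeholders rather than any site’s real cookies.

```python
# Constructed sample Set-Cookie headers (placeholder names and values, not
# taken from any real site). Each is audited for attributes that limit
# how a session cookie can be exposed.
SAMPLE_HEADERS = [
    "SID=abc123; Path=/; Domain=.example.com",
    "SSID=def456; Path=/; Secure; HttpOnly",
    "PREF=xyz; Expires=Wed, 01 Jan 2020 00:00:00 GMT",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookie(header):
    """Return (name, findings) describing how this cookie could leak."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        # Without Secure the browser will also send the cookie over plain
        # HTTP, where anyone on the path can read it (the Firesheep case).
        findings.append("sent over plain HTTP (sniffable on any network)")
    if "httponly" not in attrs:
        # Without HttpOnly, script running in the page can read the cookie.
        findings.append("readable by page scripts")
    if "expires" in attrs or "max-age" in attrs:
        # Persistent cookies outlive the browser session, widening the window.
        findings.append("persists after the browser closes")
    return name, findings


def audit_all(headers):
    """Map each cookie name to its list of findings (empty list = clean)."""
    return dict(audit_cookie(h) for h in headers)
```

Run `audit_all(SAMPLE_HEADERS)` against headers captured from your own service to see which session cookies would survive the checks above.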
Regardless of the method used, if a website is able to steal your login cookie (or other information), that points to a vulnerability not only in your Gmail account but in anything that uses that Google login. This would include your personal iGoogle page, your Gmail account, your Analytics and Webmaster Tools accounts, and, perhaps most dangerous, access to all your Google Apps.
That’s right: if you or your company has decided to migrate to Google’s cloud-based applications, and you use your Google login to gain access to them, then any website that can steal your Google credentials can gain access to your private documents. How’s that for security?
However, all that familiarity doesn’t make them secure, as the Firesheep exploit, and perhaps this latest security hole, makes abundantly clear.
Until a much, much more secure way of authenticating becomes common, at the very least log out of your Google account, and all other accounts, while browsing unfamiliar sites. Also, use a VPN or another secure method of transmitting your login information whenever possible.