Wednesday, July 26, 2006

Gmail Anonymity Issue

The webmail service provided by Google, Inc., named "GMail" or "Google Mail", is a fully anonymous mail exchange system when it talks to other Gmail-based domains.

UPDATE (after 1 day): Hey, I've received one comment saying that I should see this as an improvement in privacy. Yes, of course! But I strongly believe in OPTIONS. This should be configurable, at least. Additionally, when you use webmail, the client is the web browser, not the remote webmail software. It's YOU from YOUR internet connection using the remote service. It's not crazy to think your IP should be added to the headers ;)

In any case, has anyone bothered to read my last comment? "We've been looking for fully anonymizing SMTP servers for decades, and now we discover any gmail.com mail user is vulnerable." This is like saying "Hey, I like this, but it can also be used by attackers to shield themselves when scamming people" (hence "any gmail.com mail user is vulnerable"). I love privacy, don't get me wrong! I wouldn't be talking about http://vpnmail.buanzo.com.ar if I didn't.

Google has been notified of this issue, but the response was "Sorry, but we do not understand your issue". More information was provided, but the same response was received.

I do not consider this a High Risk issue.

SYNOPSIS
Most webmail services provide a way to obtain the full headers of any email message stored in the user's folders. Inside those headers we can usually find at least one public IP address that relates in some way or another to the mail's sender.

This is not the case with any gmail-to-gmail eMail message.

In the case of Gmail, full headers can be seen via the "Show Original" action link provided in the "More Options" menu of an already-opened email message.

For example, if I send an email from buanzo AT gmail.com to buanzo AT gmail.com, I get something like this:

X-Gmail-Received: 9c6f2229aa1a91477bada005cd389e212c2f7454
Received: by 10.78.83.4 with HTTP; Wed, 26 Jul 2006 11:46:08 -0700 (PDT)
Message-ID: <6f7daea60607261146y43fd4e83gf7db10e0b0d32bf1@mail.gmail.com>
Date: Wed, 26 Jul 2006 15:46:08 -0300
From: "Arturo Busleiman"
To: buanzo@gmail.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_290096_27368964.1153939568233"
Delivered-To: buanzo@gmail.com

------=_Part_290096_27368964.1153939568233
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

test

--
Arturo 'Buanzo' Busleiman / www.buanzo.com.ar

------=_Part_290096_27368964.1153939568233
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

test

--
Arturo 'Buanzo' Busleiman / www.buanzo.com.ar


------=_Part_290096_27368964.1153939568233--


As you can see, no public IP address appears, only private 10/8 addresses.

Of course, email sent from a different account to myself doesn't show any public address either.

Additionally, I host buanzo.com.ar's email using the "Gmail for your Domain" beta service. Sending email from the web interface of buanzo.com.ar (Gmail-based) to gmail.com, and vice versa, shows the same vulnerability.

We've been looking for fully anonymizing SMTP servers for decades, and now we discover any gmail.com mail user is vulnerable.

The vulnerability disappears when sending email through an MUA like Mozilla Thunderbird or any other SMTP client, because the first hop then records the client's public address.
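The check described above, as an added example in Python (not code from the post): it parses the Received chain of a raw message, keeps only RFC 1918 / loopback / link-local addresses as "private", and reports whether any public originating address survives. The first sample reuses the Received lines of the message quoted in this post; the second is a constructed message submitted from an SMTP client, with a documentation address (203.0.113.5) standing in for the client's public IP.

```python
import email
import ipaddress
import re
from email import policy

# Sample 1: the Received chain of the gmail-to-gmail message quoted in the post
# (other headers and the body omitted).
GMAIL_TO_GMAIL = """\
Delivered-To: some_user@gmail.com
Received: by 10.70.39.10 with SMTP id m10cs137572wxm;
        Tue, 18 Jul 2006 08:58:49 -0700 (PDT)
Received: by 10.78.160.2 with SMTP id i2mr1631532hue;
        Tue, 18 Jul 2006 08:58:46 -0700 (PDT)
Received: by 10.78.83.4 with HTTP; Tue, 18 Jul 2006 08:58:46 -0700 (PDT)
"""
# Sample 2 (constructed): the same delivery submitted from an SMTP client, so the
# first hop records the client; 203.0.113.5 is a documentation address standing
# in for a real public one.
MUA_SUBMITTED = """\
Delivered-To: some_user@gmail.com
Received: by 10.70.39.10 with SMTP id m10cs137573wxm;
        Tue, 18 Jul 2006 09:01:12 -0700 (PDT)
Received: from client.example.net ([203.0.113.5]) by mx.example.org
        with ESMTP id abc123; Tue, 18 Jul 2006 09:01:10 -0700 (PDT)
"""

IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# RFC 1918 plus loopback/link-local, listed explicitly so 203.0.113.5 counts as public.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def received_hops(raw):
    """Each Received header, outermost first, as (unfolded text, [IPv4 addresses])."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold and normalise whitespace
        quads = [m for m in IPV4.findall(text) if all(int(o) < 256 for o in m.split("."))]
        hops.append((text, [ipaddress.ip_address(q) for q in quads]))
    return hops

def originating_public_ips(raw):
    """Public addresses recoverable from the chain; empty means the sender left no trace."""
    return [str(a) for _, addrs in received_hops(raw)
            for a in addrs if not any(a in net for net in PRIVATE_NETS)]

def webmail_submission_hop(raw):
    """The hop Gmail's web interface records ('with HTTP'), or None for SMTP submission."""
    return next((t for t, _ in received_hops(raw) if "with HTTP" in t), None)
```

For the gmail-to-gmail sample every hop is inside 10/8 and the public list is empty, while the SMTP-submitted sample yields the client's address from its first hop.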

Transcript of my communication with Google regarding this issue. I replied to this email too, two days ago, and received the same reply. I replied to that and asked what specifically they didn't understand.

Date: Wed, 19 Jul 2006 13:41:00 -0700
From: "The Google Team"
To: "Arturo 'Buanzo' Busleiman"
Cc: support@google.com, security@gmail.com
Subject: Re: [#66078110] Anonymity Issue with GMAIL
Message-ID: <#14.3f0459e.39378bd3.44be98dc.1@google.trakken.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
In-Reply-To: <44bd0754.20905@buanzo.com.ar>
User-Agent: Neotonic Trakken/frontend-2.35.6

Hello,

Thank you for your message.

We're happy to answer any questions you may have about Gmail, or your
Gmail account. However, we need further clarification from you before we
can help. Please reply to this message and include any additional
information that you think might help us address your specific concerns.

Sincerely,

The Google Team

Original Message Follows:
------------------------
From: "Arturo 'Buanzo' Busleiman"
Subject: Anonymity Issue with GMAIL
Date: Tue, 18 Jul 2006 13:07:48 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear people at Google/Gmail,

I've been a long-time user of your services (google, gmail, gmail for your domain, orkut, adsense, blogspot). I'm user "buanzo@gmail.com" or "buanzo" on your services.

Yesterday I was helping out on a security issue with a friend. I needed to analyze IP addresses of certain emails my friend received, and test against an identity theft.

The sender and receiver (the "attacker" and my "friend") are both @gmail.com.

So, when I opened up one of those eMails using the Gmail web interface, then I clicked on "more options" for that sender, then "Show original", I noticed NO public IP address at all. Only 10.0.0.0/8 private network addresses (internal gmail/google network).

In any case, it seemed that this behaviour ONLY happened when email from sender@gmail.com via web-interface to recipient@gmail.com was sent.

So, for testing, and before sending this advisory to you, I sent an email using the web interface for gmail account buanzo@gmail.com to my wife, some_user@gmail.com.

Then I opened some_user@gmail.com's account on my 2nd computer, and this is the message source as provided by the "Show Original" button.

As you can see below, the 3rd Received line is the last one, and is "by 10.78.83.4 with HTTP". WITH HTTP -> that is me using buanzo@gmail.com's web interface. See below for more details.

X-Gmail-Received: 95f51f3b274bfdc2c834d221f18347acf46e081d
Delivered-To: some_user@gmail.com
Received: by 10.70.39.10 with SMTP id m10cs137572wxm;
Tue, 18 Jul 2006 08:58:49 -0700 (PDT)
Received: by 10.78.160.2 with SMTP id i2mr1631532hue;
Tue, 18 Jul 2006 08:58:46 -0700 (PDT)
Received: by 10.78.83.4 with HTTP; Tue, 18 Jul 2006 08:58:46 -0700 (PDT)
Message-ID: <6f7daea60607180858v5e6c5655w6c17069a2474b5ac@mail.gmail.com>
Date: Tue, 18 Jul 2006 12:58:46 -0300
From: "Arturo Busleiman"
To: "Amor de mi Vida"
Subject: te amo
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_45900_33494322.1153238326171"

- ------=_Part_45900_33494322.1153238326171
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

te amo


- --
Arturo 'Buanzo' Busleiman / www.buanzo.com.ar

- ------=_Part_45900_33494322.1153238326171
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

te amo


--
Arturo 'Buanzo' Busleiman / www.buanzo.com.ar


- ------=_Part_45900_33494322.1153238326171--

I believe this is a serious issue that turns any @gmail.com user into a victim of lots of different email-based attacks that one can't analyze because of the "anonymity" of the attacker's public, internet IP.

Please return to me with comments on this issue.

Thank you very much for your attention.

Sincerely,

- --
Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar
Computer Security Consultant - http://www.buanzo.com.ar
Genetic - A multiplatform Gentoo Portage Frontend - http://genetic.sourceforge.net
for f in www blog linux-consulting vpnmail; do firefox http://$f.buanzo.com.ar ; done

posted by Arturo 'Buanzo' Busleiman @ 12:31 PM  

Wednesday, July 12, 2006

Gaim 2.0 script - name as alias

I've written a Python script that reads a Gaim 2.0 blist.xml file and assigns aliases based on the contact's name, but only for contacts without a locally user-defined alias. Gaim 1.5 had this feature built in (use_server_alias=0 and use_alias_for_title=1), but they removed it.

Check out the script's page for more details at http://www.buanzo.com.ar/lin/use_name_as_alias.html

posted by Arturo 'Buanzo' Busleiman @ 4:32 PM  