This is the homepage of the Information Security Research Team (INSERT), a joint research group
effort of the University of Puerto Rico at Mayaguez (Puerto Rico/USA) and the State University of
Ceara (Brazil).
News!
05/20/2008 - UPDATE 2 on Gmail's Security Problem
We have updated our draft paper to include the omitted parts.
Additionally, you can download our proof of concept program that demonstrates Gmail's problem in:
http://ece.uprm.edu/~andre/insert/gmail.tar.gz
05/12/2008 - UPDATE on the Gmail Flaw
Due to the unexpected media impact of our report on Gmail's recently found flaw, we felt inclined to give a little update on the issue.
As of 3:00 PM (GMT -0400) today, the flaw we have reported remains unpatched and exploitable. We have run a new experiment where we were able to
use our attack to send 2,000 messages using one Gmail account.
We would like to clarify to the security community that we contacted Google about the issue more than a week ago and no response was provided
despite our clear intent of cooperation regarding this matter.
We have plans to submit a paper about our work on the trust hierarchy of email providers to SBSEG'2008 over this
weekend.
Since the paper will necessarily include full details about the flaw, we see no point in withholding the full disclosure of our self-censored report.
We are still waiting to hear from Google and we sincerely hope that this flaw can be fixed before the full details about the problem are released.
05/07/2008 - Exploiting Gmail as Open SMTP Relay
As part of our recent work on the trust hierarchy that exists among email providers
throughout the Internet, we have uncovered a serious security flaw in
Google's free email service, Gmail. This vulnerability exposes
Google's email servers in a way that allows an attacker to use them as
open spam and phishing relays. This issue is related to the risk of a
malicious user abusing Gmail's email forwarding functionality. This is
possible because Gmail's email forwarding functionality does not impose
proper security restrictions during its setup process and can be easily
subverted. By exploiting this problem an attacker can send unlimited
spam and phishing (i.e. forged) email messages that are delivered by
Google's very own SMTP servers. Since the messages are delivered by
Google's own servers, an attack based on this flaw is able to bypass
all spam filters that are based on the blacklist / whitelist concept.
We were able to confirm that this vulnerability is indeed exploitable
by crafting a proof of concept attack that allowed us to send forged
email messages unrestrictedly through Google's server infrastructure.
We have also verified that this flaw allows attackers to bypass spam
filters by using our method to send messages that are usually flagged
as spam. While sending these messages directly from our network in the
traditional way had the messages classified as spam, by sending the
very same messages using our exploit, the messages were delivered
directly to the victim's inbox, thus bypassing filters. All email
providers that offer Google's SMTP servers any special level of trust
(e.g. whitelist status) are vulnerable. We have contacted Google about
this issue and are waiting for their position before releasing further
details.
Read our draft paper on the issue.
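The filter behaviour described in this item can be reproduced on the receiving side. The following is an added illustration, not part of INSERT's report or proof of concept: it compares a filter that lets whitelist status short-circuit content checks with one that treats relay trust as a single signal. The network ranges, spam terms, weights and messages are all constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Constructed values: a documentation-range network stands in for a whitelisted provider.
TRUSTED_RELAYS = [ipaddress.ip_network("198.51.100.0/24")]
SPAM_TERMS = {"lottery": 3.0, "wire transfer": 3.0, "verify your account": 4.0}
THRESHOLD = 5.0

def relay_ip(raw):
    """IP recorded by our own MX in the topmost Received header."""
    top = message_from_string(raw).get_all("Received", [""])[0]
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", top)
    return ipaddress.ip_address(m.group(1)) if m else None

def content_score(raw):
    body = message_from_string(raw).get_payload().lower()
    return sum(w for term, w in SPAM_TERMS.items() if term in body)

def is_trusted(ip):
    return ip is not None and any(ip in net for net in TRUSTED_RELAYS)

def weak_filter(raw):
    """Whitelist short-circuits: content is never inspected for trusted relays."""
    if is_trusted(relay_ip(raw)):
        return "inbox"
    return "spam" if content_score(raw) >= THRESHOLD else "inbox"

def hardened_filter(raw):
    """Relay reputation is one signal; content is always scored."""
    score = content_score(raw)
    if is_trusted(relay_ip(raw)):
        score -= 1.0  # small credit that cannot outweigh strong content evidence
    return "spam" if score >= THRESHOLD else "inbox"

SPAM_BODY = "You won the lottery. Send a wire transfer fee to claim it.\n"

def make(ip, body=SPAM_BODY):
    """Build a constructed message whose last hop is the given IP."""
    return (f"Received: from relay.example ([{ip}]) by mx.example.org; "
            "Mon, 12 May 2008 15:00:00 -0400\n"
            "From: sender@example.com\nSubject: hello\n\n" + body)

DIRECT = make("192.0.2.10")          # same text sent from an unknown network
VIA_TRUSTED = make("198.51.100.7")   # same text arriving from a whitelisted relay
```

With these inputs `weak_filter` files `DIRECT` as spam but delivers `VIA_TRUSTED` to the inbox, while `hardened_filter` classifies both as spam.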
03/27/2008 - SBSEG2008 - Paper Submissions Open
The Brazilian Symposium on Information and Computer System Security (SBSeg)
is a scientific event promoted annually by the Brazilian Computer Society
(SBC). It was held as a workshop between 2001 and 2004 together
with the Brazilian Symposium on Computer Networks and Distributed
Systems (SBRC). From 2005 on, concomitantly to the establishment of the
SBC's Special Interest Group on Information and Computer System
Security, SBSeg evolved into a full-fledged symposium. That allowed it
to satisfy the growing demands by the Brazilian academia/industry for
such a forum, as well as become the premier symposium in the country
for the presentation of research and activities related to information
and computer system security.