Friday, 17 March 2017

Some Gmail endpoints are storing e-mails in the browser cache. Google doesn't consider this a security issue

It is well known that if you serve private information, like e-mails, you have to include the no-store value in the Cache-Control header so the browser doesn't persist that information in its cache; otherwise, after the user closes the session, the data will still be sitting there on disk, which is insecure.

According to the W3C, "The purpose of the no-store directive is to prevent the inadvertent release or retention of sensitive information." ( https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2 ) Google is sending this value on most of the responses that contain sensitive data, as you can see in the screenshot below:


 

The problem is that some old Gmail endpoints do not include this value, for instance:

The endpoint mentioned is the one used by the official Gmail Chrome extension:

So every time your browser accesses this endpoint it stores the response in the cache, keeping all your unread e-mail, including a good deal of private information, in a shared location on disk:
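To make the header discussion concrete, here is an added example (not code from the original post or from Google) that parses a Cache-Control value and reports whether a browser may keep the response on disk; the sample headers are constructed. Note that `no-cache` and `max-age=0` only force revalidation before reuse, and `private` only limits caching to the browser itself; only `no-store` forbids persisting the body.

```python
import re

# A Cache-Control value is a comma-separated list of case-insensitive
# directives, optionally with an argument (max-age=0, private="field").
_DIRECTIVE_RE = re.compile(
    r'\s*([a-zA-Z-]+)\s*(?:=\s*("[^"]*"|[^,]*))?\s*(?:,|$)')


def parse_cache_control(header):
    """Return {directive: argument-or-None} for a Cache-Control value."""
    directives = {}
    for name, value in _DIRECTIVE_RE.findall(header or ""):
        directives[name.lower()] = value.strip().strip('"') if value else None
    return directives


def cache_verdict(headers):
    """Classify whether a browser may keep this response on disk.

    Returns one of:
      'no-store'   - the body must not be written to persistent storage
      'revalidate' - the body may be stored but must be checked with the
                     server before reuse (no-cache / max-age=0)
      'cacheable'  - freely reusable from cache until it expires
    Header names are matched case-insensitively; a missing Cache-Control
    header counts as cacheable, which is the failure mode described above.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return "no-store"
    if "no-cache" in cc or cc.get("max-age") == "0":
        return "revalidate"
    return "cacheable"


# Constructed sample responses: a hardened header of the kind the post says
# most Gmail endpoints send, and two weaker variants that still reach disk.
SAMPLE_HEADERS = {
    "hardened": {"Cache-Control": "no-cache, no-store, max-age=0, must-revalidate"},
    "private-only": {"Cache-Control": "private, max-age=600"},
    "missing": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_HEADERS.items():
        print(f"{label:13} -> {cache_verdict(hdrs)}")
```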




I reported this about three weeks ago, sending a detailed description and the following video:



Nobody viewed the video before I got the following answer from Google:




So, since exploiting this security flaw requires access to the computer, Google doesn't care about your security: you must use your own computer :(


In the real world people share computers, and they also use public ones. After a user closes the session, the expected result is that all the user's data stays safe as long as the computer used is not compromised at all; I wasn't talking about installing any sort of malware, keylogger or whatever, just the official Gmail extension.

This is a super easy bug to fix, but the no-store value is still not present. All the other e-mail companies send the no-store value, for instance WorkMail, FastMail and so on.

The other day, while I was waiting at the airport to take a flight, I went to print my tickets using a shared computer; I had to log in to Gmail in order to download the tickets. I decided to install the official Gmail Chrome extension (perhaps Google is distributing malware).
When I came back I made a video in which I was able to access the private e-mail of more than twenty accounts.

I will not publish this video since I prefer not to get into trouble, but I really think this is an important security issue, easy to fix, that should be addressed as soon as possible.
