savvy 2005-01-14 19:49:49
Accidental hack reveals Gmail flaw

User names and passwords open to all

Iain Thomson, vnunet.com 13 Jan 2005

A Unix community group has reported a flaw in Google's free Gmail email service which it warns could compromise user information.

Two members of HBX Networks, going by the monikers 'Hairball' and 'MrYowler', were testing a Perl script that would send out a newsletter. When they tried to reply to the test email the page displayed HTML code which included the names and passwords of other users.

"We do realise that Gmail is an invitation-only service in a beta-test state of development," said 'Hairball' on the group's website.

"Nevertheless, many people rely on Gmail heavily, and many more people are forced to communicate with Gmail users because of this reliance.

"These people should expect their communications to be vulnerable to interception, at least until Gmail corrects the issue."

The problem appears to come from poorly defined code boundaries on Google's mail server.

The community group members do not propose a workaround beyond informing Google of the problem, but do include a request for a job with the company at the end of their report.