Google’s GMail security failure screws a Blogger/Designer!
davidairey.co.uk — Shocking revelation by a well-known designer... a must read... if you are using Gmail... you may not be secure!!!!
- 3960 diggs
- dgreichert, on 12/25/2007, -10/+353 Dugg to support David in getting his domain back.
- Propapanda, on 12/25/2007, -83/+12 Well at least we can rest assured that no one with a real job was hurt by this.
- Skod, on 12/25/2007, -5/+31 Care to explain what a real job is?
- usherzx, on 12/25/2007, -7/+18 propapanda, you're an ass.
- DarkSamus, on 12/25/2007, -9/+1 logowned
- dgreichert, on 12/25/2007, -1/+22 Welcome from your cryogenic sleep capsule - it's almost 2008!! While you were frozen, many new things came about in the past 10 years, including a profession known as blogging. You can read 100s of 1000s of interesting articles from them on a site known as digg.com.
- j4200, on 12/26/2007, -0/+1 AKA: Journalism. Chronicling current events and interests, these freelance writers the world round are using the internet to publish, much like the printing press enabled people to spread their articles cheaply and effectively at the beginning of the industrial age. Only this time it's the beginning of the information age and the overhead of publishing your article is extremely diminished.
- rasterbator, on 12/25/2007, -33/+2 Anyone who read the story, and then logged into their gMail account to check their settings, is a fool. The filter was most likely just installed on your account! Suckas!
- dick-richardson, on 12/25/2007, -1/+10 ***** tard. You have to be logged in FIRST, then visit a malicious site.
Moral of the story... don't stay logged into your gmail account.
- GreyICE, on 12/25/2007, -1/+17 Actually, moral of the story - don't listen to panic. Google fixed this. According to the site linked to in the article:
Update 28 September 2007 at 07:46 GMT (UTC+0)
I promised to release the POC as soon as Google fix the vulnerability, well they did. So, here is how it works:
Grats, it's a 4-month-old security flaw. That was fixed in September.
- glinsvad, on 12/25/2007, -3/+11 Alternate moral: use POP3 to read Gmail
- cyberpear, on 12/25/2007, -2/+10 or IMAP, now that they support it
- itsthebrod, on 12/26/2007, -5/+5 @glinsvad
Using POP3 kinda defeats the purpose of using an online email service.
- da5id, on 12/26/2007, -31/+11 Poor David. Lost his domain. Palestinians lost their domain, but that doesn't get thousands of diggs. Shallow Amerikans.
- estacado, on 12/26/2007, -1/+4 What do you mean David lost his domain. David was KING of his domain.
- abstractual, on 12/26/2007, -4/+17 A word of caution to everyone.
Anytime you visit India or any other country, PLEASE use the "On-Screen Keyboard", and that too, in "hover mode".
Never EVER trust those machines. Those cybercafes are filled with key-loggers most of the time, and I speak from experience.
- Audacitor, on 12/26/2007, -1/+33 If there's an onscreen keyboard, then there's prolly screen recorders. A word of caution to everyone. Don't use cybercafes, period.
- cawpin, on 12/26/2007, -6/+1 Yes, because that has ANYTHING to do with this story.
- j4200, on 12/26/2007, -0/+1 douche
- abhim12, on 12/25/2007, -16/+113 Let's all digg this and support David... and let us all make that damn hacker surrender!!!!!
- fkr3, on 12/25/2007, -0/+82 ... how are we making him surrender?
- chedabob, on 12/25/2007, -10/+3 We could DDOS his spam page with Gigaloader?
- fkr3, on 12/25/2007, -0/+14 That congests his server / the network he's on; it doesn't change ownership of the domain.
- abhim12, on 12/25/2007, -4/+13 The hacker is asking for money... I want him to give back the domain for free.
- fkr3, on 12/25/2007, -2/+22 Maybe if you close your eyes really tight and pray.....
- Gudlyf, on 12/25/2007, -0/+27 Making him move to France?
- glinsvad, on 12/25/2007, -13/+4 I like it. Only problem is, nobody would ever move to France voluntarily...
- BossKey, on 12/25/2007, -1/+6 ...except for all those immigrants...
- alexidigg, on 12/25/2007, -3/+18 Come on, in all of Digg don't you think there are some 1337 enough hackers to have the skills to get some proper revenge? I'm hoping so. Good, old-fashioned revenge.
- 10GunSalute, on 12/25/2007, -5/+23 Anybody who is "1337 enough" to "get revenge" would also probably be *mature enough* to NOT get revenge
- bobcatred, on 12/26/2007, -0/+9 Not that I want to encourage any questionable activity, but in this case they wouldn't necessarily need to get revenge, only to swipe the domain out from under the little extortionist and return it to its rightful owner. That would not only set things right, but the crook wouldn't be getting any money or any more potential identity-stealing information from David Airey. Ideally and if possible, Airey would connect the domain to a new, uncompromised email account and change all necessary passwords before the thief realized he had lost control of the domain.
- grumpyrain, on 12/26/2007, -2/+3 Yes. We can justify this action because we *know* that this is definitely a result of a rogue website that "performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list". It couldn't possibly be that he logged into his email from some compromised net cafe, nor could his visit to a "questionable website" have possibly installed some drive-by malware on his own computer.
Well at least now he has the front page, he should raise enough advertising revenue to pay to launch court action.
- OttawaMarcin, on 12/25/2007, -11/+20 Everyone -- start sending emails to GOOGLE SUPPORT and to GODADDY. It's their fault. They should be paying big time to fix this.
- Dolomite, on 12/25/2007, -9/+7 They need to be sued. What they did is terrible, and a nice financial settlement is in order for this blogger.
- ZPWeeks, on 12/26/2007, -1/+23 No. GoDaddy is following the same rules that all registrars follow. Conclusive evidence is needed to change this. This trick let the attacker access all security credentials required to transfer the domain: the administrative contact address (which, if he were smart, would have been a separate account from his normal one), the password to the original host, and a transfer code.
These rules are not "terrible", they keep sites like mine from getting transferred to others. This is one exception where the client and the client's mail program compromised his own resources.
Gmail isn't responsible either; you sign a user agreement which indemnifies Google from being held responsible for this exact kind of thing. If you need rock-solid, reliable, secure e-mail, don't use a free account, a "beta" app, or anything like that. You're best off paying for or running your own server.
- OttawaMarcin, on 12/27/2007, -0/+1 It is in Google's best interest. Unless they want to start losing a bunch of users.
- runxctry, on 12/25/2007, -1/+38 Here's an idea: some credit card companies offer one-time-use credit card numbers with a spending limit that you choose. So, get a one-time-use number with a spending limit of, say, $1. Email this number to yourself (allowing the hacker to get the number) with the subject "My new credit card number." See if the hacker takes the bait, and when he does, you can start an identity theft/fraud case at your local police department. At this point you can get your case in the courts, then you can get GoDaddy to lock down the domain name.
This is the equivalent of the cops getting you on a technicality. Whether this applies to internet law, someone else needs to help out on this idea.
- HenChao, on 12/25/2007, -0/+11 Interesting idea. However, by this point the hacker probably realizes that David knows his email has been compromised and wouldn't use the same address for something as important as a new credit card number, so he wouldn't take the bait.
- pendrachken, on 12/26/2007, -1/+9 You have entirely WAY too much faith in criminal intelligence. Soooo many crimes are caught just because the committer overlooked / didn't even think about / was just plain greedy past thinking.
- echolyean, on 12/25/2007, -3/+114 Those taunting e-mails from the evil hacker (after all, "hacking" in and of itself is not a bad thing) should be more than enough proof for him to win his case, as long as they can track the person down.
- djay, on 12/25/2007, -4/+101 Digging for help!!!
A note for myself: when leaving on vacation, notify domain/host holder NOT TO change anything unless BY SPEAKING TO ME on the phone, by them calling me :-)
+1 to all previous posts
- echolyean, on 12/25/2007, -1/+27 That's a decent idea. Low-tech security.
- Barryke, on 12/25/2007, -1/+2 Sometimes. It does make it more difficult for the bad guy to stay anonymous and inconspicuous.
A good attempt to steal a domain by applying some social engineering will break that though.
- rootneg2, on 12/26/2007, -0/+1 *any* security measure is vulnerable to social engineering.
It's really the only hack for which there is no true defense.
- r250r, on 12/25/2007, -3/+2 I was just thinking that we need something similar to the lock you can put on your credit report. Tell your host to only allow changes if you provide a previously agreed-upon passphrase. Or only via phone (though VoIP could be hacked, so cellular or landline only).
- bobcatred, on 12/26/2007, -0/+2 The problem with the passphrase is that if the passphrase was in any email on the compromised account, they would have that passphrase and still be able to transfer the domain.
- pendrachken, on 12/26/2007, -0/+1 So you must put in the passphrase the first time you log into your server's control panel before you can set ANY other variables?
- zwaldowski, on 12/25/2007, -1/+2 Most hosts/registrars allow you to put a "registrar lock" on, and do all sorts of other management things.
- elint6, on 12/26/2007, -0/+2 When I travel, I call Visa and let them know so charges in Geneva don't raise eyebrows in New York. Problem is, now someone knows there's no one at your house for a week.
- rabidmonkey1, on 12/25/2007, -11/+20 I'm not a super techie, but is there anything we can do to get these guys to give it up? This may sound stupid, but can we unleash the Digg effect on their server until they give it back? Any better ideas?
- chedabob, on 12/25/2007, -0/+17 Nope, because they might get some advertising revenue by doing so. Gigaloader would be better: attack the images so the ads aren't displayed.
- purelithium, on 12/25/2007, -0/+9 Unfortunately, there are no images on the stolen domain... only text
- Audacitor, on 12/26/2007, -0/+1 There's no ads on the stolen domain either.
- purelithium, on 12/25/2007, -5/+24 Let's all ping flood his server, have it running in the background on your machine while you surf, hopefully we can slam his server down to the ground, if we have enough people flooding him.
In Linux/Unix/Mac OS X you just type "ping -f davidairey.com" into your terminal. Make sure you're running as root, or via sudo.
Let's hammer this MOFO!
- cnldelta, on 12/25/2007, -1/+6 "ping -t davidairey.com" in Windows command prompt
- computergod, on 12/25/2007, -4/+28 Yeah, firewalls have no way of detecting and stopping ping attacks. Ping floods are so new and advanced.
- purelithium, on 12/25/2007, -11/+6 Well, "computergod", at least I came up with something, and didn't just talk ***** about someone else's idea, douchenozzle.
- Drizzit, on 12/26/2007, -1/+2 Yeah, but the bandwidth charges would bankrupt the guy.
- breakpointhalo, on 12/25/2007, -2/+2 That's not even the hacker's page. It's just the "parked domain" page. :-/
- purelithium, on 12/25/2007, -0/+2 So, it's still on some server that the domain holder is most likely paying for. Let's make him pay for that bandwidth...
- splatbang, on 12/25/2007, -0/+4 He he, they're blocking my IP after doing DoS at 1mb/s for 5 minutes
- sarge96, on 12/25/2007, -0/+2 I wrote an HTTP DDoS program for anyone who wants to help out. If you want to help, send me a shout, and I'll email it to you.
My IP is blocked now anyway...
- zwaldowski, on 12/25/2007, -0/+8 Weird. The site now pings as 127.0.0.1, and FF gives a connection error.
- NoStoppingUs, on 12/25/2007, -11/+1 i use AOL. I'll come to the rescue!!!11!!
oh wait. where did my buddy list g....I HAVE MAIIAIIAIAILLL!!!!11!!!
- ivankraszl, on 12/25/2007, -3/+63 Dugg for a story well told!
- smackhero, on 12/25/2007, -2/+9 I dunno, I wish he'd just linked to the GnuCitizen.org page about the Gmail exploit from the beginning ( http://www.gnucitizen.org/blog/google-gmail-e-mail ... ). That page really contains all the relevant information about the exploit that one needs to know.
And for anyone still wondering, Google has already fixed this security hole as indicated by the GnuCitizen page.
- duniyadnd, on 12/26/2007, -0/+2 The hack was released months back, and this blog entry isn't about that. This is the story of a blogger who lost his domain via a hijacking and all the things he had/has to go through. Dugg you up anyway.
- acrodev, on 12/25/2007, -15/+37 This is the best thing that could've happened to David. There's no such thing as bad publicity.
- synwolf, on 12/25/2007, -0/+11 I'm pretty sure this is good publicity.
- acrodev, on 12/25/2007, -1/+2 Well, he wasn't smart enough to use NoScript!
- joshmiao, on 12/25/2007, -0/+8 I can think of several situations that constitute bad publicity.
- petershultz, on 12/25/2007, -0/+6 Including being killed by an orangutan while on the toilet.
- booradley7, on 12/26/2007, -2/+2 Um, yeah, I'm betting David would gladly trade back all this "good publicity" for his old domain... and to have never had to go through all this crap.
- j4200, on 12/26/2007, -0/+1 Absolutely. This publicity came at the cost of his domain's PageRank that had been created organically over time. Time, stress, money are all more costs. This is the kind of publicity that came at a cost unexpectedly. If David wanted this kind of publicity he could have bought it. Though it may be a good thing in the long run, it's hardly the best thing.
Note: I added his blog to my feed reader because it looks good. This is definitely good exposure.
- Kronos6948, on 12/25/2007, -13/+254 Remember folks, people who do this aren't hackers. They're crackers. Script kiddies. Try not to sully the names of the people who really know how to hack and make our tech lives better.
- maxhrk, on 12/25/2007, -11/+23 If the majority decide it is 'hacker' then it is hacker, Kronos. Blame the media.
- j4200, on 12/26/2007, -0/+1 Actually no, but if you feel a good man is defined democratically, then that's your right. Everyone followed behind Hitler, did they not? (disclaimer: I'm not saying Hitler is a good man. Please don't sully my name, media.)
- computergod, on 12/25/2007, -2/+24 I think they call themselves "web entrepreneurs" now.
- perseon, on 12/26/2007, -3/+6 That, my friend, is a losing battle. Sometimes even I find myself saying 'hackers' instead of 'crackers'. That connotation of the word 'hacker' is already too deeply ingrained in the popular lexicon. I gave up that fight a long time ago.
- wilf_brim, on 12/26/2007, -3/+3 Frankly, motives matter for little. If you break into my computer or my server, I don't care what you do after. If I find somebody in my house at night, I'm not going to assume that he is there "just because I want to see what your house looks like, and I want to learn about locks". I'm shooting. Likewise, if you mess with security on servers and systems you have no right to be in, you are little different from the creep that did this.
- Kronos6948, on 12/26/2007, -0/+7 Hackers aren't the ones breaking into your computer. Hackers are the ones who break into the meat and potatoes of programs to learn how they work. If it wasn't for them, we wouldn't have a lot of the freeware we have nowadays. People who break into other people's computers are the ones who are the crackers and script kiddies. Time for you to stop watching movies to tell you what hackers do.
- reepax, on 12/26/2007, -1/+2 So anyone who compromises machines or steals info/accounts is a script kiddie?
- mannymix03, on 12/25/2007, -12/+50 Too bad Digg isn't like a certain other website, where someone would have the real name and address of the script kiddie on the net in 10 minutes and we would all order him 40 meat lovers pizzas (seems all too fitting) and get them delivered to his house. I hope this script kiddie gets what's coming to him, payback IS a bitch
- AppleGeorge, on 12/25/2007, -21/+9 I can tell you're 13 and you're most awesome prank is sending pizza to their house. Good one, jackass. You sure owned them.
- shawnz, on 12/25/2007, -1/+8 i can tell you're 13 because you haven't learned the proper use of "your" yet.
class, next unit: homophones
- zwaldowski, on 12/25/2007, -8/+113 ? ***** off, I'm reading Romeo and Juliet right now. Homophones was more fourth grade.
- drummer1189, on 12/29/2007, -0/+1 Oh, so freshman in high school. I'm not sure whether or not that's any better at all.
I mean he used the f word so he's clearly older than 13, geez.
- foxingworth, on 12/25/2007, -0/+28 Seems like the only ones who get punished there are the pizza companies. The person just denies ordering the pizza (hell, even just put a note on the door) and the pizza companies have to take the loss (they can't resell the pizza).
That sure shows the script kiddie.
- jftitan, on 12/25/2007, -1/+15 Unless you use the script kiddie's credit card.... that is, if the script kiddie is actually old enough to have one.
- mikesbaker, on 12/25/2007, -0/+4 It would still only screw the pizza place after the pizzas were refused - way to not understand how the world works
- .Steven, on 12/26/2007, -0/+1 Yeah, it is called chargeback. And in many countries it is LAW.
- elint6, on 12/26/2007, -0/+1 At least he would get blacklisted from that pizza place.
- aoru, on 12/25/2007, -0/+3 Don't forget the pizza delivery person making 7/hr + tips that is running the hell out of their car in the winter to deliver those pizzas just to get stiffed and miss out on other orders.
- nost4lgic, on 12/25/2007, -1/+7 You mean ebaums? They're hackers on steroids.
- mikesbaker, on 12/25/2007, -1/+49 I manage a pizza place for a living. Don't do that. All the person does is say "I didn't order that" and it's over for him. Meanwhile the store loses $300 in pizza. Doing that is as bad if not worse than costing someone their domain. Grow up.
- drummer1189, on 12/26/2007, -1/+1 God, if I knew what site you were talking about I'd totally be there rather than here.
I miss all the leet people, it seems like they all left.
- aoru, on 12/26/2007, -0/+1 Nah, they just hit puberty.
- gametavern, on 12/25/2007, -13/+107 Well... it's a beta
- computergod, on 12/25/2007, -9/+6 It's a joke, people, you can stop digging down now.
- Barryke, on 12/25/2007, -1/+12 No, he's got a very very valid point.
It is a beta. We all know that.
- skyshock1, on 12/25/2007, -2/+13 It's also already been fixed. :)
- nufa, on 12/25/2007, -68/+5 Who the heck is "David"?
Actually, who the heck cares?
- computergod, on 12/25/2007, -2/+7 You care about 50 million people? Guess you should digg stories about them too.
Actually I care about them too since their zombie PCs keep ***** with my sites and sending me spam. If that little light on your router is blinking like crazy when you're not using the computer, it means someone else is. Is that such a hard thing to understand?
- Jahweh, on 12/25/2007, -2/+3 Why are you even on this website then?
- dgh1973, on 12/25/2007, -2/+25 Dugg, never quite understood how clicking the digg button accomplished anything in real life, but whatever...
Hope all goes well, David, and stay away from questionable web sites that do stupid ***** like this from now on.
- WarriorDan, on 12/25/2007, -4/+154 Come on... some real hackers must visit Digg.com - hack this guy's domain and give it back to him as a Xmas present :D
- Mirag3, on 12/27/2007, -0/+1 Unfortunately, the kinds of web attacks that are most effective in these cases are very hard to target to a single IP address. I'll take a closer look at what you could do, however. Though I'd never, ever actually hack somebody ;)
You know, simply spamming him might work.
- Philluminati, on 12/25/2007, -43/+3 Anyone who says this is an acceptable email service provided by Google is an idiot. So are Google gonna fix this?
- BoomShake007, on 12/25/2007, -1/+21 It says it was fixed, but it doesn't automatically remove any filters created by it. RTFA
- tastypastry, on 12/25/2007, -2/+5 Read the article?
- jamwil87, on 12/25/2007, -1/+6 They already did... According to the article.
- computergod, on 12/25/2007, -2/+7 >It says it was fixed, but it doesn't automatically remove any filters created by it. RTFA
The filters made by it could be anything, hence it is not possible for Google to remove them; users have to on their own.
- omgwthlol, on 12/25/2007, -3/+1 oh dear...
- estacado, on 12/26/2007, -0/+1 No deer. Ass too high, run too fast.
- thailand1972, on 12/25/2007, -15/+89 Flippin' hell - if this was Hotmail, every post would be about how "M$ can't do anything right!". It's GMail, and it's nothing but sympathy for the victim. Can't GMail do any wrong? This was* a vulnerability, no? GMail is very popular. How many are using the same filters now (unpatched)?
*vulnerability patched according to David's website.
- amadeusdemarzi, on 12/25/2007, -5/+16 This is true, but Gmail was also in Beta, so you are taking something of a risk in using their service when it is still incomplete.
- SysstemLord, on 12/29/2007, -0/+1 Hey kids, what the *****? Hotmail, Gmail, Beta and No Beta - nothing is perfect, my dear, every software in the world has vulnerabilities waiting only to be discovered.
- shawnz, on 12/25/2007, -3/+7 but... hotmail isn't beta!
- redwallhp, on 12/26/2007, -2/+3 Hotmail still sucks.
- j4200, on 12/26/2007, -0/+1 Windows Live Mail might as well be though. It's buggy as *****!
- sarge96, on 12/25/2007, -9/+7 Not to mention this is a user stupidity problem, not solely Google's fault.
- j4200, on 12/26/2007, -0/+2 You really didn't read the article, did you? The vulnerability was simply visiting a page with malicious code while you were logged in on Gmail. I'm always logged into Gmail myself. My homepage is iGoogle (god I HATE that name), so I can't exactly log out every time I plan on surfing outside of Google's domain.
- LingNoi, on 02/04/2008, -0/+1 No, you use "NoScript" and only allow JavaScript on websites you trust
- LingNoi, on 12/26/2007, -5/+11 It's not Google's fault that this guy was surfing random porn sites and got his Gmail broken into. You're letting other people's JavaScript code run on your computer. This is what happens when you let everyone use your computer without some kind of filter like NoScript.
- epiffffany, on 12/26/2007, -0/+3 That is similar to blaming porn sites for installing malware for an unpatched IE6 user. Yes, the user is the catalyst, but the problem is really just bad software.
In this case: yes, it was Google's fault for writing bad code that allowed this to happen.
- j4200, on 12/26/2007, -1/+1 The fault partly lies with Google. Please remember that most of the fault is absolutely placed on the attacker's name. I would say Google is about 15% responsible, if that even.
- Philluminati, on 12/26/2007, -0/+1 I'd say more like 80% responsible. This doesn't happen to other mail sites.
- BlaenkDenum, on 12/26/2007, -3/+7 @LingNoi: Not Javascript.
"the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list"
- qwuinc, on 12/26/2007, -1/+4 If my memory serves me, there isn't any way to perform a POST without either the user clicking on a submit button or JavaScript doing it.
- j4200, on 12/26/2007, -2/+1 It would have definitely been done with JavaScript. Blaenk is just pretending he knows what he's talking about.
- thailand1972, on 12/26/2007, -1/+4 Well how many years has it been in beta? And I know this for a fact: many businesses rely on GMail because of its reputation (despite the fact it's in beta). And a lot of Diggers sing the praises of GMail, despite the fact it's in beta. Most people use GMail not thinking about its beta status (and how many people really know what this implies?).
- Mirag3, on 12/27/2007, -0/+1 It's not Gmail, it's a variation of an XSS attack w/ a move around the same-domain policy. It's a clever attack that I demonstrated at a security company a couple of months ago, although I doubt it's exactly the same attack. Unfortunately, it has less to do with the site being hacked and more to do with the browser and the user.
P.S. This is a Javascript XSS attack.
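The GNUCitizen description quoted above (a page on another site performing a multipart/form-data POST to a Gmail interface, with the browser attaching the victim's session cookie) is cross-site request forgery. What follows is an added illustration written for this page; it is not the GNUCitizen proof of concept, not Google's code, and it uses no real Gmail interface. It models a cookie-authenticated "create filter" endpoint in its forgeable form and in a hardened form that also demands a per-session CSRF token the attacker's page cannot read, and it covers the filter-cleanup point from the BoomShake007/computergod exchange with an audit that flags filters forwarding mail off-domain while deleting the original. On the JavaScript argument: the only script the attacker's page needs is `form.submit()` to fire a hidden form on load; the cross-site POST carrying cookies is ordinary form behaviour, and a user clicking a disguised button triggers it with no script at all. The Origin check is included because current browsers send that header on cross-site POSTs; 2007-era browsers did not, so the token is the check that actually mattered then. All hosts, the cookie, the token and the filter fields are constructed for the example.

```javascript
// Added illustration, not the GNUCitizen PoC and not Gmail's code. It models
// why a cookie-authenticated "create filter" endpoint can be driven from
// another site, the server-side checks that stop it, and how to audit an
// existing filter list for what such an attack leaves behind. Every host,
// cookie, token and filter field below is constructed for the example.

const OWN_ORIGIN = 'https://mail.example.org';  // constructed: the webmail host
const OWN_DOMAIN = 'example.org';               // constructed: victim's mail domain
const SESSION_COOKIE = 'sid=abc123';            // constructed: victim's session cookie
const CSRF_TOKEN = 'tok-9f8e7d';                // constructed: secret per-session token

// Minimal model of an incoming request as the server sees it.
function request({ origin, cookie, body }) {
  return { headers: { origin, cookie: cookie || '' }, body: body || {} };
}

function newMailbox() {
  return { filters: [] };
}

// Vulnerable handler: the session cookie is the only credential. A browser
// attaches that cookie to any POST aimed at this host, including one fired by
// a hidden <form> on an attacker's page, so the forged filter is accepted.
function addFilterVulnerable(mailbox, req) {
  if (req.headers.cookie !== SESSION_COOKIE) return { status: 401 };
  mailbox.filters.push(req.body.filter);
  return { status: 200 };
}

// Hardened handler: additionally require the per-session CSRF token, which a
// page on another origin cannot read, and reject a mismatching Origin header
// when the browser supplies one.
function addFilterHardened(mailbox, req) {
  if (req.headers.cookie !== SESSION_COOKIE) return { status: 401 };
  if (req.headers.origin !== undefined && req.headers.origin !== OWN_ORIGIN) {
    return { status: 403, reason: 'cross-origin request' };
  }
  if (req.body.csrf_token !== CSRF_TOKEN) {
    return { status: 403, reason: 'missing or wrong CSRF token' };
  }
  mailbox.filters.push(req.body.filter);
  return { status: 200 };
}

// Audit for the "the hole is fixed but the injected filters remain" point:
// flag filters that forward mail off-domain and delete the original copy,
// so the owner never sees the messages the attacker is receiving.
function findSuspiciousFilters(mailbox) {
  return mailbox.filters.filter((f) => {
    const forwardsOut =
      typeof f.forwardTo === 'string' && !f.forwardTo.endsWith('@' + OWN_DOMAIN);
    return forwardsOut && f.deleteOriginal === true;
  });
}

// The forged request: a hidden multipart/form-data <form> on the attacker's
// page, submitted with form.submit() as soon as the page loads. That submit()
// call is the only JavaScript involved; the POST itself is ordinary HTML.
const forgedRequest = request({
  origin: 'https://evil.example.net',
  cookie: SESSION_COOKIE,
  body: { filter: { match: '*', forwardTo: 'drop@evil.example.net', deleteOriginal: true } },
});

// The legitimate request, as the webmail UI itself would send it.
const legitRequest = request({
  origin: OWN_ORIGIN,
  cookie: SESSION_COOKIE,
  body: { csrf_token: CSRF_TOKEN, filter: { match: 'from:news@example.org', label: 'News' } },
});

// Runs both handlers against both requests and audits the resulting mailboxes.
function demo() {
  const vulnerable = newMailbox();
  const hardened = newMailbox();
  return {
    vulnerableForged: addFilterVulnerable(vulnerable, forgedRequest).status,   // 200
    hardenedForged: addFilterHardened(hardened, forgedRequest).status,         // 403
    hardenedLegit: addFilterHardened(hardened, legitRequest).status,           // 200
    vulnerableSuspicious: findSuspiciousFilters(vulnerable).length,            // 1
    hardenedSuspicious: findSuspiciousFilters(hardened).length,                // 0
  };
}

console.log(demo());
```

The audit is the part a user could actually act on in this story: the fix on the server side does not undo filters already written into the account, so a one-off pass over the filter list looking for off-domain forwards is the check to run after a scare like this one.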
- BurakkuChi, on 12/25/2007, -5/+29 It looks like the IP address that's linked to these "hacks" has port 80 open and is running XAMPP for Windows with the default install... Maybe he's got some personal info that may help David out...
- computergod, on 12/25/2007, -1/+40 Maybe that IP address is a zombie computer.
- demodawid, on 12/27/2007, -0/+1 Or maybe he was using a proxy or otherwise hiding his real IP.
- mfalk, on 12/25/2007, -1/+27 Subpoena the ISP in Florida for the address, then pay him a visit! Worth every penny
- shawnz, on 12/25/2007, -0/+4 until you find out that it isn't actually his IP
- BossKey, on 12/25/2007, -0/+3 What happens when you get to the door of the IP address holder and you find yourself standing in front of the Public Library or Joe's Free Wi-Fi Espresso Joint?
People talk like an IP address is infallible, but...
There was a post in the article thread about turning the IP address over to 4chan's hordes, but they might find themselves blasting away at someone innocent.
Of course, if that cracker used their home account, they deserve what's comin' to them.
- redwallhp, on 12/26/2007, -0/+1 Put on a suit and dark sunglasses first.
- elint6, on 12/26/2007, -0/+1 I'm pretty sure his email provider tracks the IP the hacker used to send those emails. Find that place, even if it's a public library; they maintain log-in sheets.
- BossKey, on 12/26/2007, -0/+1 I don't know about your area, but in mine you can walk in with your laptop and use the library wireless network without having to identify yourself. Some people do it from the front steps outside. Good luck tracking MAC addresses, since they can easily be spoofed.
- computergod, on 12/26/2007, -0/+1 Yeah, not like they would be routing it through someone else's hacked computer.
- mundus, on 05/15/2008, -4/+20 Man, I don't know you. But I feel your pain.
All I can say is I hope you get your domain back, and as much as I hate to suggest this, you should take legal action against Google as well for putting your privacy and livelihood in jeopardy! This could even open a class-action case.
That way you could possibly make up a little bit for the loss you've had. And I think it's totally fair.
Thanks for bringing this to our attention!
- nazadus, on 12/26/2007, -0/+3 Problem is that Google Mail is still in beta. Even if it wasn't, I'm sure they would happily give you all the money you paid for the service, which for most people is $0.
- swqt, on 12/26/2007, -2/+0 It wasn't Google's fault anyway; it is the result of "misuse" on the user's part.
- pw201, on 12/27/2007, -0/+0 Nope: you accepted Google's Terms of Service when you signed up, in which they disclaim all warranties and liability to the extent they can do so by law. Also, you paid nothing for the service, so you don't have a contract with them.
- abhim12, on 12/25/2007, -23/+1Hi All...I thank all my fellow diggers for digging this...I am sure this will help a lot to spread the word and help David so that he gets his domain back for free...also I want to make people aware of this...I have started a campaign through email to unite internet users and help David....if anyone wants to get that email and forward it further, email me at abhim12 at gmail dot com and I'll send it to you so that you can forward it to people you know....let's spread the word
- Lyph5, on 12/25/2007, -0/+11So, to support this guy you're spamming people?
That's a great way to get people on your side.
- abhim12, on 12/25/2007, -4/+0No ...I didn't mean that...not all the internet users in this world are digg users....hence I wanted to spread this word as far as possible...this is not any marketing campaign happening...this is a story of an established designer/blogger whose business got screwed due to a hacker...I apologise if people have got me wrong
- iainc, on 12/25/2007, -1/+29I'm shocked that the huge amount of public support David is getting has not spurred the relevant service providers into action. It's bloody obvious he is being scammed and they won't bend the "rules" to nail the perpetrator.
Personally, I hope the guy is found and that someone manages to righteously break every digit on his thieving little hands.
- skyshock1, on 12/25/2007, -2/+8GoDaddy is THE WORST.
- hakz, on 12/26/2007, -0/+4don't let kevin rose hear you say that :O
- strax, on 12/25/2007, -7/+68The hacker is now selling the domain on sedo.com
http://www.sedo.com/search/details.php4?domain=dav ...
That means that Sedo has the hacker's name, address, email, and payment information.
- omgwthlol, on 12/25/2007, -1/+23digg ***** up the link here for those too lazy to type it in
http://www.sedo.com/broker/index.php4?domain=david ...
- .Steven, on 12/25/2007, -2/+6Or the fake details.
- TDave00, on 12/26/2007, -0/+1It seems Sedo has been informed of the situation. Below is what is returned for the above URL.
"We're sorry, but we cannot process your request due to the possible infringement of third party trademark rights. "
There have to be better options than paying $1500 to take this to court.
- parkamark, on 12/25/2007, -4/+18I have to say that this is one f*cked up hack. It seems that people need to start using the same principles on virtual property as well as physical. For example, when you go on holiday for a month, don't advertise to the world when you are leaving otherwise you risk your house being burgled. Similar situation here, in the virtual sense. Thankfully I don't blog, so don't have to worry about this.
On the Google front, I wonder if Google could be liable for any damages from their insecure code which allowed this to happen? Probably not, as it's a free email service. Shame really, as if anyone can cover the cost of damages to David's site, they could.
- HigherLogic, on 12/25/2007, -0/+3Google's lawyers pretty much make sure they're never responsible for anything in the TOS you agreed upon when signing up for Gmail (and any other service).
- rojano17, on 12/25/2007, -1/+1It's a Beta too
- nazadus, on 12/26/2007, -0/+3I'm curious -- how would letting someone know about that change *anything*?
Since the email was being forwarded without his notice then it doesn't matter if he was home or anywhere else for that matter.
Treating it as stolen property is cool for me though.
- parkamark, on 12/26/2007, -0/+1I can see what you’re saying, but they timed this "hack" exactly when he went on holiday, knowing fine well his access to the Internet would be limited and occasional, thus giving them more time to do the dirty work (moving the domain etc) before he had time to notice, and also making it even more difficult for him to rectify the problem once he had noticed the change.
Also take into account that he would have been, potentially, more difficult to contact abroad (if his ISP had a policy of phoning to authorize his domain transfer, which they didn’t, but the hacker wasn’t to know this) assuming he had a mobile tied to use in the UK only, and obviously, no one would have been home to answer his land line.
In short, this is one of the most perfect hacks I've seen in a while, not because of the fact they hacked his GMail account, but simply because they did their research about him, and timed their hack when it would take the most time for him to notice – by which point, it would already be too late.
- j4200, on 12/26/2007, -0/+1Just like burglars stake out your house leading up to the holidays, having the crowbar in hand the whole time. They won't break in until you are gone. This guy had the filter on David's email prior to him leaving. The DAY he left, however, the domain transfer process began. He waited until David left the house on vacation.
Moral: Don't tell people when you are leaving all your equipment, accounts, and properties for a month. Advertising that information is just kind of stupid. I'm surprised this guy didn't come home to a house with but a toothbrush and camera left. (Though with digital cameras being so prominent these days, he may have seen what happened to the toothbrush before using it.)
- cheesejaguar, on 12/25/2007, -4/+41Did David do this?
http://www.google.com/support/accounts/bin/answer. ...
It is stated in the ToS that if you believe your GMail has been hacked, you must fill out this form.
- redwallhp, on 12/26/2007, -0/+6Does anyone really read the ToS? We all know we should, but...
- Motodog, on 12/25/2007, -2/+15Why am I finding out about this Gmail hack after it's fixed? Yikes. Good luck to him...
- abhim12, on 12/25/2007, -3/+3Hi ...I know it might be fixed but my motive is to spread this because tomorrow some other similar kind of thing may happen to someone else...hence it's important to understand that nothing is indispensable...not even gmail...so let's be cautious...and also by spreading the word it might be that the hacker is forced to surrender the domain to him
- j4200, on 12/26/2007, -0/+2Why are you digging abhim down? He's got a crazy good point. Not even your Apple is impervious. Best security is using precaution in regards to your information.
- Damhna, on 12/26/2007, -0/+3Responsible Disclosure.
- computergod, on 12/25/2007, -11/+4Thanks for the "warning" about a CSS vulnerability that has already been patched.
In other news: Sometimes people get their security compromised before patches get out. Interesting he does not mention the site, I wonder what kind it could have been...
- Lazuli, on 12/25/2007, -0/+1Perhaps he doesn't know.
I use StumbleUpon, and potential security issues are a constant thought in my mind while using it.
I try to mitigate any potential issues as best I can with the resources I have available, but the possible security issues are quite large.
For all we know, it could be a hack that can be employed on MySpace.
I just hope he can get his domain back quickly.
- 10GunSalute, on 12/25/2007, -4/+4A "CSS vulnerability"? Are you kidding me? Some "computergod" you are
- phatvolvo, on 12/25/2007, -1/+7he means XSS, Cross-Site Scripting.
- j4200, on 12/26/2007, -0/+2He means he's a tool. I'm sure he thought it was a CSS vulnerability actually. Probably doesn't know the first thing of XSS.
- ZippyV, on 12/25/2007, -0/+6Not Cascading Style Sheets but Cross Site Scripting.
- kmckanna, on 12/25/2007, -0/+25I admire that he won't pay anything to a criminal for it back. Most people would simply buckle down to it, but he is obviously a part of the select group who want to destroy crime like this by not feeding those people what they ask for so they have a reason to do it again.
- nazadus, on 12/26/2007, -1/+7Or perhaps he's not foolish enough to use some random escrow service.
Many of those services are fake and just steal your money. If the dude stole your website, would you trust him on any other site?
- j4200, on 12/26/2007, -0/+1Even if somehow he could be trusted, I still wouldn't give him a dime. That is the reason David is not doing it either. He repeatedly says it. Thieves deserve not to be bargained with. Even if it costs him $1500, to only just START the process even, he's going to fight this guy in court. You must be one of those people that just take personal attacks with a grain of salt and let people walk over you repeatedly. If that suits your style of life so be it. You must learn to realize that not all people are like this though. Some people have strong principles and thievery is one of those thorns that just jab real hard in some people's sides.
- Malakin, on 12/25/2007, -5/+21The easy way to avoid similar future hacks is to use the Firefox extension noscript. Noscript disables javascript on all web pages unless you allow it to run.
Another defense against crackers getting your password is to go through an encrypted proxy anytime you connect to an unsecure network such as an open wireless network. This won't help against the javascript attack, but will prevent people from sniffing your password over the network.
- Malakin, on 12/25/2007, -1/+9Why the hell would people digg me down? Is giving advice on securing your passwords frowned upon by some?
- computergod, on 12/25/2007, -1/+5Welcome to digg.
- supz, on 12/25/2007, -0/+6Parent = Dugg up... For those who aren't familiar, NoScript is like a firewall for web-level plugins and features. It's default deny, so by default no web page is allowed to execute javascript, flash objects, java plugins, etc, without you allowing it. It's all configurable, and frequently updated.
I use NoScript on every computer I have and make sure to only allow javascript from trusted domains. You can also permanently blacklist certain domains, like doubleclick.net, etc, to never even show them as an option.
www.noscript.net
- mcduckov, on 12/26/2007, -0/+2It also blocks cross-site scripting attacks (XSS) which is, I think, what was used here. Noscript, flashblock and filterset.g are absolute must-have extensions.
- shredomatic, on 12/25/2007, -35/+12Buried for being an idiot and using gmail for your business.
- twinklyJesus, on 12/25/2007, -24/+5Oh no, a blogger got screwed! This must never happen again! All hail our new blogging overlords!
(or just call him a WAAAAAAMbulance!)
- bubbles19518, on 12/25/2007, -17/+8lol that's not how they hacked him. He logs onto an internet cafe in India and is surprised when his gmail gets hacked? Someone needs to show him the beauty of https://
- abhim12, on 12/25/2007, -1/+1that's not correct...read this http://sphinn.com/story/20117 and carefully read the comments where david says that it was not through a cyber cafe
- terath, on 12/25/2007, -0/+4Someone needs to show you the beauty of a hardware key logger. Cyber security is only as good as physical security.
- computergod, on 12/25/2007, -2/+1Yeah, not like you can do a MITM attack on SSL. *runs away, laughing*
Seriously though, there are commercial products out there that do that. The tried and true way is still VPN.
- dood, on 12/25/2007, -0/+2This has nothing to do with socket-level encryption.
- SlimFastForYou, on 12/25/2007, -1/+7Buried for inaccuracy. The hack started the day he left, not when he was in an Indian cyber-cafe. Besides, chances are if the hacker used a Ft. Lauderdale, Florida IP address, he is American, not some Indian lurking in a cyber-cafe.
- cyberoidx, on 12/26/2007, -1/+3I don't know why bubbles19518 is being buried.
If you were Indian, you'd know the amount of crapware installed in Indian cybercafes. Any other semi-script-kiddie knows how to bypass obnoxious security software, install keyloggers and walk out.
Personally, I never access the internet from someone else's computer, or an unsecure connection. First hand experience with keyloggers.
- j4200, on 12/26/2007, -1/+2Because his gmail wasn't hacked from a cyber cafe? They already had the filter set up before he left on his trip
- grimward, on 12/25/2007, -12/+7I can't really feel any sympathy for somebody that got hacked like this. David: You have only yourself to blame for this.. why? First of all, not only do you log on to your web mail through a possibly compromised computer at a net café somewhere, but you also do so with a system that allows scripts to be run by default. Look at this as a very expensive first lesson in internet security, nothing is safe until you MAKE it safe.
- miniboie, on 12/25/2007, -0/+13He logged into an internet café AFTER all this crap had happened. The support ticket to redirect the URL was filed on the exact day he left for India so it most likely couldn't have happened when he was in India.
- abhim12, on 12/25/2007, -1/+0read this http://sphinn.com/story/20117 and carefully read the comments where david says that it was not through a cyber cafe...miniboie you are right
- grimward, on 12/25/2007, -0/+1*tells self to RTFA properly* I stand corrected on the part of the online café logon!
But I still maintain that he wouldn't have been subjected to this had he properly disallowed scripts globally, exploits need scripts to function, that simple. Do note that I don't hold Gmail blameless, they slipped up too, but as a user it's up to YOU to keep your data safe, and trusting an online free service such as gmail to keep you safe is about as responsible as to hire a bum to water your plants while you're away. The article author even mentions that hindsight is 20/20, which sort of negates his whole article, he slags Gmail for his own shortcomings and then when faced with his own shortcomings he cops out with "hindsight is 20/20" well wouldn't the same apply for Gmail then? The guy's a hypocrite and this proves it.
- Chaulis, on 12/25/2007, -1/+12This just happened to a bar owner friend of mine. He came to me asking for help, and from what I've seen, it's the same guy who did this one. If this helps
http://lockerroomsaloon.com
for added evidence that this guy does this for a living, and quite constantly.
- kkkkk, on 12/26/2007, -0/+4Have you left David a comment? I think it'll be a stronger case should he want to take this to court. This is organised crime!
- j4200, on 12/26/2007, -0/+1Not exactly organized crime.
http://www.rcmp-grc.gc.ca/organizedcrime/what_e.ht ...
There's the international definition there as well. Though it's possible this could qualify, the information at hand right now does not justify the title. Organization would also imply that the criminal is somewhat smart. Judging by the guy's emails, he doesn't seem to be too sharp.
- ronk, on 12/25/2007, -1/+14What would be great is a Firefox plugin that allows you to selectively disable cross-site queries. This way one can disable cross-site requests to Gmail, Hotmail etc. Thoughts anyone?
- Jahweh, on 12/25/2007, -1/+4Get your source code out
- supz, on 12/25/2007, -2/+8http://www.noscript.net
- l00s3r, on 12/25/2007, -14/+4Look, don't click links in your email. This is the year 2007; you've had probably a decade to figure this out.
- HigherLogic, on 12/25/2007, -1/+4RTFA. Dave didn't click a link, there was a vulnerability in Gmail which allowed a person to add a mail filter to an actively connected Gmail account when you visited a page with the exploit on it.
- omgwtfwallhack, on 12/25/2007, -1/+9He didn't you ***** idiot. This is the year 2007, learn to read.
- icedevil6, on 12/25/2007, -3/+1And if you read the write-up you would know that has nothing to do with the vulnerability.
- rojano17, on 12/25/2007, -1/+1Why would you comment on something you haven't even read.
- redwallhp, on 12/26/2007, -0/+1I don't know. (now I'm going to read your comment)
- MWeather, on 12/25/2007, -13/+7Surely he means Google Apps Gmail, which he pays for, and not plain old Gmail, which can't be used for business purposes.
- liquidgecka, on 12/25/2007, -1/+0Didn't work for google apps. OR rather, was much, much harder to work. Google apps use a url like: http://mail.google.com/a/foo.com/... which means that the URL would need to be crafted custom for each and every domain. This only worked because he was using gmail with no apps support.
- redwallhp, on 12/26/2007, -0/+1I'm guessing he uses GMail to access his POP/IMAP inbox.
- Zoness1, on 12/26/2007, -1/+6Comment buried because you said you have to pay for Google apps, untrue.
- j4200, on 12/26/2007, -0/+1buried because he's a tool spreading fud
- karolisonline, on 12/25/2007, -11/+5run ping in your pc background: ping -t davidairey.com ; digg community can help, all diggers would make huge amount of requests, server will crash and cracked account will be shut down by hosting company.
- Qumahlin, on 12/25/2007, -0/+2um...what would that accomplish? So the Domain would no longer truly "work", but the hacker would still win. David still wouldn't have his domain and the hacker still wouldn't have lost a thing...
- SebHughes, on 12/25/2007, -0/+1You forgot to mention the packet size; I'm sure it would be the worst DDoS EVER.
- HouseCentipede, on 12/26/2007, -0/+1They changed it to resolve to localhost, as of now.
- Jahweh, on 12/25/2007, -0/+9lucky for Google, Gmail is beta
- grimward, on 12/25/2007, -2/+1*laughs his ass off* Oh my, that makes my point up there somewhere even more fun :D
- Raian, on 12/25/2007, -4/+50Rather than pay $1500 for a court case-- just pay $500 to an Indian hit man.
- joel8x, on 12/26/2007, -0/+8He lowered it to $250.00. If I were him, I would have paid the $250 and still gone after him legally. It seems like blackmail would be a huge offense as well.
- elint6, on 12/26/2007, -0/+6Yup, after the payment, it's considered extortion, too, and not just blackmail
- sarge96, on 12/25/2007, -12/+1Just have to say, you'd be stupid not to notice there's a new filter in your Gmail, it's listed down on the right sidebar.
- alanthing, on 12/25/2007, -0/+10You're thinking of labels, not filters.
- ScottDaMan, on 12/25/2007, -4/+16Don't use gmail for business?
- zwaldowski, on 12/25/2007, -3/+4Doesn't that kind of defeat the point of Google AFYD?
- LightSpeed4, on 12/26/2007, -2/+1you're a google fanboy, go away
- zwaldowski, on 12/26/2007, -0/+2Oh, really? There's a difference between "fanboy" and "knowledgeable user."
- liquidgecka, on 12/25/2007, -0/+0This wouldn't work nearly as well if it was an Apps based thing. This hack relied on a request to mail.google.com/blablabla working and would need custom URLs to make it work with GAFYD based email systems.
- lonewalker, on 12/25/2007, -12/+1Internet 101, never visit links from emails, especially some unknown website
- zwaldowski, on 12/25/2007, -1/+4Listen you... I'm not even going to say it. RTFA first.
- lonewalker, on 12/26/2007, -1/+1Hah.. you just assumed I didn't read the article first.
>The victim visits a page while being logged into GMail. Upon execution, the page performs a multipart/form-data POST to one of the GMail interfaces and injects a filter into the victim’s filter list.
Visits a page... huh, from where? Tell me the URL popped out of thin air on his screen? Email, of course.
- zwaldowski, on 12/26/2007, -2/+1Links from emails?
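The exchange above (and ronk's earlier wish for a browser add-on that blocks cross-site requests to webmail) comes down to cross-site request forgery: a page on one origin makes the logged-in victim's browser POST to another site's settings endpoint, and the browser attaches the victim's cookies as it would for any request. Blocking client-side is one option; the server-side fix is to require proof that the request came from the site's own page. The following is an added example, not code from the article, from Google or from GNUCITIZEN: a hypothetical "create filter" handler in Python that checks the Origin/Referer header against the site's own origin and requires a synchronizer token derived from the session. The origin mail.example.com, the session store, the endpoint and field names, and the attacker.example.net address are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical server-side secret for deriving tokens; in production this
# comes from configuration, never from source code.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical webmail origin; constructed for this example.
SITE_ORIGIN = "https://mail.example.com"

# Constructed session store: session cookie value -> account.
SESSIONS = {"sid-1234": "victim@example.com"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session. The legitimate settings
    page embeds it in its form; a page on another origin cannot read it
    (same-origin policy), so a forged POST cannot supply it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(url: str) -> bool:
    """Exact scheme+host comparison; a prefix test would let
    https://mail.example.com.attacker.example.net through."""
    site, given = urlsplit(SITE_ORIGIN), urlsplit(url)
    return (given.scheme, given.netloc) == (site.scheme, site.netloc)


def handle_create_filter(req: Request) -> tuple:
    """Hypothetical 'create mail filter' endpoint. Returns (status, text).
    The session cookie alone is not enough: the browser attaches cookies
    to cross-site POSTs too, which is exactly what a CSRF page relies on."""
    if req.method != "POST":
        return 405, "method not allowed"
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    # Check 1: if the browser tells us where the request came from,
    # it must be our own origin.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is not None and not same_origin(source):
        return 403, "cross-origin request rejected"
    # Check 2: the token must match the one issued for this session
    # (constant-time comparison, bytes so non-ASCII input cannot raise).
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(issue_csrf_token(sid).encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    rule = (req.form.get("match", ""), req.form.get("forward_to", ""))
    return 200, f"filter created: {rule!r}"


def legitimate_request() -> tuple:
    """Constructed: the victim submits the real settings form, which
    carries the token the server issued for this session."""
    sid = "sid-1234"
    return handle_create_filter(Request(
        method="POST",
        headers={"Origin": SITE_ORIGIN},
        cookies={"session": sid},
        form={"csrf_token": issue_csrf_token(sid),
              "match": "from:(newsletter@example.org)", "forward_to": ""},
    ))


def forged_request(with_origin: bool = True) -> tuple:
    """Constructed: a page on another origin auto-submits a form to the
    endpoint. The browser still sends the session cookie, but the page
    cannot read the token, and any Origin header names the other site."""
    headers = {"Origin": "https://attacker.example.net"} if with_origin else {}
    return handle_create_filter(Request(
        method="POST",
        headers=headers,
        cookies={"session": "sid-1234"},
        form={"match": "transfer-approval.com",
              "forward_to": "attacker@example.net"},
    ))


if __name__ == "__main__":
    print("legitimate:", legitimate_request())
    print("forged (with Origin):", forged_request())
    print("forged (no Origin):", forged_request(with_origin=False))
```

The two checks are deliberately independent: the Origin test catches the forgery even when the token logic has a bug, and the token test catches it when the browser sends no Origin or Referer at all. Modern browsers add a third layer by treating cookies as SameSite=Lax unless told otherwise, which keeps the session cookie off cross-site POSTs; that attribute did not exist in 2007.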
- SavageBlackCat, on 12/25/2007, -17/+8What n00b runs a business using Gmail?
- zwaldowski, on 12/25/2007, -0/+3All those enterprises and schools using Google Apps for Your Domain.
- redwallhp, on 12/26/2007, -0/+1GAFYD FTW
- secureslash, on 12/25/2007, -3/+2Sorry, that link http://www.gnucitizen.org/util/csrf?_method=POST&_ ...
created a new filter in my gmail account. It works without any problem. http://www.gnucitizen.org/blog/google-gmail-e-mail ... Thank you gnucitizen for this great finding.
- cyberoidx, on 12/26/2007, -0/+1And Gnucitizen just felt the digg effect.
- DivisibleByZero, on 12/25/2007, -9/+2Pretty clever hack on their part, but it's what you get for thinking that ad for discount viagra was legit.
- vonskippy, on 12/25/2007, -8/+2What, you mean that using a free email server that has NO support via phone and lets script kiddies capture whatever cleartext data you send or receive is a BAD idea? Go Figure.
- liquidgecka, on 12/25/2007, -1/+0Umm.. httpS:.. if you are using secure http it is safer than virtually all other options. Hell, it might even be better than keeping mail on your laptop statistically speaking. The odds of having your laptop stolen are much less than the odds of having your gmail account hacked.
- redwallhp, on 12/26/2007, -0/+1httpS is used by default. Go to gmail.com and look at the URL.
- fartbuttes, on 12/25/2007, -0/+2How was David's hosting account compromised in the first place? He was able to log in, so the password wasn't changed. Not only that but here are the filters applied to his Gmail account:
Matches: transfer-approval.com
Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it
Matches: from:(transfer-approval.com)
Do this: Forward to ba_marame_pooli@yahoo.com, Skip Inbox, Delete it
Nothing about passwords. In order to file the ticket for domain change to his web host the "hacker" would have to have been logged in to David's web host panel. Am I missing something here?
- tekrat, on 12/25/2007, -0/+1Suppose you leave XYZ email archived on GMail that has your username and password. Someone could run a filter on all archived email and voilà, get your password.
- fartbuttes, on 12/25/2007, -1/+3I still don't see how it happened exactly. He would have had to have visited the same compromised website multiple times in order for the thief to hide those kinds of filters which were not present when David checked his GMail. Also any webhost that sends you your password in plain text as opposed to making you reset it is very dumb and David was asking for this in my opinion, if indeed your scenario is what happened. Not only this but if the "hacker" had complete access to David's account through a password why did he stop there? Why didn't he change David's password and administrative email and completely take over his account? Could've been just a lazy move on the "hacker's" part but nonetheless seems odd. I suppose he may have wanted David to keep access to the account so he could buy his domain name back, then again the thief could have upped the ransom by archiving David's site then deleting all of his databases. (Sorry but David does not seem the sort to back up his databases; I could be wrong though, plus the thief should have assumed that he didn't have a backup)
- pw201, on 12/27/2007, -1/+0Yep, it doesn't make sense. The two vulnerabilities in Gmail were fixed late in September. One of them seems to only allow you to install filters, with the other it's not so clear that that's all you can do. Still, did the baddies already have access to his Gmail account in September? If you have someone's passwords and want to steal domains, the obvious thing to do is take it out from under them as soon as you can, in case they get around to changing the passwords. You can prevent the mark from knowing until it's too late by setting up filters, certainly, but that doesn't prove that the bad guys got in using a vulnerability which happens to let you set up filters.
I too was going for the "Indian hackers in the cybercafe with the keylogger" solution until I read it again and saw it happened just as the victim went away. Still, it's far from clear that these particular vulnerabilities were the ones the bad guys used.
- Davers, on 12/25/2007, -0/+9"Forget your password? Click here"
"Enter your email address and click submit"
Password gets sent to your email from transfer-approval.com.
- kweeky, on 12/25/2007, -0/+5The domain was transferred away from his registrar. The old registrar can't do ***** once it's in the hands of another registrar (hence the whole section about EPP codes)
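The two filters fartbuttes listed above, read together with Davers' point about password-reset mail, describe the pattern that made this work: a rule that forwards mail from the registrar to an outside address and deletes it so the owner never sees the reset or transfer-approval message. This is an added example, not code from the article or from Google: a small Python audit that parses a listing in the "Matches: / Do this:" shape quoted above and flags rules combining external forwarding, hiding the mail from the owner, and a match on an account-recovery sender. The listing itself, the attacker@example.net destination, the own-domain set and the second sensitive-sender entry are constructed; transfer-approval.com is the sender named in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed listing in the 'Matches: / Do this:' shape quoted in this
# thread. The first two rules mirror the ones reported there, with the
# destination replaced by a placeholder address; the last two are benign.
FILTER_LISTING = """\
Matches: transfer-approval.com
Do this: Forward to attacker@example.net, Skip Inbox, Delete it
Matches: from:(transfer-approval.com)
Do this: Forward to attacker@example.net, Skip Inbox, Delete it
Matches: from:(newsletter@example.org)
Do this: Skip Inbox, Apply label Newsletters
Matches: to:(me@example.com)
Do this: Forward to backup@example.com
"""

# Constructed: domains the account owner controls. Forwarding inside them
# is normal; forwarding outside them deserves a look.
OWN_DOMAINS = {"example.com"}

# Senders whose mail carries account-recovery or transfer-approval
# messages. transfer-approval.com is the one named in this thread; the
# other entry is a constructed placeholder.
SENSITIVE_SENDERS = {"transfer-approval.com", "registrar.example.test"}


@dataclass
class MailFilter:
    """One rule from the listing (not a real export format)."""
    matches: str
    forward_to: Optional[str] = None
    skip_inbox: bool = False
    delete: bool = False


def parse_filter_listing(text: str) -> List[MailFilter]:
    """Turn 'Matches:' / 'Do this:' line pairs into MailFilter objects.
    Unknown actions (labels, stars, ...) are ignored."""
    filters: List[MailFilter] = []
    current: Optional[MailFilter] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Matches:"):
            current = MailFilter(matches=line[len("Matches:"):].strip())
            filters.append(current)
        elif line.startswith("Do this:") and current is not None:
            for action in line[len("Do this:"):].split(","):
                action = action.strip()
                lowered = action.lower()
                if lowered.startswith("forward to "):
                    current.forward_to = action[len("forward to "):].strip()
                elif lowered == "skip inbox":
                    current.skip_inbox = True
                elif lowered == "delete it":
                    current.delete = True
    return filters


def domain_of(address: str) -> str:
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def audit_filters(filters: List[MailFilter],
                  own_domains=OWN_DOMAINS) -> List[Tuple[MailFilter, List[str]]]:
    """Flag rules that look like covert mail diversion: forwarding to an
    outside address, hiding the forwarded mail from the owner, and
    singling out a sender that issues account-recovery mail. A rule is
    reported when at least two of the three indicators are present."""
    findings = []
    for f in filters:
        reasons = []
        if f.forward_to and domain_of(f.forward_to) not in own_domains:
            reasons.append("forwards to an external address")
        if f.forward_to and (f.skip_inbox or f.delete):
            reasons.append("hides the forwarded mail from the owner")
        if any(s in f.matches.lower() for s in SENSITIVE_SENDERS):
            reasons.append("targets an account-recovery sender")
        if len(reasons) >= 2:
            findings.append((f, reasons))
    return findings


if __name__ == "__main__":
    for rule, why in audit_filters(parse_filter_listing(FILTER_LISTING)):
        print(f"SUSPICIOUS  {rule.matches!r}: {'; '.join(why)}")
```

Run against a real account, the parser is the part to adapt to whatever export your provider offers; the scoring is the durable bit. Requiring two indicators keeps an ordinary "forward everything to my other mailbox" rule out of the report while still catching a forward-and-delete rule even when its match criterion names a sender you had not thought to list.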
- OhHarrow, on 12/25/2007, -0/+2To transfer a domain name, all you need to have access to is the admin contact for your domain.
- elint6, on 12/26/2007, -0/+1The guy didn't change his password so he could have a communication channel to blackmail with.
- tekrat, on 12/25/2007, -8/+5This sounds like Google may be liable since this is a known security flaw and there's no apparent corrective action taken. Hey Google, it would be in your best interest to get involved now!
- Davers, on 12/25/2007, -1/+3Yeah, because I'm sure it never says in the agreement you read when you sign up for gmail "Google can not be liable for any damages incurred while using gmail"
- grimward, on 12/25/2007, -1/+3Read above, gmail is beta :D
- liquidgecka, on 12/25/2007, -1/+3Umm.. No corrective action taken? WTF? They fixed the bug. They didn't randomly go through and silently erase a bunch of filters. That is the only reason it went this far.
- gamebittk, on 12/26/2007, -0/+1It shouldn't be Google's fault. It's their free service, and users agree to their TOS.
- Synapse84, on 12/25/2007, -1/+9http://207.36.162.100 = XAMPP 1.6.3a
which is vulnerable according to milw0rm.
http://www.milw0rm.com/search.php?dong=xampp
- shannondoko, on 12/26/2007, -1/+5Which further proves that it is probably a zombie, and not the attacker's personal computer.
- phatvolvo, on 12/25/2007, -3/+10dugg for using the XP Zune theme.
- reazal, on 12/26/2007, -0/+3David does not use XP Zune theme. The screenshots were taken from here:
http://www.gnucitizen.org/blog/google-gmail-e-mail ...
- Davers, on 12/25/2007, -0/+1Well, considering this cracker lowered his price significantly, he's probably already getting nervous. My guess is that this story will have a happy ending.