Email ID is set as a clear-text cookie and not cleared on closing the browser
Risk Factor : Medium (see below for why)
Reported Date : Feb 13th, 2012 ( reported to the Google Security Team )
To whom ?
TO ALL USERS AND ORGANIZATIONS ACROSS THE WORLD
- Please ask your users to click on “Logout” rather than simply closing the browser.
- I am working with the Google Security team and will post an update once this is fixed.
The following cookie is set as a persistent cookie, i.e. with an expiry date in the future, so the browser keeps it on disk after all windows are closed instead of discarding it like a session cookie.
Name : gmailchat
Value : the account's email ID, in clear text.
Environment :: Both regular Gmail users and corporate Google accounts
Description
- An employee travelling checks his account at an airport and closes the browser. Even though he closes the browser, the gmailchat cookie is still present.
- A user at an Internet station checks his/her email and closes the browser. As the cookie is still present in the browser, it can be read by the next person using that machine (or stolen along with the profile), and it leaves a trace of the account in the browser.
- Corporates/Enterprises might not want their users' email addresses exposed through Gmail cookies.
Steps to Reproduce the issue
Part 1
1. Clear all the cookies in Firefox
2. Sign in to Gmail ( http://gmail.com )
3. Close the browser
4. Open a new browser window
5. Check the cookies: you will see you are no longer logged in, but a cookie named gmailchat is still present in the browser. [ The screenshot below shows the same ]
Update ::1 Oct 24th 2012
The last I heard from them, they are still working on it, with no ETA.
Yes, this is a good catch. One of my friends checked her email in a library and just closed the browser instead of logging out. She is getting a lot of junk emails. I wondered where these guys got her email. I think this is the reason.
I can’t reproduce this. Gmail deletes the cookie when I log out. Here’s the header.
set-cookie:gmailchat=EXPIRED; Expires=Mon, 17-Dec-2012 01:09:51 GMT; Path=/mail/u/0; Secure
Paul,
As stated above, here are the steps to reproduce:
1. Log in to gmail.com
2. Close your browser ( close all browser windows )
3. Open a new browser window and go to gmail.com
4. You will be redirected to the login screen, as you are logged out of Gmail.
5. Check your cookies, look for gmailchat, and it will still be there.
Thanks, Nag
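Both the reproduction steps in the post and the exchange with Paul above come down to one property of the cookie: whether the Set-Cookie header carries an expiry in the future. Logging out sends an expiry in the past (Paul's header), so the cookie is removed; closing the browser sends nothing, so a cookie whose expiry is still in the future stays on disk. The script below is an added example, not code from the original post or from Google: it parses Set-Cookie headers, classifies each one the way a browser does, and flags persistent cookies whose value is an e-mail address. The sign-in header, the address alice@example.com, its expiry date and the sessionid cookie are constructed for the example; the logout header is the one Paul quoted.

```javascript
// Added example (not from the original post): classify Set-Cookie headers the
// way a browser does (session vs. persistent vs. already expired) and flag the
// persistent ones whose value looks like an e-mail address. A session cookie
// (no Expires/Max-Age) is dropped when the last browser window closes; a cookie
// with a future Expires/Max-Age is written to disk and survives the restart,
// which is the gmailchat behaviour described in the post.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.replace(/^set-cookie:\s*/i, '').split(';')
    .map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attrs = {};
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// RFC 6265 cookie dates are often written "17-Dec-2012"; Date.parse reliably
// accepts the RFC 1123 form "17 Dec 2012", so normalise the hyphens first.
function parseCookieDate(s) {
  const t = Date.parse(s.replace(/-/g, ' '));
  return Number.isNaN(t) ? null : t;
}

// What the browser does with the cookie at time `now` (ms since epoch):
// 'session'    - no Expires/Max-Age: discarded when the browser closes
// 'persistent' - expiry in the future: stored on disk across restarts
// 'deleted'    - expiry in the past (or Max-Age <= 0): removed immediately
// Max-Age takes precedence over Expires (RFC 6265 section 5.3).
function classifyCookie(cookie, now) {
  const { attrs } = cookie;
  let expiresAt = null;
  if (attrs['max-age'] !== undefined) {
    const secs = parseInt(attrs['max-age'], 10);
    if (!Number.isNaN(secs)) expiresAt = now + secs * 1000;
  } else if (typeof attrs.expires === 'string') {
    expiresAt = parseCookieDate(attrs.expires);
  }
  if (expiresAt === null) return 'session';
  return expiresAt <= now ? 'deleted' : 'persistent';
}

// Audit a list of Set-Cookie headers: return the names of cookies that would
// survive a browser restart while carrying an e-mail address in clear text.
function findPersistentEmailCookies(headers, now) {
  return headers
    .map(parseSetCookie)
    .filter((c) => classifyCookie(c, now) === 'persistent' && EMAIL_RE.test(c.value))
    .map((c) => c.name);
}

// Constructed sample of what the response at sign-in might look like. The
// address and the expiry date are made up for this example; the cookie name
// and path are taken from the post and from Paul's logout header.
const LOGIN_HEADER =
  'gmailchat=alice@example.com; Expires=Thu, 17-Dec-2015 01:09:51 GMT; Path=/mail/u/0; Secure';
// Logout header exactly as Paul quoted it in the comments.
const LOGOUT_HEADER =
  'gmailchat=EXPIRED; Expires=Mon, 17-Dec-2012 01:09:51 GMT; Path=/mail/u/0; Secure';
// A constructed session cookie with an opaque value, for contrast.
const SESSION_HEADER = 'sessionid=opaque-token-1234; Path=/; Secure; HttpOnly';

// Time of the audit: shortly after Paul's logout, so the logout cookie reads as
// expired while the constructed sign-in cookie is still years from expiry.
const AUDIT_TIME = Date.UTC(2012, 11, 17, 2, 0, 0);

// Simulate "close the browser and look again": only persistent cookies remain.
console.log(findPersistentEmailCookies([LOGIN_HEADER, SESSION_HEADER], AUDIT_TIME)); // -> ['gmailchat']
console.log(classifyCookie(parseSetCookie(LOGOUT_HEADER), AUDIT_TIME));             // -> 'deleted'
```

Run it with node. Note that page script in the browser cannot do this check: document.cookie exposes only name=value pairs, not Expires, Max-Age, Path or Secure, so session and persistent cookies look identical from there. The classification has to be made on the response headers (as here) or in the browser's own cookie store, which is what step 5 of the reproduction does by hand.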