
Google report GMail problem as phishing

Google blog

One year after my domain name was stolen, Google’s Chris Evans has published a blog article reporting the theft as a phishing scheme, whereby the victim is tricked into sharing their email login details.

Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed worldwide within 24 hours of private disclosure of the bug details. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft.

I’m sure Chris meant November.

Google’s blog post came in response to the more recent theft of MakeUseOf.com. Aibek, the MakeUseOf owner, has subsequently, and thankfully, had his domain name returned.

I like to think I’m cautious enough not to open a strange .exe email attachment, nor enter my login details on a fake website, but if that’s what happened, so be it.

I do, however, find it a little odd that a thief would gain access to my GMail account, then choose to add email forwarding filters rather than simply change my password, thus locking me out. I published what I believed happened in my previous GMail hack article.

Regardless, I’m glad Aibek of MakeUseOf had his domain name returned, and that Google have publicly acknowledged the previous Gmail CSRF vulnerability, even if it is over a year after the incident.

Aibek and I are two of the lucky ones. Many other domain theft victims contact me asking for help. Sadly, there’s little I can do except refer them to my account of what happened.

12 spot-on reader comments to “Google report GMail problem as phishing”

  1. I always find it staggering to see the 547 comments left on that article of yours, especially when it comes up under your related posts section. I can’t believe it happened at such a bad time for you as well. But as always, thanks for sharing. I am sure many people have and will check their filters more frequently.

  2. You know this is scary stuff!

    I think I’d puke if my site was hacked. You’ve given us some great advice including the advice about using images/myimage.jpg instead of http://www.davidairey.co.uk/images/myimage.jpg

    I am also doing the full domain, and you’ve made me realise (thank you) that this, yes, is flawed and doesn’t prepare for the possible need for a domain name change.

  3. Jacob,

    The support received was fantastic. A great testament to the power of community. I certainly check my filters more frequently.

    Amanda,

    There’s a negative aspect to using only the image directory i.e. without the main domain, and it involves web traffic from image searches. I’ve actually re-added most of the full code to my images (a painstaking task) in order to boost those visits. Pros and cons though.

  4. Really? Because I get tons of traffic from image searches anyway, I must be doing something else wrong! :)

  5. Your experience was truly illuminating in SO many ways. I find it amusing that a year later, Google is saying “Not our fault!”

    They say wisdom is learning from someone else’s experience so I’d like to personally thank you for sharing what happened. It’s truly changed the way I handle my own domain registration information issues as well as how I work with clients.

  6. When you Tweeted about this Gmail thing last week, I was questioning it because I’m sure you’re a savvy web/email user, David. I can’t imagine you being suckered into giving out your login information like that. And it’s quite curious why it took Google so long to address the issue… seems fishy (no pun intended).

    Regarding the images/myimage.jpg thing, I think WP automatically adds the rest of your domain in there. It’s like with linking. If you don’t put the http:// in there first, WP automatically affixes http://yourdomain.com to the beginning. Ever see those links that go http://yourdomain.comwww.linktoanothersite.com? That’s what’s happening. I believe it’s the same with images, no?

  7. I think that large organisations like eBay, PayPal, etc. should try to do more to make it harder for people to be tricked into giving away details they shouldn’t. The situation will only get worse as time goes on unless an intelligent solution is presented. I once received an e-mail from a fake PayPal site, and the sneaky crooks had recreated the homepage of PayPal exactly as it is to try and get people’s details. I was very impressed by this but at the same time horrified. I reported the site but am sure they will just set up another one. The best advice I received was to never click on an e-mail link to get to a site; instead, type the URL directly into your browser.

  8. Amanda,

    Haha. I’m sure you’re doing lots right. Perhaps I’ve been wrong to go re-adding all those http://www.davidairey.com lines before my /image/image.jpg code. Due to the time it took, however, I’m sticking with the opposite.

    Kathy,

    I think quite a few others found the documenting of my experience beneficial, which is great. I’m curious how it affected your client practices.

    Lauren,

    It is quite phishy ;) even though I can’t rule out the idea I was tricked. I hope not, but it is possible.

    Not 100% sure about those image links. Maybe there was another reason why I re-added the full code, such as images not showing in RSS feeds. Hmmm. Can’t remember now.

    bubble,

    I’m sure there are steps that can be taken to improve security in GMail. For instance, you could have to re-enter your password before applying filters to the account, which would prevent cross-browser script attacks. That said, they’re apparently all fixed now.

  9. Hmm, scary stuff, especially when your entire livelihood is tied into your website(s). I don’t know what I would do if I was to lose control of my email, domains or PayPal account - it would pretty much be the end of the world for me, or at least for my career.

  10. Don’t know how to say this - congrats on the link from Google Blog - pretty bad a**

    Hope nothing like this happens again

  11. Scary stuff indeed. I think the internet is quite scary though when you rely on it for income… there is always going to be an element of lack of control when it comes to SEO. Google and others only need to change things and so many people’s worlds are suddenly turned upside down.

  12. Thanks David, your story as well as the others has made me think twice about where and how I check my email, as well as other secure actions.
