Gmail Anonymity Issue

The webmail service provided by Google, Inc., named “Gmail” or “Google Mail”, is a fully anonymous mail exchange system when it talks to other Gmail-based domains: the message headers carry no public IP address of the sender.

UPDATE (after 1 day): Hey, I’ve received one comment saying that I should see this as an improvement in privacy. Yes, of course! But I strongly believe in OPTIONS. This should be configurable, at least. Additionally, when you use webmail, the client is the web browser, not the remote webmail software. It’s YOU from YOUR internet connection using the remote service. It’s not crazy to think your IP should be added to the headers 😉

In any case, has anyone bothered to read my last comment: “We’ve been looking for fully anonymizing SMTP servers for decades, and now we discover any gmail.com mail user is vulnerable”? This is like saying “Hey, I like this, but it can also be used by attackers to shield themselves when scamming people” (hence, “any gmail.com mail user is vulnerable”). I love privacy, don’t get me wrong! I wouldn’t be talking about http://vpnmail.buanzo.com.ar if I didn’t.

Google has been notified of this issue, but the response was “Sorry, but we do not understand your issue”. More information was provided, but the same response was received.

I do not consider this a High Risk issue.

SYNOPSIS

Most webmail services provide a means to obtain the full headers of any eMail message stored in the user’s folders. Inside those headers we can usually find at least one public IP address that relates in some way to the mail’s sender.

This is not the case with any gmail-to-gmail eMail message.

In the case of Gmail, full headers can be seen from the “Show Original” action link provided in the “More Options” menu of an already-opened eMail message.

For example, if I send an email from buanzo AT gmail.com to buanzo AT gmail.com, I get something like this:

X-Gmail-Received: 9c6f2229aa1a91477bada005cd389e212c2f7454
Received: by 10.78.83.4 with HTTP; Wed, 26 Jul 2006 11:46:08 -0700 (PDT)
Message-ID: <6f7daea60607261146y43fd4e83gf7db10e0b0d32bf1@mail.gmail.com>
Date: Wed, 26 Jul 2006 15:46:08 -0300
From: "Arturo Busleiman"
To: buanzo@gmail.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_290096_27368964.1153939568233"
Delivered-To: buanzo@gmail.com

------=_Part_290096_27368964.1153939568233
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

test


Arturo ‘Buanzo’ Busleiman / www.buanzo.com.ar

------=_Part_290096_27368964.1153939568233
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

test


Arturo ‘Buanzo’ Busleiman / www.buanzo.com.ar

------=_Part_290096_27368964.1153939568233--

As you can see, no public IP address appears; only private 10/8 addresses.

Of course, email sent from a different account to myself doesn’t show any public address either.

Additionally, I host buanzo.com.ar’s email using the “Gmail for your Domain” beta service. Sending eMail from the web interface of buanzo.com.ar (Gmail-based) to gmail.com, and vice versa, shows the same vulnerability.

We’ve been looking for fully anonymizing SMTP servers for decades, and now we discover any gmail.com mail user is vulnerable.

The vulnerability disappears if the eMail is sent through a MUA like Mozilla Thunderbird or any other SMTP client.
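The check the post performs by eye (walk the Received chain, note that every hop only names a 10/8 address) is easy to automate. The following script is an added example, not code from the original post: it parses the Received headers of a raw message with the standard library, extracts the IPv4 addresses in each hop, classifies them as RFC 1918/loopback versus routable, and flags the “with HTTP” hop the post identifies as the Gmail webmail submission. The first sample is the Received chain from the message quoted later in the post; the second is a constructed chain for a message submitted from a desktop MUA, using placeholder hostnames and the 203.0.113.5 documentation address, so the difference the post describes shows up in the output.

```python
"""Extract and classify IP addresses from the Received: headers of a raw message."""
import re
from email.parser import HeaderParser
from ipaddress import ip_address, ip_network

# "Internal" in the sense the post uses the term: RFC 1918 plus loopback.
# Checked explicitly rather than via ipaddress.is_private, because that stdlib
# flag also covers IANA special-purpose blocks such as 203.0.113.0/24, the
# documentation range used for the constructed public address below.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_internal(addr: str) -> bool:
    """True for RFC 1918 / loopback addresses, False for anything routable."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def received_hops(raw_message: str) -> list:
    """One dict per Received: header, in header order (top of message first).

    Relays prepend Received headers, so index 0 is the most recent hop and the
    last entry is the hop closest to the original sender.
    """
    headers = HeaderParser().parsestr(raw_message, headersonly=True)
    hops = []
    for value in headers.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        ips = []
        for candidate in IPV4_RE.findall(text):
            try:
                ip_address(candidate)           # drop non-addresses such as 999.1.1.1
            except ValueError:
                continue
            if candidate not in ips:
                ips.append(candidate)
        hops.append({
            "header": text,
            "ips": ips,
            "public": [ip for ip in ips if not is_internal(ip)],
            # The post identifies "with HTTP" as the Gmail webmail submission hop.
            "webmail": "with HTTP" in text,
        })
    return hops


def sender_public_ips(raw_message: str) -> list:
    """Routable addresses visible in the Received chain, earliest hop first.

    An empty list is exactly the situation the post describes: every hop names
    only a 10/8 address, so nothing ties the message to the sender's connection.
    """
    found = []
    for hop in reversed(received_hops(raw_message)):
        for ip in hop["public"]:
            if ip not in found:
                found.append(ip)
    return found


# Sample 1: the Received chain of the gmail-to-gmail webmail message quoted in
# the post (other headers omitted).
GMAIL_WEBMAIL_SAMPLE = "\n".join([
    "Delivered-To: some_user@gmail.com",
    "Received: by 10.70.39.10 with SMTP id m10cs137572wxm;",
    "        Tue, 18 Jul 2006 08:58:49 -0700 (PDT)",
    "Received: by 10.78.160.2 with SMTP id i2mr1631532hue;",
    "        Tue, 18 Jul 2006 08:58:46 -0700 (PDT)",
    "Received: by 10.78.83.4 with HTTP; Tue, 18 Jul 2006 08:58:46 -0700 (PDT)",
    "Subject: te amo",
    "",
    "te amo",
])

# Sample 2: a constructed chain for a message submitted from a desktop MUA over
# authenticated SMTP. The hostnames, the queue id and the 203.0.113.5 client
# address are placeholders (TEST-NET-3), not values from the post.
MUA_SAMPLE = "\n".join([
    "Delivered-To: some_user@gmail.com",
    "Received: by 10.70.39.10 with SMTP id m10cs137572wxm;",
    "        Tue, 18 Jul 2006 08:58:49 -0700 (PDT)",
    "Received: from [203.0.113.5] (client.example.invalid [203.0.113.5])",
    "        by smtp.example.invalid with ESMTPSA id k4Lx9a0000112;",
    "        Tue, 18 Jul 2006 08:58:46 -0700 (PDT)",
    "Subject: test",
    "",
    "test",
])


if __name__ == "__main__":
    for label, sample in (("webmail", GMAIL_WEBMAIL_SAMPLE), ("MUA", MUA_SAMPLE)):
        for i, hop in enumerate(received_hops(sample)):
            tag = " (webmail submission)" if hop["webmail"] else ""
            print(f"{label} hop {i}{tag}: {hop['ips']}")
        print(f"{label}: public sender IPs = {sender_public_ips(sample)}")
```

Run against the webmail sample, `sender_public_ips` returns an empty list and the last hop is flagged as the webmail submission; against the MUA sample it returns the client address from the submission hop. For real traffic the same walk also needs IPv6 literals and should treat hops below the first trusted relay with suspicion, since anyone can prepend fake Received lines before handing the message to the first MTA.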

Transcript of my communication with Google regarding this issue. I replied to this eMail two days ago and received the same reply. I then replied to that and asked what, specifically, they didn’t understand.

Date: Wed, 19 Jul 2006 13:41:00 -0700
From: "The Google Team"
To: "Arturo 'Buanzo' Busleiman"
Cc: support@google.com, security@gmail.com
Subject: Re: [#66078110] Anonymity Issue with GMAIL
Message-ID: <#14.3f0459e.39378bd3.44be98dc.1@google.trakken.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
In-Reply-To: <44bd0754.20905@buanzo.com.ar>
User-Agent: Neotonic Trakken/frontend-2.35.6

Hello,

Thank you for your message.

We’re happy to answer any questions you may have about Gmail, or your
Gmail account. However, we need further clarification from you before we
can help. Please reply to this message and include any additional
information that you think might help us address your specific concerns.

Sincerely,

The Google Team

Original Message Follows:
------------------------
From: "Arturo 'Buanzo' Busleiman"
Subject: Anonymity Issue with GMAIL
Date: Tue, 18 Jul 2006 13:07:48 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear people at Google/Gmail,

I’ve been a long-time user of your services (google, gmail, gmail for your domain, orkut, adsense, blogspot). I’m user “buanzo@gmail.com” or “buanzo” on your services.

Yesterday I was helping out on a security issue with a friend. I needed to analyze IP addresses of certain emails my friend received, and test against an identity theft.

The sender and receiver (the “attacker” and my “friend”) are both @gmail.com.

So, when I opened up one of those eMails using the Gmail web interface, then I clicked on “more options” for that sender, then “Show original”, I noticed NO public IP address at all. Only 10.0.0.0/8 private network addresses (internal gmail/google network).

In any case, it seemed that this behaviour ONLY happened when email from sender@gmail.com via web-interface to recipient@gmail.com was sent.

So, for testing, and before sending this advisory to you, I sent an email using the web interface for gmail account buanzo@gmail.com to my wife, some_user@gmail.com.

Then I opened some_user@gmail.com’s account on my 2nd computer, and this is the message source as provided by the “Show Original” button.

As you can see below, the 3rd Received line is the last one, and is “by 10.78.83.4 with HTTP”. WITH HTTP -> that is me using buanzo@gmail.com’s web interface. See below for more details.

X-Gmail-Received: 95f51f3b274bfdc2c834d221f18347acf46e081d
Delivered-To: some_user@gmail.com
Received: by 10.70.39.10 with SMTP id m10cs137572wxm;
Tue, 18 Jul 2006 08:58:49 -0700 (PDT)
Received: by 10.78.160.2 with SMTP id i2mr1631532hue;
Tue, 18 Jul 2006 08:58:46 -0700 (PDT)
Received: by 10.78.83.4 with HTTP; Tue, 18 Jul 2006 08:58:46 -0700 (PDT)
Message-ID: <6f7daea60607180858v5e6c5655w6c17069a2474b5ac@mail.gmail.com>
Date: Tue, 18 Jul 2006 12:58:46 -0300
From: "Arturo Busleiman"
To: "Amor de mi Vida"
Subject: te amo
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_Part_45900_33494322.1153238326171"

- ------=_Part_45900_33494322.1153238326171
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

te amo

- --
Arturo ‘Buanzo’ Busleiman / www.buanzo.com.ar

- ------=_Part_45900_33494322.1153238326171
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

te amo


Arturo ‘Buanzo’ Busleiman / www.buanzo.com.ar

- ------=_Part_45900_33494322.1153238326171--

I believe this is a serious issue that turns any @gmail.com user into a victim of lots of different email-based attacks that one can’t analyze because of the “anonymity” of the attacker’s public, internet IP.

Please return to me with comments on this issue.

Thank you very much for your attention.

Sincerely,

- --
Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar
Information Security Consultant - http://www.buanzo.com.ar
Genetic - A multiplatform Gentoo Portage Frontend - http://genetic.sourceforge.net
for f in www blog linux-consulting vpnmail; do firefox http://$f.buanzo.com.ar ; done
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEvQdUAlpOsGhXcE0RAqfLAJ4zuBaAmeqSaIn+M+tspWeQ77KHmACbBMD+
09pjXERkq/ugURkef+AvLAw=
=YUqc
-----END PGP SIGNATURE-----


Comments

I think they don’t understand you because the Yankees are more “concrete” and go straight to the point, while you come with examples and explanations. It’s not a language problem, it’s a cultural one.
(Not ruling out, of course, that it was read by some cheap Indian/Chinese/Latino who doesn’t understand anything)

I forgot: you should reformat your message like this:

Description of the problem in one or two lines, and then put everything else as “supplementary info”.

That way they understand what is going on and, based on that, they send the request to someone who actually understands (keep in mind that the first line of support must be semi-robots who barely recognize what you write in order to decide who to forward it to or which canned reply to send). If you want those people to work through your whole reasoning, you’re on the wrong track. Because even though your reasoning is correct, it isn’t for just anyone.

hi, i still don’t know how i’ve got into your blog, but…
It seems you have a huge problem with network theory: the ip that is registered in the e-mails is the client one, in this case the ‘client’ is your gmail server (and NOT you), and the receiver is the next gmail server in the mta load balancing system of gmail. So the issue is NO issue. It’s just your mistake.
On the other hand, if you claim to be a security person (as many other cheap security guys out there) you should start setting your mind into Security/Privacy, and anything that would protect privacy is an improvement instead of a fault. (Now I’m wondering why you fill your mouth talking about the ‘tor’ anonymizing system, which actually can be defeated.)
I don’t wanna be rude, but you should seriously think *before* writing.
my 5 cents.

To TKC.. you are WRONG…

Users don’t use MTAs directly.

Before you can talk to an MTA, you MUST use a MUA (Mail User Agent). In this case, the AJAX gMail application acts as a MUA. At least we expect a “custom header” like Hotmail does.

Please read RFC 2821 carefully, then we can talk about “network theory” and “security”.

You can begin reading this:
http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-email-types.html

LG
