Tuesday, August 19, 2008

Google Talk Desktop Client - Security Lapse

As I exploited a rare server lapse in my office's network settings, the thought of logging in to GTalk crossed my mind, and I gave in to the temptation. Along came another thought - that of sniffing at the HTTP packets leaving my machine, and I fired up my copy of HTTP Analyzer to do the same. What I found out was not very reassuring.

This is the scene: you have a Google Talk desktop client which you use to log on to Google's chat service. You type in your username and password, and click on sign-in. You wait a few moments, and find yourself signed in. All nice and fine. What you wouldn't know is that, unlike your GMail account, login to which happens through a secure sockets layer (SSL) in addition to client-side encryption, the GTalk client sends your login credentials in clear text, or the HTTP equivalent of clear text, HTML-encoded text. Of course, as any programmer knows, this is trivial to decode. All you need is a scientific calculator which can do hex and/or a quick JavaScript program.
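The point above, that encoding is not encryption, as an added example (not part of the original post): an audit check that flags credential-like form fields sent over plain HTTP and reverses percent and HTML-entity encoding to measure the recovered value. The field names, hosts and sample requests are constructed assumptions; the post does not show the actual GTalk login request.

```javascript
// Added example: field-name pattern, hosts and sample requests are constructed.
const CREDENTIAL_FIELD = /^(pass(word|wd)?|pwd|secret|token)$/i;

// Undo HTML numeric entities such as &#x68; or &#104;.
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)));
}

// Undo form encoding: '+' is a space, %XX is a hex byte. Malformed input stays raw.
function decodeForm(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// One finding per credential-like field that left the machine without TLS.
function auditRequest(req) {
  if (req.scheme.toLowerCase() === 'https') return [];
  const findings = [];
  for (const pair of req.body.split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = decodeEntities(decodeForm(eq === -1 ? pair : pair.slice(0, eq)));
    if (!CREDENTIAL_FIELD.test(name)) continue;
    const value = decodeEntities(decodeForm(eq === -1 ? '' : pair.slice(eq + 1)));
    // Report the length only, so the audit log never stores the secret itself.
    findings.push({ host: req.host, field: name, length: value.length });
  }
  return findings;
}

// Constructed captures: percent-encoded, entity-encoded inside percent-encoding, and TLS.
const SAMPLE_REQUESTS = [
  { scheme: 'http', host: 'chat.example.test', body: 'Email=user%40example.test&Passwd=%68unter%32' },
  { scheme: 'http', host: 'chat.example.test', body: 'Email=user%40example.test&Passwd=%26%23x68%3B%26%23x69%3B' },
  { scheme: 'https', host: 'mail.example.test', body: 'Email=user%40example.test&Passwd=hunter2' },
];
for (const r of SAMPLE_REQUESTS) console.log(r.scheme, r.host, auditRequest(r));
```

Both plain-HTTP samples produce a finding whatever encoding wraps the value; only the request sent over TLS comes back clean.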

I looked through the Google Talk website for a place to report this security hole and, to my chagrin, couldn't find any. I looked at various Google Groups to see if they have a place where I could report this finding, but I couldn't locate any. A Google search turned up only this: http://www.nta-monitor.com/posts/2005/08/googletalk.html, which is very closely related to my finding. In fact, I was appalled that such a closely related problem had been left unattended for more than three years!

Should you be worried?

No, not unless you surf the Net from an unreliable or unknown cyber cafe / browsing center. If you're logging on from home, then you should be worried only if you're the victim of a man-in-the-middle attack (not very likely, realistically speaking). In that case, your Google Account password would be up for grabs, and it would be time for you to either switch to the GTalk client in GMail, or the Talk gadget, or in the worst case, a new Google ID.

If you're a Google employee reading this post, and would like more information, you can reach me through my blog. However, my guess is that your colleagues would be able to give you more extensive inside information :-)

Wednesday, August 06, 2008

The secret of how I am going to be a genius

I'd like to be remembered as a genius, or at least someone with an exceptional intellect (it's another matter that I may not possess one). So, it stands to reason that I have to achieve something in my lifetime that will give people a reason to think so about me. Of late, however, I'm more and more vulnerable to the charms of Morpheus, who insists on giving me company no matter where I am or what I am doing, but his presence is not utterly devoid of advantages.

I have observed this rather strange phenomenon: when I doze off while reading something, my mind seems to continue to read the sentence that I nodded off at, but with a difference: it supplies its own words, different from those in the text, so much so that the striking difference and the ill-logic sometimes jar me awake! I believe that this is going to lead me to a stupendous discovery one day.

At least, I like to think so; how else can I explain away sleeping in the office, right at my desk? ;-)