Tuesday, August 19, 2008

Google Talk Desktop Client - Security Lapse

As I exploited a rare server lapse in my office's network settings, the thought of logging in to GTalk crossed my mind, and I gave in to the temptation. Along came another thought - that of sniffing at the HTTP packets leaving my machine, and I fired up my copy of HTTP Analyzer to do the same. What I found out was not very reassuring.

This is the scene: you have a Google Talk desktop client which you use to log on to Google's chat service. You type in your username and password, and click on sign-in. You wait a few moments, and find yourself signed in. All nice and fine. What you wouldn't know is that, unlike your GMail account, which you log in to over a secure sockets layer (SSL) connection in addition to client-side encryption, the GTalk client sends your login credentials in clear text, or the HTTP equivalent of clear text: HTML-encoded text. Encoding is not encryption, and as any programmer knows, it is trivial to decode. All you need is a scientific calculator that can do hex, or a quick JavaScript program.
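To make the point concrete, here is an added example (written for this post, not code from the original entry or from Google) that does what the author did with HTTP Analyzer, but as a check you can run over your own captured traffic: it parses a raw HTTP request, percent-decodes the form body, and reports any credential-looking field that left the machine without TLS. The sample request, hostname, path and field names are constructed for illustration and are not a real GTalk capture.

```python
"""Flag credential fields that an HTTP client submits without TLS.

The encoding of an application/x-www-form-urlencoded body (the "%40", "+",
"%21" sequences) is a transport encoding, not encryption: anyone who can read
the bytes on the wire recovers the values with a single decode step.  This
helper is an added example; the sample request below is constructed and the
field names are an assumption to extend for your own audit.
"""
from urllib.parse import parse_qsl

# Field names commonly used for secrets in login forms (assumption; extend as needed).
CREDENTIAL_FIELDS = {"passwd", "password", "pass", "pwd", "secret", "token"}


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def find_cleartext_credentials(raw: bytes, over_tls: bool) -> list:
    """Return [(field, decoded_value)] for credential fields sent without TLS.

    over_tls is the caller's knowledge of the transport: the same body seen
    inside a TLS session is not a finding, on plain port-80 HTTP it is.
    """
    if over_tls:
        return []
    req = parse_http_request(raw)
    ctype = req["headers"].get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    # parse_qsl performs the percent-decoding ("%40" -> "@", "+" -> " ")
    # that the post describes as a hex-calculator exercise.
    fields = parse_qsl(req["body"].decode("iso-8859-1"), keep_blank_values=True)
    return [(name, value) for name, value in fields
            if name.lower() in CREDENTIAL_FIELDS]


# Constructed sample request: host, path, field names and values are made up.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: login.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 70\r\n"
    b"\r\n"
    b"username=someone%40example.invalid&password=p%40ss+w0rd%21&service=mail"
)

if __name__ == "__main__":
    for field, value in find_cleartext_credentials(SAMPLE_REQUEST, over_tls=False):
        print(f"cleartext credential field {field!r}: {value!r}")
```

Run against a capture of your own client's traffic, this separates the two cases the post contrasts: a login form carried inside SSL (over_tls=True) produces no finding, while the same form on plain HTTP is reported with its decoded value, which is exactly what anyone on the network path could read.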

I looked through the Google Talk website for a place to report this security hole and, to my chagrin, couldn't find one. I looked at various Google Groups to see if they had a place where I could report this finding, but couldn't locate any. A Google search turned up only this: http://www.nta-monitor.com/posts/2005/08/googletalk.html, which is very closely related to my finding. In fact, I was appalled that such a closely related problem had been left unattended for more than three years!

Should you be worried?

No, not unless you surf the Net from an unreliable or unknown cyber cafe / browsing center. If you're logging on from home, you should be worried only if you're the victim of a man-in-the-middle attack (not very likely, realistically speaking). In that case, your Google Account password would be up for grabs, and it would be time to switch to the GTalk client in GMail or the Talk gadget, or, in the worst case, to a new Google ID.

If you're a Google employee reading this post, and would like more information, you can reach me through my blog. However, my guess is that your colleagues would be able to give you more extensive inside information :-)

1 comment:

Anonymous said...

thanks for the tip.