November 18, 2004



Hello Peter, thanks for linking to me. Here is my own interpretation of what is going on.


At first glance my last post may look like a Gmail security exploit. I
would like to stress this is not the case. Take a look at an example
of one of the feeds...


This is a Perl script that resides on the dirson.com domain. The
script appears to access the Gmail account and in turn provide an RSS
feed. This is a very simple thing to do, but not a good idea in my
opinion. This goes way beyond privacy concerns from ads delivered by
Gmail based on email content. My concern here is not that this is any
kind of security breach, but rather that this is another example of
private information being carelessly thrown around. Bloglines users
have to realize that if they have a public account, their feeds are
open for the world to look at. A desktop reader would not have these
problems with the above-mentioned service. I am also a little
surprised the creator of the above script did not think of this
possibility. All Gmail accounts are accessible as an RSS feed, but
they are secured by encryption. With the popularity of the idea of
RSS-streamed email I can see this causing some problems in the future.
As a side note, I believe receiving email via an RSS feed might create
habits which result in much wasted bandwidth. An email feed might make
someone more prone to refreshing the aggregator at a high rate. If
anyone else has anything to add please let me know.
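The exposure described above is easy to spot in a feed reader's own subscription list. The following is an added example, not part of the original post or of the dirson.com script: it reads an OPML export (the format Bloglines and desktop readers use for subscriptions) and flags mailbox feeds that are read through a third-party host, fetched without encryption, or carry credentials in the URL. The hostnames, feed URLs and the list of first-party mail hosts are assumptions constructed for illustration.

```python
"""Flag mail-to-RSS subscriptions that expose a mailbox through a third party.

Added example, not code from the original post. Input is an OPML export as
produced by a feed reader; every URL and host below is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs

# Hosts the mail provider itself serves feeds from (assumption for this
# example: the provider's own host, which serves the feed over HTTPS).
FIRST_PARTY_MAIL_HOSTS = {"mail.google.com"}
# Substrings that suggest a feed URL is a mailbox rather than a news feed.
MAIL_HINTS = ("mail", "inbox", "gmail")


def audit_outline(xml_url: str) -> list[str]:
    """Return the reasons a single feed URL is risky ([] if none)."""
    u = urlparse(xml_url)
    host = (u.hostname or "").lower()
    q = parse_qs(u.query)
    text = (u.path + u.query).lower()
    looks_like_mail = host in FIRST_PARTY_MAIL_HOSTS or any(h in text for h in MAIL_HINTS)
    reasons = []
    if not looks_like_mail:
        return reasons
    if host not in FIRST_PARTY_MAIL_HOSTS:
        reasons.append("mailbox read through third-party host %s" % host)
    if u.scheme != "https":
        reasons.append("feed fetched without encryption (%s)" % u.scheme)
    if u.username or u.password or any(k in q for k in ("user", "pass", "password", "pwd")):
        reasons.append("credentials embedded in feed URL")
    return reasons


def audit_opml(opml_text: str) -> dict[str, list[str]]:
    """Map each risky feed URL in an OPML document to the reasons it was flagged."""
    findings = {}
    for node in ET.fromstring(opml_text).iter("outline"):
        url = node.get("xmlUrl")
        if url and audit_outline(url):
            findings[url] = audit_outline(url)
    return findings


# Constructed sample: one first-party feed, one proxied inbox, one news feed.
SAMPLE_OPML = """<opml version="1.0"><body>
<outline text="Gmail" xmlUrl="https://mail.google.com/mail/feed/atom"/>
<outline text="Inbox via proxy" xmlUrl="http://feedproxy.example/gmail.pl?user=alice&amp;pass=hunter2"/>
<outline text="News" xmlUrl="http://news.example/rss"/>
</body></opml>"""

if __name__ == "__main__":
    for url, why in audit_opml(SAMPLE_OPML).items():
        print(url, "->", "; ".join(why))
```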



John, is there any possibility that dirson.com is an offshore for Google? I know that they opened a Bangalore office (India) and I also know that certain companies have outsourced R&D coding to Brazil !!

Remember that GoogleCodeJam was won by a Brazilian !! :)-

IMHO, it's not so clear cut as you stated. Yes, aggregation issues appear to be flushing on pubstub.. this is certainly sloppish coding... by any means.. even at deep deep alpha or even primary beta !! But to be publicly visible..big no no ..in my world !! :)-

More follows, as I try to find my way thru. In fact, I am seeing nearly over 40 odd new Gmail accounts that I can obtain RSS from.. but it looks to be all in Brazilian code ??..I'll pass :)-


Given my lack of knowledge on the issue I am not able to say much about what is going on here with authority. The bottom line is that once Gmail gives you an account you can do whatever you want with the information. I think dirson.com might have made the script to service demand for an RSS feed before Gmail provided one. I am pretty sure this would be a simple thing to do as it is only a Perl script. If you had the script you could provide this service yourself on your own webpage. Good job in finding more accounts. If you are able to find other search strings that uncover more accounts, or if you find out more information on the issue, post them on your site or let me know.

