
December 26, 2007



I actually am wondering if I've stumbled upon a vulnerability with the FireGPG plugin for Firefox using Gmail. If you are inputting your plain-text message into the JavaScript field in Gmail, and let's say your message is a few lines or more, then Gmail is automatically going to save a draft of your email (the one you want to encrypt) in plain text. It then saves this copy on its servers, thereby circumventing the whole security process! So what's the point?


A follow-up to my previous comment: someone posted on the Ubuntu forums that Gmail uses SSL via HTTPS for secure login, so all traffic would be encrypted. This may be true for anyone who might want to sniff in the middle, but once at Gmail's servers the info is decrypted, which allows curious third parties with access to Gmail's traffic (i.e. law enforcement or government security agencies) access to such things as a saved draft, which is not encrypted outside of the SSL algorithm. Can someone please verify this?


And I want to note that the feature to disable auto-save is planned, but as you said, HTTPS is a solution for the moment!
