December 22, 2008

Is There an Email Security Flaw in Google Gmail?

Filed under: security — admin @ 2:46 pm

The recent spate of domain thefts, some of which were reported here on LinkMoney (dot org), has caused me to revisit my Gmail account and analyze whether or not I want to make any changes in my email security settings or in the use of Gmail for secure information.

When you are thinking about setting up a web-based email account and you start thinking about things like “google mail com” you will obviously come to the “Gmail Register” page.  I have to admit, I Love Gmail. I was an early adopter and really loved the convenience of using Gmail accounts for all of my various and sundry Internet forays.  It is very easy to set up.  Once you obtain a Gmail address it is used throughout all of the Google domains, such as Adsense, Analytics, Calendar, Search, and on and on…

In other words, you open your complete identification and every single move to the Google bots.  No problem as long as you don’t care about what information a giant all-encompassing humongous network of computers, all controlled by one company, collects on you, like forever…

I live a pretty clean legal lifestyle and don’t really have anything to hide.  But, do I really want all of this stuff out there in the cloud completely columnarized and searchable by anyone that has access to the data?  I think not, but alas it is already too late for me.

That said, there are SOME things that I think might be better deleted from my Google history.  I decided to start with the situation that made me delve into this train of thought to begin with.  That is my association with GoDaddy.

In each of the recent cases of domain theft that were storied aplenty, like HERE: I Can Steal Your Website and HERE: Stolen Website Returned and dozens of other places, it was reported that in all cases the GoDaddy account holders that had been compromised had also been using Gmail addresses.

Hmmm.  Could it be a Gmail problem?  Matt Cutts from Google said that their security division was looking into it, and a few days ago on one of the mail lists that I subscribe to there was an announcement purported to be from Google that there was no security flaw in Gmail.

Well I am going to tell you about one very scary flaw that I discovered this morning on my own machine, but first I want to continue with my first train of thought.  So I decided that just in case, maybe it would be better to tighten things up a bit.

First, I changed my Gmail password, which hadn’t been changed in over a dozen or so years, maybe longer, ever since I had an account.  Now that doesn’t sound too difficult, but it is a pain in the butt, for every time you log in from a new source or an offsite computer, or check your account settings, or sign into Adsense or sign into Analytics, etc., you have to go through the whole procedure over and over.  No problem, small price to pay if it makes you more secure, right?

Second, I went to GoDaddy and changed the password of my account there.
Good, felt better.  Don’t get too complacent yet.

Then I got to thinking, why not go through all of my old Gmail messages and filter all of the GoDaddy messages, then archive them somewhere, and then delete them all from my Gmail account?

Guess what?  You can’t do that.  There is no method that I have been able to find that allows you to bulk forward, or save to your hard disk, any archived messages.  I checked in my control panel, online Google help, Gmail forums and anywhere else I could think of.  As a matter of fact, in one of the Gmail FAQs they specifically say that you cannot do that.  Bummer.  That is not exactly a great feature, Google.  Duh.

So here is what I did for the past three hours.  I created a Gmail filter for all mail that came from GoDaddy and created a command that will forward ALL FUTURE messages from GD to my https secure email address that came with my ISP hosting account.  The operative word here is “future.”   There is no way to bulk forward all of the previous messages.

Not wanting to be beat by this, I went through each and every previous message from GD and manually forwarded them to my ISP email account, and after I heard the reassuring little blunk sound from Outlook Express that a new email had been received I then manually deleted that Gmail version.

Now there were three pages of messages from GD so this took a while.  I did not bother with the customer satisfaction surveys and the junk mail that GoDaddy constantly sends out, but all of the registration information, account names, passwords, etc., all went to my secure account.  Then I deleted them from Gmail.

Now here is the flaw that I discovered when I started digging into this in the wee hours of this morning. I have many Gmail accounts.  I have a couple of main ones that I use depending upon which hat I am wearing, but then there are many that were set up when I started a new website and wanted to have differing addresses for.  Owning or administering over a hundred websites, this can become a quagmire.

Lo and behold, as I was going down through the list of names of my Gmail accounts that I had set up, I saw one that I did not remember setting up, though it had a slight twinge of memory associated with it.  Here is what I discovered.  Someone that called themselves Tamara Underwood with a Sierratel.com email address WAS IN MY LIST OF PERSONAL GMAIL ACCOUNTS! What the Hell!

How could that be? I started digging into finding out more about this name and the email account shown and found out that she/he had been in my Gmail account list SINCE 2001!  Then the vague memory that I mentioned above kicked in and I do sort of remember this name and that at the time I also had all kinds of computer grief.

At about that time my main computer and my laptop both got infected with multiple viruses that eventually caused me to give up, reformat and reload Windows, because all of the tools at hand were not able to remove the problems.  I never tied the name Tamara to this problem, but it must have been so.

Through searching on Google I found where the same person had posted crappy nonsense comments on dozens of Blogs and message boards during 2001-2002.  In each case the comment would tell the reader to contact them at that email address.  So probably I did so, even though I know better now and never answer anything like that, I might have back then, and that is no doubt how the viruses got on my machines.

But it still does not answer how the heck that person could have gotten their email address in my Gmail forward to mail list?  Do you think that they have been receiving copies of all of my emails for these many years?  That does not seem likely or my life would be in a much bigger mess than it is.  It seems more likely that they somehow might have access to my computer and use that account to send out spam messages.  But still it is scary.  How could it happen?

I would say that this is a security flaw, Google. Someone else with a California ISP address being in my Gmail list should NOT be allowed.  I’m sure you could put the blame on me after so many years.  I just vaguely remember the situation, but I am ABSOLUTELY POSITIVE that I NEVER knowingly inserted that email address into my own account.

So what about you readers?  Do you think this is an email security problem? Did you go to the Gmail Register page?  Check your accounts.  A little housekeeping might be in order.  Our readers would love to hear from any of you that have had similar problems with email security, or if you have any questions or comments on this specific article.  Leave a Comment.

Now I have to go through and do all of the above for each of my other five domain registrars and website hosting companies.

See you in the spring.
Rich

November 4, 2008

Stolen Website Returned To Rightful Owner

Filed under: security — admin @ 3:21 am

Thanks to everyone that read this story and weighed in with your thoughts and suggestions.

The massive outpouring of support for MakeUseOf dot com was phenomenal.  The rightful owner of the blog just made a post that GoDaddy did return it after 24 hours and he said that it would not have happened without the help of all the bloggers and tweeters that kept GoDaddy’s feet to the flames.

We are very happy that it worked out, and again, thanks for all your support.

Rich Hill

ps:  What do you all think, should MakeUseOf initiate legal action?

November 3, 2008

I Can Steal Your Website

Filed under: security — admin @ 11:08 am

This has nothing to do with ICANN, the Internet Corporation for Assigned Names and Numbers, but they certainly ought to be involved in a major policy change.

The domain of the very popular website MakeUseOf.com has been STOLEN! This was reported by Daniel Scocco during the night on his Blog DailyBlogTips.com.

The report says that MakeUseOf was being hosted on GoDaddy and that GD allowed the domain to be transferred away from the owner to somewhere in Dubai. GoDaddy no doubt will cover their ass by saying all security terms were met, but I say Bull Shit! Get better security terms!

How can this happen? MakeUseOf has over 20,000 subscribers, I being one, and we all enjoy the tips and free information given out continuously by MakeUseOf.

This is a Nightmare, a Horror Story fitting for the Halloween season for sure, but sadly true and how will it be resolved?

What would you do if your baby was stolen and taken to a foreign country?

This industry needs better security methods similar to what the online banking industry uses, such as multiple security codes, a primary image associated with the account, two security questions, a mouse pointer select keyboard, and anything else that someone could come up with.

I did notice that one method being offered by some registrars is to limit activity to a specific IP address. That way transfers could only come from one specific computer. That seems like a good idea to me. What do you think?

For now you should make sure that you use DIFFERENT passwords for all of your domains, your administration panels, your hosting company accounts, and so on. Use multiple email addresses for different accounts.

What do you think? Can anyone come up with ideas on how to make this more secure? Let’s talk about it. This HAS to be fixed.

Come on, GoDaddy, fix this and return MakeUseOf to the rightful owner.

Rich Hill

UPDATE – UPDATE – UPDATE:

MakeUseOf has a temporary home on Blogger until this gets fixed.  Go there and give them your support.

http://makeuseof-temporary.blogspot.com/2008/11/make-use-ofs-temporary-home.html