The DigiNotar breach (“Operation Black Tulip”) is likely to be a watershed in Internet security, and possibly in how we perceive cyberwar. But one lesser point may get lost: how vulnerable we are when a single username and password unlocks everything tied to a Google account.
Not only does that single account give potential access to email, and through email to other accounts if that address is the recovery address for lost passwords (or the sign-in for other services, as with Chrome web apps), but it also gives access to documents, photos, location information, contact lists and chat records within the Google domain.
This from the Fox-IT preliminary report on the breach:
The list of IP-addresses will be handed over to Google. Google can inform their users that during this period their e-mail might have been intercepted. Not only the e-mail itself but also a login cookie could have been intercepted. Using this cookie the hacker is able to log in directly to the Gmail mailbox of the victim and also read the stored e-mails. Besides that, he is able to log in to all other services Google offers to users, like stored location information from Latitude or documents in GoogleDocs. Once the hacker is able to receive his targets’ e-mail he is also able to reset passwords of other services like Facebook and Twitter using the lost password button. The login cookie stays valid for a longer period. It would be wise for all users in Iran to at least log out and log in, but even better change passwords.
It is worth thinking about spreading one’s services across several accounts and resisting the urge to use Google as one’s sign-in account for third-party services.