Google Gmail Vulnerability Being Investigated - InformationWeek
06:45 PM

Google Gmail Vulnerability Being Investigated

A known cross-site scripting glitch could let an attacker hijack messages sent to the victim's Gmail account by redirecting specific messages, says a security researcher.

A possible Google Gmail vulnerability that could allow an attacker to turn Gmail's filtering mechanism into a tool for covert information theft appears not to be directly related to a Gmail security flaw that Google fixed last year, according to Google.

In a post on the blog, Web developer Brandon Partridge on Sunday warned that an attacker can force an unsuspecting Gmail user to create a malicious message filter without his or her knowledge.

In so doing, the attacker can hijack messages sent to the victim's Gmail account by redirecting specific messages into the trash and forwarding a copy to the attacker, or so Partridge claims.

Google is unable to verify these claims at the moment and is trying to get more information from Partridge.

"We're trying to reach the blogger making this claim for more details, but we haven't seen evidence that this would be specific to Gmail -- we use standard industry methods for protecting cookies, similar to most Web services using HTTP," a Google spokesperson said in an e-mail. "In fact, we offer additional protection by offering the option of a secure connection (HTTPS) throughout the session for free."

The undisclosed technique, Partridge claims, can be used to seize control of an Internet domain that was registered using the Gmail account holder's e-mail address, if the domain registrar provides an e-mail-based information recovery process, as does.

Those familiar with the details of the hacking of Alaska Gov. Sarah Palin's Yahoo Mail account may recall the risks of Web-based information recovery schemes.

The exploit details haven't been fully revealed, but in a blog post on Monday, security researcher Petko D. Petkov of said the technique appears to be some form of cross-site scripting (XSS), rather than the cross-site request forgery vulnerability he identified last year.

"XSS flaws in Google are not unusual," said Petkov. "During the last couple of months there were a few privately disclosed exploits lurking around on various places."

Petkov reported partial details of a Gmail flaw back in September 2007.

Google maintains that it resolved that particular vulnerability in October 2007.

Nonetheless, in November 2007, someone hijacked graphic designer David Airey's domain. Airey attributed the domain theft to the Gmail flaw that Petkov identified, though other explanations may also be possible.

XSS attacks can, among other things, be used for stealing browser cookies. "Once the cookie is stolen, the malicious code creates a hidden iframe with a URL containing the variables that authorize Gmail to create a [malicious] filter for your account," Partridge explains in his blog post.

Partridge advises that Gmail users check their filters, under the Settings menu, to make sure there's nothing unexpected. He also advises using the Firefox add-on NoScript.
