Google Gmail Vulnerability Being Investigated

A known cross-site scripting glitch could let an attacker hijack messages sent to the victim's Gmail account by redirecting specific messages, says a security researcher.
A possible Google Gmail vulnerability that could allow an attacker to turn Gmail's filtering mechanism into a tool for covert information theft appears not to be directly related to a Gmail security flaw that Google fixed last year, according to Google.

In a post on the blog, Web developer Brandon Partridge on Sunday warned that an attacker can force an unsuspecting Gmail user to create a malicious message filter without his or her knowledge.

In so doing, the attacker can hijack messages sent to the victim's Gmail account by redirecting specific messages into the trash and forwarding a copy to the attacker, or so Partridge claims.

Google is unable to verify these claims at the moment and is trying to get more information from Partridge.

"We're trying to reach the blogger making this claim for more details, but we haven't seen evidence that this would be specific to Gmail -- we use standard industry methods for protecting cookies, similar to most Web services using HTTP," a Google spokesperson said in an e-mail. "In fact, we offer additional protection by offering the option of a secure connection (HTTPS) throughout the session for free."

The undisclosed technique, Partridge claims, can be used to seize control of an Internet domain that was registered using the Gmail account holder's e-mail address, if the domain registrar provides an e-mail-based information recovery process, as does.

Those familiar with the details of the hacking of Alaska Gov. Sarah Palin's Yahoo Mail account may recall the risks of Web-based information recovery schemes.

The exploit details haven't been fully revealed, but in a blog post on Monday, security researcher Petko D. Petkov of said the technique appears to be some form of cross-site scripting (XSS), rather than the cross-site request forgery vulnerability he identified last year.

"XSS flaws in Google are not unusual," said Petkov. "During the last couple of months there were a few privately disclosed exploits lurking around on various places."

Petkov reported partial details of a Gmail flaw back in September 2007.

Google maintains that it resolved that particular vulnerability in October 2007.

Nonetheless, in November 2007, someone hijacked graphic designer David Airey's domain. Airey attributed the domain theft to the Gmail flaw that Petkov identified, though other explanations may also be possible.

XSS attacks can, among other things, be used for stealing browser cookies. "Once the cookie is stolen, the malicious code creates a hidden iframe with a URL containing the variables that authorize Gmail to create a [malicious] filter for your account," Partridge explains in his blog post.

Partridge advises that Gmail users check their filters, under the Settings menu, to make sure there's nothing unexpected. He also advises using the Firefox add-on NoScript.
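As an added example (not code from the article, Partridge or Google), the following script audits a Gmail filter list for the trash-and-forward pattern described above. It assumes the JSON shape of the Gmail API Filter resource (`criteria` plus an `action` with `addLabelIds`, `removeLabelIds` and `forward`); the sample filters are constructed, not real account data.

```python
# Added example: flag Gmail filters that silently copy mail to a third party,
# especially the "move to Trash and forward" combination from the article.
# Input follows the Gmail API Filter resource; sample data below is constructed.
import json

SAMPLE_FILTERS = json.loads("""
[
  {"id": "f1", "criteria": {"from": "newsletter@example.org"},
   "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
  {"id": "f2", "criteria": {"subject": "password"},
   "action": {"addLabelIds": ["TRASH"], "forward": "drop@attacker.example"}},
  {"id": "f3", "criteria": {"to": "me@example.com"},
   "action": {"forward": "me@example.com"}}
]
""")


def audit_filters(filters, own_addresses):
    """Return [(filter_id, [reasons])] for filters that deserve a second look.

    Flags a forward to any address not in own_addresses (a silent copy to a
    third party) and, separately, a forward combined with TRASH, which hides
    the original from the victim while the attacker still receives it.
    """
    own = {a.lower() for a in own_addresses}
    findings = []
    for f in filters:
        action = f.get("action", {})
        forward = (action.get("forward") or "").lower()
        trashed = "TRASH" in action.get("addLabelIds", [])
        reasons = []
        if forward and forward not in own:
            reasons.append(f"forwards to external address {forward}")
        if forward and trashed:
            reasons.append("forwards a copy and moves the original to Trash")
        if reasons:
            findings.append((f.get("id"), reasons))
    return findings


if __name__ == "__main__":
    for fid, why in audit_filters(SAMPLE_FILTERS, ["me@example.com"]):
        print(fid, "; ".join(why))
```

Only `f2` is reported: `f1` merely labels mail and `f3` forwards to the owner's own address.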