Google cross domain bug proof of concept

Google's Gmail service suffers from security flaws that make it trivial for attackers to create authentic-looking spoof pages that steal users' login credentials, a security expert has demonstrated. Google Calendar and other sensitive Google services are susceptible to similar tampering.

A proof-of-concept (PoC) attack, published by Adrian Pastor of the GNUCitizen ethical hacking collective, exploits a weakness in the google.com domain that allows him to inject third-party content into Google pages. The result is this page, which allowed him (at time of writing, anyway) to display a fraudulent Gmail login page that displayed mail.google.com in the browser's address bar.

Link: The Register


10 Comments


Doesn't surprise me one bit. Gmail sucks anyway! What a piece of crap e-mail!

Google pretty much sucks overall, IMO!

It IS NOT the greatest thing since the invention of the wheel either.

Damn, and I like Gmail a lot better than Hotmail/Live Mail and Yahoo. I guess if Gmail sucks, the rest suck even more? And who's not sucking by the way?

Real nice comment. I have really liked Google a lot better than most other services. They offer more features than everyone else. I have considered Hotmail but I don't like the lack of POP/SMTP, IMAP, or ability to retrieve mail from other accounts. Oh and I have used Gmail for my domain hosting. 0 problems since signup.

(shinji257 said @ #3.4)
Real nice comment. I have really liked Google a lot better than most other services. They offer more features than everyone else. I have considered Hotmail but I don't like the lack of POP/SMTP, IMAP, or ability to retrieve mail from other accounts. Oh and I have used Gmail for my domain hosting. 0 problems since signup.

You can use the Windows Live Mail application or the Outlook Connector to get your mail from your Hotmail account. Both Outlook and Windows Live Mail support external POP3 accounts as well.

Lack of pop/smtp and imap from 3rd party client applications can be enabled as part of a subscription to MSN Plus/Premium.

You can also host your domains with Windows Live too. domains.live.com for anyone who is interested in trying it out.


As for Google's bug, their software is in perpetual beta, it's to be expected. They'll fix it soon enough.

All I can say to this would be, wow...

Wow in the fact that The Register actually has something that is newsworthy, as well as wow to the story itself and how much this will fool people the more and more that the general public starts using more and more of Google's services.