Serious vulnerability found in Gmail

Security researcher Petko Petkov has revealed a cross-site request forgery vulnerability in Gmail that makes it possible for a malicious web site to surreptitiously add a filter to a user's Gmail account that forwards e-mail to a third-party address.

Petkov's proof-of-concept exploit for this vulnerability, which has been independently verified but not publicly released, uses a multipart/form-data POST to send instructions to Gmail's internal API. The vulnerability can only be exploited when the user is currently logged in to the Gmail service.
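The server-side check that closes this class of hole, as an added example (not code from Petkov, Ars Technica or Google): a handler for a state-changing request such as creating a forwarding filter treats the session cookie as insufficient and also requires a same-origin request and a session-bound token. The origin, secret, cookie and field names are hypothetical.

```python
import hashlib
import hmac

# Assumptions (all hypothetical, not Gmail's real design): a server-side
# secret, one trusted origin, and a "create forwarding filter" POST handler.
SERVER_SECRET = b"constructed-demo-secret"
TRUSTED_ORIGIN = "https://mail.example"


def csrf_token_for(session_id: str) -> str:
    """Token bound to the session; a third-party page cannot read or derive it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_filter_request(cookies: dict, headers: dict, form: dict) -> tuple:
    """Return (allowed, reason) for a state-changing 'add filter' POST."""
    session_id = cookies.get("session")
    if not session_id:
        return (False, "not logged in")
    # The browser attaches the session cookie to cross-site POSTs as well, so
    # a valid cookie alone says nothing about which page built the request.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return (False, "cross-site origin")
    expected = csrf_token_for(session_id).encode()
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, expected):
        return (False, "missing or bad CSRF token")
    return (True, "ok")


# Constructed sample requests: the same logged-in session in every case.
COOKIES = {"session": "sess-1234"}
LEGITIMATE = (
    COOKIES,
    {"Origin": TRUSTED_ORIGIN},
    {"forward_to": "me@example.org", "csrf_token": csrf_token_for("sess-1234")},
)
FORGED = (COOKIES, {"Origin": "https://other.example"}, {"forward_to": "x@other.example"})
FORGED_NO_ORIGIN = (COOKIES, {}, {"forward_to": "x@other.example"})

if __name__ == "__main__":
    for name, req in [("legitimate", LEGITIMATE), ("forged", FORGED),
                      ("forged, no Origin header", FORGED_NO_ORIGIN)]:
        print(name, authorize_filter_request(*req))
```

The third case shows why the token check is kept even when an Origin check exists: a request that arrives without an Origin header is still rejected.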

This is the second major Google security vulnerability to be revealed this week. On Monday, security researcher Fernando Bedford provided a proof-of-concept exploit for a cross-site scripting vulnerability in Google's Blogspot polls API that facilitated e-mail hijacking and address book sniffing. Google fixed that vulnerability shortly after it was reported, but it is presently unclear whether the vulnerability discovered by Petkov has been fixed.

View: Full Article @ Arstechnica


1 Comments


I suppose it's a little ironic that the critical flaw is a massive privacy concern when for a lot of people, Gmail ITSELF is a massive privacy concern.
Personally though, I'd feel more privileged than anything else if I found out that some bored Google employee was wasting their lunchtime reading my mail, which is more than I can say for myself these days.
But, getting back on topic, one good thing about Gmail is its spam filter, which has worked brilliantly for me so even if some dodgy site did get my email, it's probably only going to end up as spam anyway.