Top Security News

How Can We Protect Web 2.0 From The Cyber War
No surprise: security engineers are falling behind in hacking skills. There is no reason that we, as a security profession, should be losing the cyber war, or failing to...

Emerging Threat Trends For 2009
The Georgia Tech Information Security Center has released its trends and indicators for emerging information security threats in 2009. Unfortunately...

The Security Department Needs To Step Up To...
With the economy in the tank, now is the time for the security department to get creative and start supporting the business, and help it grow. There is no room for the standard reaction of "no" this time around; we will...

Know The Hacker That Hits Your Business
Do you know what kind of hacker is hitting the company's access to the Internet? It could range from the run-of-the-mill script kiddie to the more elite...

Security Flaws In Google's Chrome Browser
Now that the enormous amount of noise over the debut of the Google Chrome browser has died down a bit, what does it look like from a security viewpoint? For some reason, they based their browser on WebKit that...


12.02.08

Gmail Security Vulnerability Found In Filter System

By Philipp Lenssen

Brandon at GeekCondition reports a Gmail security vulnerability which lets an attacker set up automated filters in your Gmail account, provided the attacker manages to lure you onto a page of theirs first.

Brandon does not post the full exploit (obtaining a certain variable for this exploit "is tricky but possible", Brandon says, adding that he's "not going to tell you how to do it, if you search hard enough online you'll find out how"), and I'm not sure if this works on just any browser. As automated filters can cause mail addressed to you to be forwarded to someone else (and trashed in your account), some people have already had their domain names hijacked due to this issue. To Gmail users, Brandon suggests: "Check your filters and make sure that nothing seems out of the ordinary."

Update: Google's Matt Cutts comments, "I believe the 2007 issue was fixed. What's strange is that the new post on geekcondition.com boils down to an unmentioned way of stealing cookies. I believe some Googlers were trying to contact Brandon soon after his post for more info, but haven't yet heard back. Hopefully we'll hear back soon and can check it out though." [Thanks Matt!]

Update 2: Google says "we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability." [Thanks A.!]

Google's Response To Gmail Security Vulnerability

Google says that recent reports on a Gmail vulnerability aren't true (Google might mean this one at GeekCondition.com, as blogged here earlier; my emphasis in the quote):

We've seen some speculation recently about a purported security vulnerability in Gmail and the theft of several website owners' domains by unauthorized third parties. At Google we're committed to providing secure products, and we mounted an immediate investigation. Our results indicate no evidence of a Gmail vulnerability.

With help from affected users, we determined that the cause was a phishing scheme

Google continues to write, "Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed worldwide within 24 hours of private disclosure of the bug details." I contacted Brandon at GeekCondition yesterday to find out more but haven't heard back from him yet.

About the Author:
Philipp Lenssen from Germany, author of 55 Ways to Have Fun With Google, shares his views & news on the search industry in the daily Google Blogoscoped.
About EnterpriseSecurityNews
Security news and updates for your enterprise

-- EnterpriseSecurityNews is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc. All Rights Reserved Privacy Policy  Legal
